Text version of the video with all the commands: notthebe.ee/blog/easy-ssl-in-homelab-dns01/ To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/Wolfgang/ The first 200 of you will get 20% off Brilliant’s annual premium subscription

This video could not have come at a better time! I've just started putting together my own home server and I've been driving myself insane with self-signed certificates. Thanks!

My man! You are my hero. I've watched so many videos trying to figure out how to do this exact thing and you explained it all so perfectly. And the written guide to accompany it was an added bonus and very much appreciated. Thank you, sir!

Very nice video, this setup is more convenient than my own dns server. For anyone using a fritzbox router: You have to add your full domain as an exception to the "DNS rebind protection", because the fritzbox does not allow DNS resolution of domain names that point to private ips to protect against DNS rebinding attacks

NPM is freakin awesome. It's crazy how easy it is to get setup and going with it and boom...you've got proper SSL and routing.

"Don't worry about it! Not every bad thing in life is your fault." Thanks man I needed that.

Thank you, sir! This is a great video. For anyone using pfsense on their home network -- with a different domain than your purchased domain for your home lab -- you are going to want to add DNS host overrides for your purchased domain and the hosts that you are going to be proxying, all pointing to the IP address of the nginx proxy manager.

This is the simplest way to tackle certs I've seen, definitely trying this! I've been putting it off in my homelab for ages.

Wow, thank you for this video! I didn't know (or think of) that you could point a domain name to a private IP address. That makes creating SSL certificates super easy like this! Love you

I use exactly this setup for over a year and it just works flawlessly. Even auro-renewing the let's encrypt cert works without any issues.

I was almost giving up, but I saw the video and the kind explanation was sweet rain for a beginner like me. Thank you so much

You are the man, I love when propagating the quote you said "Not every bad thing in life is your fault". video helped me a lot but there are still crazy questions in my mind.

wait y'all are using an application to manage your nginx reverse proxy? I was editing config files like a madman here 😭

Tausend Dank Wolfgang. This is exactly what I was looking for. I was this close to setting up my own CA and getting a headache trying to add the root certs to all the devices.

Thank you - as I use Pi-hole, I had to add entries to the pi-hole local dns with the (sub-)domain names pointing to the proxy-manager. After that it run as you explained it.

Awesome tutorial, thanks. Just a quick note: if you want to proxy an app that is either a docker container or a non docker app, put in the IP address of the host machine, NOT 127.0.0.1. My npm container was attached to a network device in bridged mode, instead of host. So it didn't see any other containers. I was stuck on that for a while but maybe it helps someone else.

Dude... this intro speaks directly to my soul. Completely spot-on how it feels. The Blade Runner segment is perfect. Going to do this on my home lab, that's turned into something I'd see in the field, at work. Too funny man 😂😂 *joined* 😂😂❤

This was just fantastic. I didn’t know I needed something like this in my life until I saw the video. Very well done thanks a lot.

Add portainer to this and you have an easy way to manage all your containers. :)

Thanks so much. Just what I needed. I don't expose anything to the internet and nice to know that I can do all this local.

Makes sense, though the traffic between the proxy and the service that is being accessed is still unencrypted correct? This gives the appearance like local traffic is encrypted, but really local traffic passes unencrypted to the reverse proxy before it is encrypted. I think it would have made sense to take an extra step and create a self-signed certificate that would be installed on the service and validated by the reverse proxy to ensure end-to-end encryption. Unless I'm missing something?

Just wanted to thank you, this was precise what I was looking for. Thanks for the clear explanation. You got yourself a new subscriber.

Your Video is like a rescue ring. I had trouble understanding this concept with the traefik guides from Techno Tim but now that you've implementet a sceamtic drawing it helped alot. Thanks! Again a Video to exact right time :D My instructor wanted me to get the basic of dns and teach myself but i was only stuck at this internal external stuff so you safed me :D

This is such a great feature for self-hosting. Thanks for sharing. It's worth noting that some routers like Fritzboxes have a "DNS rebind protection" where you must add an exception. Otherwise you will bang your head against the wall why it doesn't work, like i did.

Yet another great video Wolfgang. Outstanding work. I've been wanting to do this for a while for my homelab and this video is the push I needed. Thank you.

Lots of information in this video, thank you. The text-blog was very helpful to see the commands without copying them from the video.

I’ve found that some services require some special headers and if not configured correctly they break, that’s the hardest part for me, as finding the nginx headers needed for each services can be difficult

Thank you so much for this video, 1 thing I don't think anyone ran into is I had to wait almost a day for my registrar to reflect the IP changes. 🤦Now that I found you I'm going to look through your other video's Thanks again.

you skipped the cloudflare api token, but with some extensive google search i found that you need to create your own API token with edit dns zones permissions set to all zones

Wow, Thank you soooooooo much, You have no idea how much headache I went through just to land here and it worked.

Another great video. Clean and simple. Please, you need to teach us how to configure a home assistant dashboard like yours! 🤟

I finally got to set this up after watching the video months ago. I should have set up proxies long ago, much more convenient. One thing to mention is that this method works well with tailscale as well. I just put my server's tailscale IP instead of local network IP and it works perfectly. Really useful for privately sharing linux isos with friends.

Good to see a well done tutorial on the exact thing I’ve been trying to achieve for ages!

Thank you for this video, have always been wanting to access all my services through https rather than typing in my IP every time but couldn't as I thought it will take some time for me to study the nuances of the process. This has been an easy and fast setup.

I can't get this to work with my Cloudflare domain. Any pointers?

holy snap.. 20 seconds from 1:00 and my mind is blown. Of course that would work. It's so easy and it solves EVERYTHING.

This solution is simply brilliant. I was searching for years for such an amazing and simple solution. Thank you.

I have been following this channel for years and did not realized I am not subscribed.

Even if i turn off the certificate and i set the ip to the ip of an other of my homeservers, the forwarding does not work . I get a connection refused error. What is the best way to debug that?

This video was right on time! I was exploring how could I deploy things locally without deal with IPs and cert issues. Very valuable info, thanks for sharing.

Btw, great video! Thanks for explaining everything in such a concise and easy to understand manner. Just a heads up, apparently this method doesn't fully work on Chrome if you have Safe Browsing Standard or Enhanced protection enabled, for me I get the "Deceptive site ahead" warning for some of my local apps, like Jellyfin for example, but I don't get the warning for other apps like Code Server, so idk, just wanted to let you know. On Firefox I don't get warnings no matter what though, so that works just fine.

Pretty awesome and relatively easy to setup! One issue I noticed is that Safari password autofill treats everything under the proxy as the same site... meaning it will suggest passwords for services with different hostnames. This can get a bit unwieldy if you have a lot of services with their own username/passwords.

this is EXACTLY what I was looking for. You are a lifesaver! (I know I know.. first world problems)

I'm so excited that I hit the like and subscribed at 1:37. Now continuing with the video! SSL freedom.

Thank You, I had been using an SSL per domain, didn't know you could create just one SSL cert. Now i do an have it set up thanks.

I can not thank enough for this video. I was struggling to figure this out and your video helped me. Thank you

hi, it seems is not working anymore, the certificate is added to the domain (using duckdns) but when you try to add it to your proxy host is in red state and it doesn't work. Does it work for anyone at this moment? (october 20. 2024). Also another domain I have with godaddy doesn't work because they have limited their API usage

To make the DNS resolution of the new domain name work in my LAN I had to add an exception for that domain to the "DNS rebind protection" configuration of my Fritzbox.

One minor correction about setting proxy hosts. Setting the forward hostname as localhost for any containers other than the Nginx Proxy Manager container leads to a 502 Bad Gateway error, even if all containers are running on the same network. I resolved it by using the IP address instead of localhost.

Hey, very nice video, but i got an issue, i already use the nginx proxy manager in combination with a domain and cloudflare to expose some stuff to the outside world. is it also possible to use the same nginx pm and domain for the local ssl stuff?

Gracias por este valioso contenido, hace tiempo que no encontraba como asignarle certificados válidos a un servicio que estuviera fuera Docker, pero ahora ya me di la idea de como poder solucionarlo gracias a tu vídeo ✌️

Danke Wolfgang! I find it absurd that we need to jump through these hoops, just to have valid SSL in our home networks, but you made those hoops much easier to jump through :)

pro tip: mine even with 120 didnt work, but 240 did!

Thank you for this video. I have set it up at home, no longer public visibility for some services. Combined with Tailscale router (to access your local networks), it rocks !

Nice video! I've been doing something similar: wildcard certificates and wildcard dns pointing at my home's public IP. Then I have an nginx reverse proxy + SSL terminator and configs for my services. If I want a service to be publicly reachable, all I do is add an nginx config and boom, done. If I want something to be available only locally, I simply add an override into my pihole dns server or just add an ip-based allow/deny block to the nginx config. Simple, and the wildcards add a bit of security by obscurity - no more bots finding services by reading the DNS or certificate data. I'm getting my certs using dns-01 with the lego acme client.

I've been waiting for this for years...Thank you!!!!!!!!

Does this have auto renewals of certs ?

Please make a video on how to setup pihole as DNS server on docker...

Hi, thank you for that vdieo I built an Unraid server two years ago and I have been trying to fix that certificate issue since then. Unfortunately it does not work like described. After setting it up like you did with duckdns and nginx I can open the NGinx WEBUI like you butr any other proxy host gives me a 502 bad gateway error (tried vaultwarden and jellyfin) any idea what I could do wrong?

Omg this is EXACTLY what i've been looking for for months! Thank you so much! That's a sub

en-jinx one minute, engine-x the next! this is calculated trolling to stir up as much grumbling on both sides as possible

You are an absolute legend for this video! I've been trying to fix my reverse proxy and could not get it to work. The "Propagation Seconds" change was an absolute saver! Thanks!

Doesn't work for Cloudflare. There is no way of mapping an IP address for a challenge and when you add your name servers after the domain it fails. I don't want to use Duck DNS though. Maybe a video on how to do this using Cloudflare would be cool.

This doesn't work for me. I didn't use duckdns, instead my own domain. I have the SSL certificate setup, I've likewise added in the * subdomain, and it doesn't route.

The is NOT a video about Easy Local SSL Certs.

This worked great on putting https secure connection locally on my new Raspberry Pi 5 running CasaOS! I just had to do a few modification on the ports and IP addresses but everything worked correctly at the end! Thanks! 👍

what a waste of time

man i spent so long looking for a video like this, and it shows up right after i got it working. wouldve been nice to get this recommendation first lol

I'm only 1 min. 20 secs in the video and already hit the like button. I'm sure this will be better then my self signed certificates :)

Thank you for this! It seemed complicated but after following along I got everything working perfectly.

Thankss ! Love how clear and fast you explain everything

are you telling me i have been messing with the config file all this time while this existed? well im glad i found this now lol

Great video as always. Thank you for sharing it with us. I am using pfSense in my environment and having HAProxy, however I needed a second proxy manager, your video helped me a lot with setting up the second one. 👍

I didn't know I needed this video until it was recommended to me. Amazing video and great explanations. Thanks for the caption. Greetings from Brazil. ✌🏽

Learned something new, I wasn't aware that Letsencrypt can do wildcard certificates by now 🙌

Very concise tutorial, thanks for sharing. But I deployed npm instead of docker-compose on truenas scale and I'm experiencing `ERR_CONNECTION_REFUSED` issue, I tried many tutorials on the web but nothing worked, is it my home ISP or router that is blocking access? I also tried configuring a firewall on my router to pass the target port 80, 443

Awesome! This was the exact video I needed to find. My local homelab is now secure and I can now use very long domainnames! Haha!

excellent. exactly what i was looking for. and thank you for having this info in blog post format too.

Although I made it work, the only service I can access with the name:port is just the nginx proxy, all the others I have to use the server address, first I thought it was the ports beyond some point or numbers, but I see yours works fine. How did you do it ? Pihole or just the container name ? I saw the video but I didn´t get it right.....

Seriously thank you so much for this.... I have been trying to find something like this but no one had a solution for this !!!

I set up passbolt last night and have the problem you just solved in this video thank you

I hope there's a part 2 to this video describing how to set it up so it works from the outside. I suppose using tailscale would allow it, and it has been noted in the comments, but a walkthrough would be appreciated. Looks like I'm not alone with this question here.

This is an amazing video, thank you very much. SSL cert errors set me off. I followed this and it worked flawlessly. I think modified to use my Tailscale VPN IP addresses and now I can access my home lab services anywhere with a nice certificate, makes me happy. Time to touch grass, thanks again.

Great video. Got me up and running when I first set up npm. I changed to custom certs from Cloudflare, which last for 15 years though.

Man this video is exactly what I was looking for. Thank you

Danke Wolfgang, dank deiner Anleitung war die Einrichtung sehr einfach! :)

You uploaded this video at a weirdly perfect time for me.

"not every bad thing in life i your fault". Thank you, I actually feel better now

Ok this was easy to follow until I needed to add the trusted proxies in my home assistant configuration.yaml. Which IP's should I add there? My home assistant 192 IP? Or another one, and if so were do I find the IP to put in the config?

This is what i have been searching for. Thanks for the super easy to follow video. Saved me lots of pain. Great work. Cheeeeeeeeers!

Still a hero video! Thank you very much!

Great and to-the-point video! I have a domain already at GoDaddy, and I'm kind of confused how to get an API key for the DNS verification. Any inputs?

I've been going mad trying to get step-ca to work. Had no idea you could put a private IP in the public DNS record. Very simple solution.

Hello, tks very much for this video.One question: I have a Synology NAS running some Docker apps and I would like to know if you can also upload a video of how create local certificates for the Synology NAS running DSM 7.2 which includes its own NGINX proxy

This is pretty nifty. I guess the logical next step is to setup and use a VPN, so that these url's can resove for devices on VPN when outside of LAN. As well as setup Dashy / Homer for all the services.

Have you tried to renew SSL certificate? I am able to add new Lets encrypt certificate via duckdns for different domain but I cannot renew the old one. I see the "Internal error" on the UI when I try to renew it manually and the message "Failed to renew certificate npm-2 with error: The DNS response does not contain an answer to the question: .. IN TXT" in the log.

I had to add a *wildcard domain in my Local router via unbound DNS. To be able to resolve the domain and subdomains locally still. But after that everything worked

Works great on an Ubuntu VM instance running under proxmox. But I also like to torture myself trying to get these solutions to run under W11 > WSL2 > Docker > NPM, no luck so far no doubt some firewall issue. Thanks for the tutorial short and to the point.

Great tutorial - worked like a charm!

omg I was waiting for a tutorial using precisly docker and DuckDNS together and you just upload this perfect tutorial ! You save my time