- A Mind for Numbers
- Accelerate
- Agile Project Management for Dummies
- Algorithms to Live By
- Atomic Habits
- AWS Certified Cloud Practitioner Study Guide
- Banking on It
- Brexitland
- Build Your Dream Network
- Bulletproof SSL and TLS
- Business Analysis
- Collapse
- CompTIA Security+ Practice Tests
- CompTIA Security+ Study Guide
- Corporate Rebels
- Countdown to Zero Day
- Creative Acts for Curious People
- Creative DIY Microcontroller Projects with TinyGo...
- Cryptanalysis
- Crypto Trader
- Cryptography
- Culture Code
- Daniel Goleman Omnibus
- Deep and deliberate delegation
- Dhl
- Drive
- Effective Python
- Every Tool's a Hammer
- Exam Ref AZ-900 Microsoft Azure Fundamentals
- Expert Scripting and Automation for SQL Server...
- Fifty Quick Ideas to Improve Your User Stories
- Fixing Your Scrum
- Fundamentals of ServiceNow Administration and...
- Future Leader
- Future of Violence - Robots and Germs, Hackers and...
- GCHQ Puzzle Book
- Getting Things Done
- Harvard Business Review manager's handbook
- Hooked
- How Google Works
- How to Take Smart Notes
- How to Win Friends and Influence People
- HTML and CSS
- I Think, Therefore I Am
- Itsm Value Streams : Transform Opportun
- JavaScript and jQuery
- Kill It with Fire
- Leaders Eat Last
- Leading change
- Leading Without Authority
- Lean Thinking
- LONDON'S UNDERGROUND.
- Managing Successful Projects Prince2
- Managing Successful Projects with PRINCE2
- Measure What Matters : OKRs
- Meteorology today
- Mindf*ck
- Modern Cryptanalysis
- Modernist cuisine at home
- Money Revolution
- Never Split the Difference
- New One Minute Manager
- Open Circuits
- Oversubscribed
- Permanent Record
- PHP 5 advanced
- Practical Docker with Python: Build, Release and...
- Practical electronics for inventors
- PRINCE2 for dummies
- Pro Python 3: Features and Tools for Professional...
- Pro SQL Server Always On Availability Groups
- Pro SQL Server on Linux: Including Container-Based...
- Professional Scrum Master Guide
- Project to Product
- Radical Simplicity
- Rules of People
- SAFe 5.0 Distilled
- Sapiens
- SEARCH INSIDE YOURSELF- TPB
- Secret Barrister
- Securing SQL Server: DBAs Defending the Database
- Site Reliability Engineering
- SQL Server 2017 Administration Inside Out
- Start with Why
- System Center Configuration Manager Current Branch...
- T-SQL Fundamentals
- Teach Yourself Electricity and Electronics,...
- Teach Yourself Setting Up a Small Business (Teach...
- Team Topologies
- The Art of Deception
- The art of invisibility
- The Chimp Paradox How Our Impulses And Emotions...
- The coaching habit
- The code book
- The Courage To Be Disliked
- The DevOps handbook
- The Epic Guide to Agile
- The Five Dysfunctions of a Team: A Leadership...
- The Go Programming Language
- The Golden Ratio
- The Introvert's Guide to the Workplace
- The Manager's Path
- The New Silk Roads: The Present and Future of the...
- The outward mindset
- The Phoenix Project
- The Professional Product Owner
- The Unicorn Project
- Turn The Ship Around!
- Visual Thinking
- Weapons of Math Destruction
- Who Moved My Cheese?
- Work Rules!
- Working Out Loud
- Writing An Interpreter In Go
- Wrong Fit, Right Fit
Secure Your Home Lab With Lets Encrypt SSL Certificates, Caddy and Mythic Beasts DNS
A Home Lab is a valuable asset for any Developer or Engineer to support their personal development, personal projects, and experimentation.
Web security is relentlessly improving, so we need to adapt our ways of working in order to support this. The days of running Production websites over plaintext http are long gone, and therefore we should also reflect this in our Home Labs too.
There are many different ways to create a professional looking and secure Home Lab. I have documented below the way that I provision SSL Certificates and HTTPS in my own Home Lab.
Caddy is a powerful web server that can secure web traffic with HTTPS automatically using Let’s Encrypt SSL certificates. Mythic Beasts provide an excellent service for domains, DNS, hosting websites and applications, email, virtual machines, and Raspberry Pi computers.
If your Caddy server is accessible on the Internet with a valid DNS record, it will use a HTTP challenge to validate that you own the domain and web server.
In a development or lab environment, or for your home automation server, you may not wish to expose your web server to the Internet, so another method of validation is required. Even within these environments it’s great seeing the secure padlock symbol in the browser, and considering you can obtain SSL certificates for free, it’s always good practice to create something you would expect to see in Production, even if it’s a Non-Production environment. Non-Production is often Production for someone.
A DNS challenge can be used during the SSL certificate provisioning process instead, which involves setting a DNS TXT record to a certain value. Let’s Encrypt can detect the creation and value of the DNS record and validate ownership without ever connecting to the web server itself. If you have permission to manipulate the DNS records, then you are considered to own the domain.
Mythic Beasts provide an API to manage their DNS service, as well as other services, and a community supported Caddy module has been created to automatically interact with it to create the necessary DNS records.
Caddy with Mythic Beasts DNS module Setup
These steps have been tested on a Raspberry Pi 4 running Raspbian
- Download and install the latest version of Go for your system, using the installation steps
- Check Go is working using
go version
- Download and install xcaddy for your system from their latest releases
- Build a Caddy binary with the community supported Caddy module using
xcaddy build --with github.com/caddy-dns/mythicbeasts
- Install the Caddy binary using the Keep Caddy Running steps
- Create API credentials on Mythic Beasts using the steps on Automating DNS challenges. I needed to create a wildcard credential for all records in the zone, for all record types. This is more permissions than it should require, so the Caddy module is doing something differently to other ACME clients that use the API
- Create the Caddyfile, including the credentials for the Mythic Beasts module using the environment variables as they are in the community supported Caddy module README.md file. These could be added to the systemd service file, if this was the method used to start Caddy
- Start Caddy using your chosen method and watch the journal / logs for successful provisioning of the SSL certificate.
- In my configuration, the internal Caddy files, like keys and certificates, can be found using
sudo find /var/lib/caddy/
Example Configuration files
Example Caddyfile configuration for DNS challenge. It relies on a Caddy binary with the community supported module compiled into it. In this case, it is configured as a reverse proxy.
domainname.com {
reverse_proxy 192.168.1.100:8000
tls {
dns mythicbeasts {
key_id {$MYTHICBEASTS_KEYID}
secret {$MYTHICBEASTS_SECRET}
}
}
}
Example /etc/systemd/system/caddy.service, including environment variables where you may wish store your API credentials. Just remember that this is a plain text file sitting on your file system, so use with caution and asses your security requirements for your system. The paths may need changing for your system.
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Environment=MYTHICBEASTS_KEYID=aaaaaaaaaaaaaaaa
Environment=MYTHICBEASTS_SECRET=bbbbbbbbbbbbbbbbbbb
Type=notify
User=caddy
Group=caddy
ExecStart=/opt/caddy/caddy run --environ --config /opt/caddy/Caddyfile
ExecReload=/opt/caddy/caddy reload --config /opt/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target