Is there a self hosted mTLS manager?
from possiblylinux127@lemmy.zip to selfhosted@lemmy.world on 04 Jan 04:10
https://lemmy.zip/post/56296616

I’m looking for a self service type page that allows me to sign in and download new certs.

#selfhosted


solrize@lemmy.ml on 04 Jan 04:14 next collapse

You mean a self hosted CA? Yes there are tons of those.

mike_wooskey@lemmy.thewooskeys.com on 04 Jan 12:06 collapse

I self-host a CA server with [step-ca](https://github.com/smallstep/certificates), and I also use it to create my mTLS certs.

tinkerings@piefed.zip on 04 Jan 04:29 next collapse

In the interest of giving more than “there are tons of those” I’ll suggest starting the search with https://caddyserver.com/

It provides a CA, reverse proxy, and can act as its own ACME server, providing mTLS between instances. 

frongt@lemmy.zip on 04 Jan 04:34 next collapse

mTLS is mutual TLS, more commonly known as client cert authentication (alongside the modern standard server authentication), for anyone else who has never heard of it by that name

False@lemmy.world on 04 Jan 16:29 next collapse

I’ve never heard it called anything but mTLS. :shrug:

EncryptKeeper@lemmy.world on 05 Jan 03:36 collapse

mTLS is the more common name these days.

supersheep@lemmy.world on 04 Jan 04:57 next collapse

VaulTLS: github.com/7ritn/VaulTLS

possiblylinux127@lemmy.zip on 04 Jan 05:03 next collapse

This is what I was looking for

corsicanguppy@lemmy.ca on 04 Jan 10:17 collapse

Container crutches. Ew. And if a dev can’t spell self-hosted, then I don’t trust them to do it properly.

glizzyguzzler@piefed.blahaj.zone on 04 Jan 10:03 next collapse

If you feel up for answering, what is your use case for wanting to manage your own mTLS?

bear@slrpnk.net on 04 Jan 13:57 next collapse

My main use case is using it to protect my exposed Home Assistant instance in a way that doesn’t require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.

As a more general rule, I apply it to anything I want to expose but can’t easily protect using OIDC logins. I used to put more behind it, but I recently opened up my services to friends and family, so I moved to using Authentik as my primary defense for most things. mTLS was great when it was just me, I can easily install the cert into my own browser and all of my Android apps (except Firefox Android…) but friends and family just zone out when I explain why their new phone doesn’t connect, so I had to adjust my systems to compensate.

glizzyguzzler@piefed.blahaj.zone on 04 Jan 22:19 collapse

I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?

tux7350@lemmy.world on 05 Jan 00:19 collapse

You can use Authentik to set up an LDAP outpost, then use a Jellyfin LDAP plug-in to sync everything up.

github.com/jellyfin/jellyfin-plugin-ldapauth?tab=…

possiblylinux127@lemmy.zip on 04 Jan 17:59 collapse

I don’t want to manage my mTLS. That’s why I’m looking for a better solution.

To actually answer your question, I use mTLS to protect all my self hosted services. It is highly secure since it operates on the transport layer.

glizzyguzzler@piefed.blahaj.zone on 04 Jan 22:21 collapse

Gotcha, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?
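The "if they have the mTLS certificate, allow in" gate described in the question above, as an added Go example written for this thread (it is not code from the thread or from step-ca, Caddy, VaulTLS, Minica or Pangolin): it builds a throwaway private CA with the standard library, issues a client certificate, and makes explicit the admission check that a listener configured with `RequireAndVerifyClientCert` performs during the handshake. All names (`homelab-ca`, `family-phone`, `old-laptop`, `someone-elses-ca`) are constructed; the expired and foreign-CA certificates are there to show the two ways a device gets refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate with parent/parentKey; isCA with a nil parent makes a self-signed
// root. P-256 ECDSA keys. Example code, not from the thread or any project named in it.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 127-bit serial; the reader was just proven usable by GenerateKey.
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else if parent == nil {
		return nil, nil, errors.New("leaf certificate needs a CA parent")
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // client-auth only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Gate is the reverse proxy's admission rule: only peers whose client certificate chains to our private CA get in.
type Gate struct{ roots *x509.CertPool }

func NewGate(ca *x509.Certificate) *Gate {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Gate{roots: pool}
}

// ServerConfig is what the listener gets: RequireAndVerifyClientCert makes crypto/tls run
// the same check as Admit inside the handshake, before any HTTP request is read.
func (g *Gate) ServerConfig(server tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    g.roots,
		MinVersion:   tls.VersionTLS12,
	}
}

// Admit is that check made explicit so it can run without a socket: chains to our root,
// valid now, carries the client-auth EKU. Returns the peer's CommonName on success.
func (g *Gate) Admit(leaf *x509.Certificate) (string, error) {
	if leaf == nil {
		return "", errors.New("no client certificate presented")
	}
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("refused %q: %w", leaf.Subject.CommonName, err)
	}
	return leaf.Subject.CommonName, nil
}

// Scenario is a constructed home-lab PKI: a CA, one good client cert, and two the gate
// must refuse (one expired, one issued by an unrelated CA).
type Scenario struct{ CA, Phone, Expired, Stranger *x509.Certificate }

func BuildScenario() (*Scenario, error) {
	var firstErr error
	mk := func(cn string, isCA bool, notAfter time.Time, p *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := issue(cn, isCA, notAfter, p, pk)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	year := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey := mk("homelab-ca", true, year, nil, nil)
	phone, _ := mk("family-phone", false, year, ca, caKey)
	expired, _ := mk("old-laptop", false, time.Now().Add(-time.Minute), ca, caKey)
	otherCA, otherKey := mk("someone-elses-ca", true, year, nil, nil)
	stranger, _ := mk("stranger", false, year, otherCA, otherKey)
	return &Scenario{CA: ca, Phone: phone, Expired: expired, Stranger: stranger}, firstErr
}
```

In a real deployment only `ServerConfig` is needed on the listener; `Admit` is the same chain-and-EKU verification that `crypto/tls` runs against `ClientCAs`, pulled out so it can be exercised without a socket. Because that refusal happens inside the handshake, an expired or missing certificate on a relative's phone shows up as "can't connect" rather than as a login error, which is the support problem described earlier in the thread.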

brownmustardminion@lemmy.ml on 04 Jan 16:26 next collapse

I use Minica and it’s insanely simple to use. Terminal based though.

github.com/jsha/minica

EpicFailGuy@lemmy.world on 05 Jan 14:43 collapse

Give the Pangolin project a look.

It’s a reverse proxy with tunneling solution that can expose domain names to the internet without having to manage the certificates or open ports.

I use it in my home lab and it’s very very good

docs.pangolin.net