# CA Integration Work - Status & Resume Guide

**Last Updated:** 2026-01-25

**Status:** Phase 1 Complete ✅ - Ready for Phase 2

## Quick Summary

You were concerned that your internal CA server (10.0.10.15, CT 115) wasn't being used by services, causing certificate warnings when accessing them remotely. We've completed Phase 1 of fixing this.

## What's Been Done ✅

### Phase 1: Internal HTTPS (Complete)

- ✅ Distributed homelab CA root cert to all containers, Proxmox hosts, and VPS
- ✅ Deployed Caddy reverse proxy on CT 127 with SSL termination
- ✅ All Docker services (Sonarr, Radarr, Prowlarr, Bazarr, Deluge, Calibre, Vikunja, Dockge) now have HTTPS

**Key Files:**

- [CA-DEPLOYMENT-SUMMARY.md](CA-DEPLOYMENT-SUMMARY.md) - Complete documentation
- [scripts/deploy-ca-certificates.sh](scripts/deploy-ca-certificates.sh) - Automation script
- Caddy config: `/opt/caddy-internal/Caddyfile` on CT 127

**Services:** All accessible at `https://<service>.nianticbooks.home`

**Caddy Container:**

- Running on CT 127 (10.0.10.27)
- Container name: `caddy-internal`
- Listens on port 443 (HTTPS only)
- Uses Caddy internal PKI (self-signed certificates)

## What You Still Need To Do

**Immediate (to remove browser warnings):**

1. Install CA certificate on your devices: `Caddy-Internal-Root-CA.crt` (in this directory)
   - See CA-DEPLOYMENT-SUMMARY.md for platform-specific instructions
2. Add DNS entries or edit hosts file:

   ```
   10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home ...
   ```

## What's Still Needed (Phase 2)

### High Priority

1. **Migrate to Step-CA ACME** (instead of Caddy internal PKI)
   - Problem: CA server cert at 10.0.10.15 doesn't have IP SAN
   - Solution: Regenerate CA server cert with IP SAN, or use DNS name
   - Benefit: Single CA for entire homelab
2. **Add SSL to remaining services:**
   - Home Assistant (10.0.10.24) - has SSL, needs CA-signed cert
   - Proxmox hosts (10.0.10.2, 10.0.10.3, 10.0.10.4) - have SSL, need CA-signed certs
   - n8n (10.0.10.22) - HTTP only
   - Authentik (10.0.10.21) - HTTP only
   - Grafana (10.0.10.25) - HTTP only
3. **Update VPS Caddy:**
   - Configure VPS Caddy to use internal CA for public services
   - Fixes cert warnings when accessing services from outside network

### Lower Priority

- Update SERVICES.md with new HTTPS endpoints
- Set up certificate expiration monitoring
- Add more services as needed

## How To Resume This Work

**To continue CA integration:**

```bash
cd ~/projects/infrastructure

# Review current state
cat CA-DEPLOYMENT-SUMMARY.md
cat CA-WORK-IN-PROGRESS.md  # This file

# Check Caddy status
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal"

# Continue with Phase 2 tasks above
```

**To modify Caddy configuration:**

```bash
ssh root@10.0.10.3
pct exec 127 -- bash
cd /opt/caddy-internal
nano Caddyfile
docker restart caddy-internal
```

**To add more services:**

1. Edit `/opt/caddy-internal/Caddyfile` on CT 127
2. Add new service block (see existing examples)
3. Restart: `docker restart caddy-internal`
4. Add DNS entry or hosts file entry

## Key Locations

**CA Certificates:**

- Homelab CA root: `/usr/local/share/ca-certificates/homelab-ca.crt` (on all systems)
- Caddy internal CA: Extract with `docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt`
- Step-CA root: `/etc/step-ca/.step/certs/root_ca.crt` on CT 115

**Caddy Configuration:**

- Config directory: `/opt/caddy-internal/` on CT 127
- Caddyfile: `/opt/caddy-internal/Caddyfile`
- Docker compose: `/opt/caddy-internal/docker-compose.yml`
- Certificate storage: Inside container at `/data/caddy/certificates/local/`

**Services:**

- CA Server: 10.0.10.15 (CT 115)
  - ACME endpoint: https://10.0.10.15:8443/acme/acme/directory
- Caddy proxy: 10.0.10.27 (CT 127)
  - Port 443

## Problem Context (Why We Did This)

**Original Issue:**

- You have many Docker services with web UIs
- They were HTTP only, causing download/connection issues
- When accessed remotely through VPS Caddy, certificate warnings appeared
- Your internal CA server wasn't being utilized by services

**Solution Implemented:**

- Deployed SSL reverse proxy for all internal services
- Distributed CA certificates to trust the proxy
- Now all services have HTTPS with valid certificates (once CA cert installed on clients)

## Commands Reference

**View Caddy logs:**

```bash
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
```

**Restart Caddy:**

```bash
ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
```

**Check listening ports:**

```bash
ssh root@10.0.10.3 "pct exec 127 -- ss -tlnp | grep caddy"
```

**Redeploy CA certificates (if needed):**

```bash
cd ~/projects/infrastructure
./scripts/deploy-ca-certificates.sh
```

---

**Git Commit:** `2418b48` - Deploy CA certificates and internal HTTPS reverse proxy

**Branch:** master

**Files Modified:** CA-DEPLOYMENT-SUMMARY.md, scripts/deploy-ca-certificates.sh, scripts/setup-internal-caddy.sh
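Two of the open items above, the missing IP SAN on the CA server cert (Phase 2, item 1) and the "certificate expiration monitoring" task under Lower Priority, are both things a small checker can report before a browser does. The script below is an added example written for this guide, not part of the infrastructure repo. It assumes the homelab root lives at the `/usr/local/share/ca-certificates/homelab-ca.crt` path listed under Key Locations, uses the step-ca port 8443 from the ACME endpoint, and assumes Proxmox's default web UI port 8006; the endpoint list, the `WARN_DAYS` threshold and the two sample certificate dicts are constructed for illustration. Chain validation against the homelab CA stays on, but hostname checking is done by the script itself so a cert reached by an IP it does not name is reported as `SAN-MISMATCH` rather than aborting the handshake.

```python
"""Added example: certificate health check for the homelab HTTPS endpoints.

Reports, per endpoint: chain not issued by the homelab CA (UNTRUSTED),
name/IP missing from the SAN (SAN-MISMATCH), and days to expiry.
"""
import ipaddress
import socket
import ssl
import time

CA_FILE = "/usr/local/share/ca-certificates/homelab-ca.crt"  # path from the guide
WARN_DAYS = 14  # hypothetical threshold; tune to the renewal cadence

# (host exactly as typed into the browser, port). Constructed from the guide's
# addresses; 8443 is the step-ca port, 8006 is assumed (Proxmox default).
ENDPOINTS = [
    ("sonarr.nianticbooks.home", 443),   # Caddy proxy on CT 127
    ("10.0.10.15", 8443),                # step-ca, accessed by IP
    ("10.0.10.2", 8006),                 # Proxmox host
]

# Constructed getpeercert()-style dicts: the CA server cert as it is today
# (DNS SAN only) and as it should be after regeneration (IP SAN added).
CA_CERT_WITHOUT_IP_SAN = {
    "subjectAltName": (("DNS", "ca.nianticbooks.home"), ("DNS", "*.nianticbooks.home")),
    "notAfter": "Jan 25 00:00:00 2027 GMT",
}
CA_CERT_WITH_IP_SAN = {
    "subjectAltName": (("DNS", "ca.nianticbooks.home"), ("IP Address", "10.0.10.15")),
    "notAfter": "Jan 25 00:00:00 2027 GMT",
}


def san_entries(cert):
    """Split a getpeercert() dict's SAN into ({dns names}, {ip addresses})."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def san_covers(cert, host):
    """True if host (DNS name or IP literal) is named in the SAN.

    The subject CN is ignored on purpose: browsers ignore it too, which is
    why a cert without an IP SAN warns when reached by IP. A single
    leftmost wildcard label (*.example.home) is honoured.
    """
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal; fall through to DNS matching
    host = host.lower().rstrip(".")
    if host in dns:
        return True
    labels = host.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in dns


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def assess(cert, host, now=None):
    """Classify one endpoint's certificate as (status, detail)."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED", f"expired {-days} day(s) ago"
    if not san_covers(cert, host):
        return "SAN-MISMATCH", f"{host} is not in the SAN (browser will warn)"
    if days <= WARN_DAYS:
        return "EXPIRING", f"{days} day(s) left"
    return "OK", f"{days} day(s) left"


def fetch_cert(host, port, ca_file=CA_FILE, timeout=5.0):
    """Fetch the peer cert; the chain must validate against ca_file.

    check_hostname is off so SAN problems reach assess() instead of raising;
    verify_mode stays CERT_REQUIRED so foreign issuers still fail the handshake.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def run(endpoints=ENDPOINTS, ca_file=CA_FILE):
    """Check every endpoint; returns {host: (status, detail)}."""
    results = {}
    for host, port in endpoints:
        try:
            results[host] = assess(fetch_cert(host, port, ca_file), host)
        except ssl.SSLCertVerificationError as exc:  # chain not from homelab CA
            results[host] = ("UNTRUSTED", f"not issued by homelab CA: {exc.verify_message}")
        except OSError as exc:
            results[host] = ("UNREACHABLE", str(exc))
    return results


if __name__ == "__main__":
    for host, (status, detail) in run().items():
        print(f"{status:<13} {host:<28} {detail}")
```

Run it from any host that received the root via `deploy-ca-certificates.sh`; an `UNTRUSTED` line is a service still on its own self-signed cert (the Home Assistant and Proxmox cases above), and a `SAN-MISMATCH` on `10.0.10.15` is the Phase 2 IP SAN problem. Once the step-ca cert is regenerated with the IP SAN, the same run flips that line to `OK`, and scheduling it under cron with the `WARN_DAYS` threshold covers the expiry-monitoring item.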