homelab-docs/infrastructure/CA-DEPLOYMENT-SUMMARY.md

CA Certificate Deployment Summary

Deployment Date: 2026-01-25
Deployment Status: Complete - Phase 1

What Was Deployed

1. Homelab Internal CA Root Certificate Distribution

The internal CA root certificate from your Step-CA server (10.0.10.15, CT 115) has been installed on:

LXC Containers

  • CT 102 - PostgreSQL (10.0.10.20)
  • CT 106 - n8n (10.0.10.22)
  • CT 127 - Dockge (10.0.10.27)
  • CT 128 - Uptime Kuma (10.0.10.26)
  • ⚠️ CT 104 - Authentik (10.0.10.21) - Not running during deployment

Proxmox Hosts

  • main-pve (10.0.10.3)
  • pve-router (10.0.10.2)
  • pve-storage (10.0.10.4)

VPS

  • 66.63.182.168 (vps.nianticbooks.com)

Location: /usr/local/share/ca-certificates/homelab-ca.crt on all systems (Debian-style store: the file must have a .crt extension and update-ca-certificates must be run after it is placed, otherwise it is never linked into /etc/ssl/certs).

Caveat: the system store is honoured by OpenSSL/GnuTLS-based clients (curl, wget, apt, most system daemons) but not by every runtime. Node.js (n8n) only picks the root up if NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/homelab-ca.crt is set in its environment, and Python's requests library uses its bundled certifi store unless REQUESTS_CA_BUNDLE points at the system bundle (/etc/ssl/certs/ca-certificates.crt). Those applications need their own configuration before they trust the Step-CA root.

2. Internal HTTPS Reverse Proxy Deployment

Service: Caddy Internal Proxy
Location: Docker container on CT 127 (10.0.10.27)
Container Name: caddy-internal
Configuration: /opt/caddy-internal/ on CT 127

Services Now Available via HTTPS

All services are accessible at https://<service>.nianticbooks.home:

Service       HTTPS URL                             Backend Port
Sonarr        https://sonarr.nianticbooks.home      8989
Radarr        https://radarr.nianticbooks.home      7878
Prowlarr      https://prowlarr.nianticbooks.home    9696
Bazarr        https://bazarr.nianticbooks.home      6767
Deluge        https://deluge.nianticbooks.home      8112
Calibre-Web   https://calibre.nianticbooks.home     8083
Vikunja       https://vikunja.nianticbooks.home     3456
Dockge        https://dockge.nianticbooks.home      5001

Certificate Type: Caddy Internal PKI (leaf certificates issued by Caddy's own local CA, whose root is self-signed and not yet tied to Step-CA)
Certificate Authority: Caddy Local Authority - 2026 ECC Root
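The deployed /opt/caddy-internal/Caddyfile is not reproduced on this page. The following is an added example, not the deployed configuration, showing how the service table above maps onto a Caddyfile that issues from Caddy's local CA and listens on 443 only. The backend addresses (localhost:<port>) are an assumption: they presume the backends run on CT 127 next to Caddy, which is in host network mode; substitute the real backend IPs if the *arr stack lives on other containers.

```caddyfile
{
	# Caddy binds :443 only; no :80 listener and no HTTP->HTTPS redirect,
	# matching the "Connection Refused" note further down this page.
	auto_https disable_redirects
}

# One reusable site body; each site passes its backend as {args[0]}.
(internal) {
	# Issue the leaf from Caddy's local CA (root.crt is what clients must trust).
	tls internal
	encode gzip
	# Proxy to the backend over plain HTTP on the port from the table.
	reverse_proxy {args[0]}
}

sonarr.nianticbooks.home   { import internal localhost:8989 }   # assumed address
radarr.nianticbooks.home   { import internal localhost:7878 }
prowlarr.nianticbooks.home { import internal localhost:9696 }
bazarr.nianticbooks.home   { import internal localhost:6767 }
deluge.nianticbooks.home   { import internal localhost:8112 }
calibre.nianticbooks.home  { import internal localhost:8083 }
vikunja.nianticbooks.home  { import internal localhost:3456 }
dockge.nianticbooks.home   { import internal localhost:5001 }
```

Before restarting the container after an edit, docker exec caddy-internal caddy validate --config /etc/caddy/Caddyfile catches syntax errors, and docker exec caddy-internal caddy reload --config /etc/caddy/Caddyfile applies the change without dropping open connections; /etc/caddy/Caddyfile is the official image's default path and is assumed here.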

Client Configuration Required

To access these services without certificate warnings, you need to install the Caddy Internal CA certificate on your client devices. A root in a trust store is trusted for every hostname, so distribute only root.crt: the matching private key (/data/caddy/pki/authorities/local/root.key inside the container) must stay on CT 127 and out of the infrastructure repo.

CA Certificate Location

The Caddy internal root CA certificate is saved at:

  • Infrastructure Repo: ~/projects/infrastructure/Caddy-Internal-Root-CA.crt
  • On Server: Extract with docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt

Installation Instructions

Windows

  1. Download Caddy-Internal-Root-CA.crt from the infrastructure repo
  2. Double-click the certificate file
  3. Click "Install Certificate"
  4. Select "Local Machine" (requires admin)
  5. Choose "Place all certificates in the following store"
  6. Click "Browse" and select "Trusted Root Certification Authorities"
  7. Click "Next" and "Finish"

Linux/WSL

sudo cp Caddy-Internal-Root-CA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

macOS

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain Caddy-Internal-Root-CA.crt

Firefox (All Platforms)

Firefox uses its own certificate store (unless security.enterprise_roots.enabled is set to true in about:config, which makes Firefox on Windows and macOS also trust roots in the OS store):

  1. Open Firefox Settings → Privacy & Security → Certificates → View Certificates
  2. Click "Authorities" tab → "Import"
  3. Select Caddy-Internal-Root-CA.crt
  4. Check "Trust this CA to identify websites"
  5. Click OK

DNS Configuration

For the .nianticbooks.home domains to resolve, add to your DNS server (UCG Ultra DHCP/DNS):

sonarr.nianticbooks.home    → 10.0.10.27
radarr.nianticbooks.home    → 10.0.10.27
prowlarr.nianticbooks.home  → 10.0.10.27
bazarr.nianticbooks.home    → 10.0.10.27
deluge.nianticbooks.home    → 10.0.10.27
calibre.nianticbooks.home   → 10.0.10.27
vikunja.nianticbooks.home   → 10.0.10.27
dockge.nianticbooks.home    → 10.0.10.27

Or add a wildcard entry:

*.nianticbooks.home → 10.0.10.27

Alternatively, add to your local /etc/hosts (Linux/Mac) or C:\Windows\System32\drivers\etc\hosts (Windows):

10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home bazarr.nianticbooks.home deluge.nianticbooks.home calibre.nianticbooks.home vikunja.nianticbooks.home dockge.nianticbooks.home

Management Commands

View Caddy Logs

ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"

Restart Caddy

ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"

Update Caddyfile

# Edit on server
ssh root@10.0.10.3
pct exec 127 -- bash
cd /opt/caddy-internal
nano Caddyfile
docker restart caddy-internal

View Generated Certificates

ssh root@10.0.10.3 "pct exec 127 -- docker exec caddy-internal ls -la /data/caddy/certificates/local/"

What's Still Needed (Phase 2)

Step-CA ACME Integration

The current setup uses Caddy's internal PKI, so clients have to trust a second root (the Caddy local authority) in addition to the Step-CA root distributed in step 1. To have Caddy obtain its certificates from the existing Step-CA server instead, we need to:

  1. Fix CA Server Certificate: Caddy will reach Step-CA at https://10.0.10.15, so the Step-CA server certificate needs an IP SAN for 10.0.10.15 (or the ACME directory URL must use a DNS name that is in the certificate's SAN list)
  2. Configure ACME Client: Update Caddy to use the Step-CA ACME directory endpoint (Step-CA needs an ACME provisioner enabled for this)
  3. Trust Chain: Make the Step-CA root available to Caddy, e.g. mount homelab-ca.crt into the container and reference it with the ACME issuer's trusted_roots option; otherwise Caddy rejects the ACME directory's certificate

Benefit: Single CA for the entire homelab instead of two separate CAs.

Services Still Needing SSL

Proxmox Hosts:

  • main-pve (10.0.10.3) - Already serves HTTPS with its default Proxmox-generated certificate, needs a cert issued by the homelab CA
  • pve-router (10.0.10.2) - Already serves HTTPS with its default Proxmox-generated certificate, needs a cert issued by the homelab CA
  • pve-storage (10.0.10.4) - Already serves HTTPS with its default Proxmox-generated certificate, needs a cert issued by the homelab CA

LXC Services:

  • Home Assistant (10.0.10.24) - Already has SSL, needs CA-signed cert
  • ⚠️ n8n (10.0.10.22) - HTTP only
  • ⚠️ Authentik (10.0.10.21) - HTTP only
  • ⚠️ Grafana (10.0.10.25) - HTTP only

VPS Caddy:

  • Update VPS Caddy to use the internal CA for internal services reached through the VPS
  • Avoids "invalid certificate" warnings when accessing those services remotely from devices that have the homelab root installed; note that an internal-CA certificate only helps on such devices, so anything meant for the general public should keep a publicly trusted certificate

Documentation

  • Update SERVICES.md with new HTTPS endpoints
  • Create quick-start guide for new devices
  • Add monitoring for certificate expiration

Scripts Created

  • scripts/deploy-ca-certificates.sh - Deploys homelab CA root to all containers
  • scripts/setup-internal-caddy.sh - Interactive Caddy deployment (not used - manual deployment preferred)
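The repo's scripts/deploy-ca-certificates.sh is not shown on this page. The following is an added example, not that script, of how the distribution described under "Homelab Internal CA Root Certificate Distribution" can be done with a verification step: push the Step-CA root into every container and host, run update-ca-certificates, and confirm the installed copy is byte-identical to the source. Assumptions: it runs as root on main-pve (10.0.10.3), all five containers live on that node, and the Step-CA root has already been exported to the path in CA_SRC; the container list, host list and that path are the assumed parts.

```shell
#!/bin/sh
# Added example (not the repo's scripts/deploy-ca-certificates.sh).
# Assumed: run as root on main-pve, every CT below is on this node, and the
# Step-CA root PEM is already at $CA_SRC.
set -eu

CA_SRC="${CA_SRC:-/root/homelab-ca.crt}"                    # assumed export path
CA_DST="/usr/local/share/ca-certificates/homelab-ca.crt"    # location used in Phase 1
CT_IDS="${CT_IDS:-102 104 106 127 128}"                     # PostgreSQL, Authentik, n8n, Dockge, Uptime Kuma
HOSTS="${HOSTS:-10.0.10.2 10.0.10.4 66.63.182.168}"          # pve-router, pve-storage, VPS (over SSH)

# file_sha256 <file>: hex SHA-256 of a file. An integrity check on the
# distributed file, not a certificate fingerprint, so openssl is not needed.
file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# verify_hash <file> <expected_sha256>: 0 if the file exists and matches
verify_hash() {
  [ -f "$1" ] || return 1
  [ "$(file_sha256 "$1")" = "$2" ]
}

# pem_looks_like_cert <file>: refuse to distribute anything that is not a PEM
# certificate (update-ca-certificates also needs the .crt extension, see CA_DST)
pem_looks_like_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1"
}

# deploy_ct <ctid> <expected_sha256>: push into a running container and verify
deploy_ct() {
  ct=$1; want=$2
  if ! pct status "$ct" | grep -q running; then
    echo "CT $ct: not running, skipped; re-run once it is up" >&2
    return 1
  fi
  pct push "$ct" "$CA_SRC" "$CA_DST" --perms 0644
  pct exec "$ct" -- update-ca-certificates >/dev/null
  got=$(pct exec "$ct" -- sha256sum "$CA_DST" | cut -d' ' -f1)
  if [ "$got" = "$want" ]; then echo "CT $ct: ok"; else echo "CT $ct: HASH MISMATCH" >&2; return 1; fi
}

# deploy_host <ip> <expected_sha256>: Proxmox nodes and the VPS over SSH
deploy_host() {
  ip=$1; want=$2
  scp -q "$CA_SRC" "root@$ip:$CA_DST"
  got=$(ssh "root@$ip" "update-ca-certificates >/dev/null && sha256sum $CA_DST" | cut -d' ' -f1)
  if [ "$got" = "$want" ]; then echo "$ip: ok"; else echo "$ip: HASH MISMATCH" >&2; return 1; fi
}

main() {
  pem_looks_like_cert "$CA_SRC" || { echo "$CA_SRC is not a PEM certificate" >&2; exit 2; }
  want=$(file_sha256 "$CA_SRC")
  rc=0
  # this node (main-pve) first
  cp "$CA_SRC" "$CA_DST" && update-ca-certificates >/dev/null
  verify_hash "$CA_DST" "$want" && echo "local: ok" || rc=1
  for ct in $CT_IDS; do deploy_ct "$ct" "$want" || rc=1; done
  for h in $HOSTS; do deploy_host "$h" "$want" || rc=1; done
  exit "$rc"
}

# Only deploy when asked explicitly, so the helpers can be sourced and tested.
if [ "${1:-}" = "deploy" ]; then main; fi
```

A non-zero exit means at least one target was skipped or failed verification (CT 104 in the Phase 1 run would have been reported as "not running"), so the script is safe to re-run until every target prints ok.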

Troubleshooting

Certificate Warnings Still Appear

  1. Verify CA certificate is installed on client device
  2. Check that DNS resolves to 10.0.10.27
  3. Ensure you're using https:// (not http://)
  4. Clear browser cache and restart browser
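The checks in the list above (root installed, DNS points at 10.0.10.27, https:// in use) and the "Add monitoring for certificate expiration" item under Documentation can be scripted from a Linux client. The following is an added example, not a script from the repo: for each service it confirms the name resolves to the proxy, that the chain verifies against the Caddy root, that the name is in the certificate's SANs, and whether the leaf is about to expire; it also warns when the root CA file itself has less than 30 days left. Assumed: openssl and getent are available, the root is at the CA_FILE path from the "CA Certificate Location" section, and the 30-day and one-hour thresholds are the author's choice.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumes openssl, getent (glibc
# Linux) and the Caddy root at $CA_FILE; thresholds are assumptions.
set -euf   # -f: SAN lists contain "*.", never let the shell glob them

CA_FILE="${CA_FILE:-${HOME:-/root}/projects/infrastructure/Caddy-Internal-Root-CA.crt}"
PROXY_IP="${PROXY_IP:-10.0.10.27}"
DOMAIN="nianticbooks.home"
SERVICES="${SERVICES:-sonarr radarr prowlarr bazarr deluge calibre vikunja dockge}"
CA_WARN_SECS=$((30 * 86400))   # the root must be reissued and redistributed before this
LEAF_WARN_SECS=3600            # Caddy renews its leaf certs itself; <1h left means renewal is stuck

# san_matches <hostname> <san-list>: san-list is space-separated DNS names.
# A wildcard covers exactly one label, as browsers require.
san_matches() {
  host=$1; list=$2
  for san in $list; do
    case $san in
      \*.*)
        suffix=${san#\*.}; left=${host%%.*}
        [ "$host" = "$left.$suffix" ] && return 0 ;;
      *)
        [ "$san" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# parse_sans: stdin is "openssl x509 -noout -ext subjectAltName" output;
# prints the DNS names separated by single spaces (IP entries are ignored)
parse_sans() {
  tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# verify_ok: stdin is "openssl s_client" output; 0 only when the chain verified
verify_ok() { grep -q 'Verify return code: 0 (ok)'; }

# check_service <name>: DNS, chain, SAN and near-expiry checks for one host
check_service() {
  fqdn="$1.$DOMAIN"
  ip=$(getent hosts "$fqdn" | awk '{print $1; exit}') || ip=""
  if [ "$ip" != "$PROXY_IP" ]; then
    echo "$fqdn: resolves to '${ip:-nothing}', expected $PROXY_IP (fix DNS or the hosts file)"; return 1
  fi
  out=$(openssl s_client -connect "$ip:443" -servername "$fqdn" -CAfile "$CA_FILE" </dev/null 2>/dev/null) || true
  if ! printf '%s\n' "$out" | verify_ok; then
    echo "$fqdn: chain does not verify against $CA_FILE (wrong or missing root, or not talking TLS)"; return 1
  fi
  sans=$(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName | parse_sans)
  if ! san_matches "$fqdn" "$sans"; then
    echo "$fqdn: name not in certificate SANs ($sans)"; return 1
  fi
  if ! printf '%s\n' "$out" | openssl x509 -noout -checkend "$LEAF_WARN_SECS" >/dev/null; then
    echo "$fqdn: WARNING leaf expires within the hour; check docker logs caddy-internal for renewal errors"
  fi
  echo "$fqdn: ok"
}

# check_ca_expiry: expiry monitoring for the root itself
check_ca_expiry() {
  if openssl x509 -in "$CA_FILE" -noout -checkend "$CA_WARN_SECS" >/dev/null; then
    echo "CA $CA_FILE: more than 30 days of validity left"
  else
    echo "CA $CA_FILE: WARNING expires within 30 days; reissue and redistribute"; return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  rc=0
  check_ca_expiry || rc=1
  for s in $SERVICES; do check_service "$s" || rc=1; done
  exit "$rc"
fi
```

Run it as sh check-internal-tls.sh run from a device that has the root installed; the first failing check per service is the one to fix, in the order the troubleshooting list gives. It can also be scheduled (cron or an Uptime Kuma push monitor) so the root's expiry and a stuck Caddy renewal are noticed before clients start seeing warnings.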

Service Not Accessible

  1. Check Caddy is running: docker ps | grep caddy-internal
  2. Check Caddy logs: docker logs caddy-internal
  3. Verify backend service is running: docker ps or systemctl status <service>
  4. Check firewall rules on CT 127

Connection Refused

  • Caddy listens on port 443 only (no port 80)
  • Ensure you're using HTTPS URLs
  • Verify Caddy container is in host network mode

Security Considerations

Current State:

  • Client-to-proxy traffic for the eight proxied services is encrypted; the proxy-to-backend hop is plain HTTP on the backend ports listed above unless a backend serves TLS itself, and n8n, Authentik and Grafana are still reached over HTTP
  • Step-CA root distributed to all listed systems except CT 104 (Authentik), which was down during deployment
  • ⚠️ Using Caddy internal PKI (its own self-signed root) instead of Step-CA, so clients currently have to trust two roots

Recommendations:

  • Install CA certificate on all client devices immediately
  • Keep the Caddy root key (/data/caddy/pki/authorities/local/root.key in the container) private; only root.crt belongs in the infrastructure repo, since anyone holding the key can issue a trusted certificate for any name on those clients
  • Do NOT expose Caddy internal proxy ports publicly (internal use only)
  • Regularly update Caddy container for security patches

Next Steps

  1. Immediate: Install Caddy CA certificate on your primary devices
  2. Short-term: Add DNS entries or hosts file entries
  3. Medium-term: Migrate from Caddy internal PKI to Step-CA ACME
  4. Long-term: Add remaining services (n8n, Authentik, Grafana) to HTTPS

Deployment Completed By: Fred (with Claude Code)
Last Updated: 2026-01-25
Status: Phase 1 Complete - Services accessible via HTTPS with certificates from Caddy's internal CA