fred/homelab-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
homelab-docs/infrastructure/CA-WORK-IN-PROGRESS.md

154 lines
5.1 KiB
Markdown
Raw Permalink Blame History

# CA Integration Work - Status & Resume Guide
**Last Updated:** 2026-01-25
**Status:** Phase 1 Complete ✅ - Ready for Phase 2
## Quick Summary
You were concerned that your internal CA server (10.0.10.15, CT 115) wasn't being used by services, causing certificate warnings when accessing them remotely. We've completed Phase 1 of fixing this.
## What's Been Done ✅
### Phase 1: Internal HTTPS (Complete)
- ✅ Distributed homelab CA root cert to all containers, Proxmox hosts, and VPS
- ✅ Deployed Caddy reverse proxy on CT 127 with SSL termination
- ✅ All Docker services (Sonarr, Radarr, Prowlarr, Bazarr, Deluge, Calibre, Vikunja, Dockge) now have HTTPS
**Key Files:**
- [CA-DEPLOYMENT-SUMMARY.md](CA-DEPLOYMENT-SUMMARY.md) - Complete documentation
- [scripts/deploy-ca-certificates.sh](scripts/deploy-ca-certificates.sh) - Automation script
- Caddy config: `/opt/caddy-internal/Caddyfile` on CT 127
**Services:** All accessible at `https://<service>.nianticbooks.home`
**Caddy Container:**
- Running on CT 127 (10.0.10.27)
- Container name: `caddy-internal`
- Listens on port 443 (HTTPS only)
- Uses Caddy internal PKI (self-signed certificates)
## What You Still Need To Do
**Immediate (to remove browser warnings):**
1. Install CA certificate on your devices: `Caddy-Internal-Root-CA.crt` (in this directory)
- See CA-DEPLOYMENT-SUMMARY.md for platform-specific instructions
2. Add DNS entries or edit hosts file:
```
10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home ...
```
## What's Still Needed (Phase 2)
### High Priority
1. **Migrate to Step-CA ACME** (instead of Caddy internal PKI)
- Problem: CA server cert at 10.0.10.15 doesn't have IP SAN
- Solution: Regenerate CA server cert with IP SAN, or use DNS name
- Benefit: Single CA for entire homelab
2. **Add SSL to remaining services:**
- Home Assistant (10.0.10.24) - has SSL, needs CA-signed cert
- Proxmox hosts (10.0.10.2, 10.0.10.3, 10.0.10.4) - have SSL, need CA-signed certs
- n8n (10.0.10.22) - HTTP only
- Authentik (10.0.10.21) - HTTP only
- Grafana (10.0.10.25) - HTTP only
3. **Update VPS Caddy:**
- Configure VPS Caddy to use internal CA for public services
- Fixes cert warnings when accessing services from outside network
### Lower Priority
- Update SERVICES.md with new HTTPS endpoints
- Set up certificate expiration monitoring
- Add more services as needed
## How To Resume This Work
**To continue CA integration:**
```bash
cd ~/projects/infrastructure
# Review current state
cat CA-DEPLOYMENT-SUMMARY.md
cat CA-WORK-IN-PROGRESS.md # This file
# Check Caddy status
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal"
# Continue with Phase 2 tasks above
```
**To modify Caddy configuration:**
```bash
ssh root@10.0.10.3
pct exec 127 -- bash
cd /opt/caddy-internal
nano Caddyfile
docker restart caddy-internal
```
**To add more services:**
1. Edit `/opt/caddy-internal/Caddyfile` on CT 127
2. Add new service block (see existing examples)
3. Restart: `docker restart caddy-internal`
4. Add DNS entry or hosts file entry
## Key Locations
**CA Certificates:**
- Homelab CA root: `/usr/local/share/ca-certificates/homelab-ca.crt` (on all systems)
- Caddy internal CA: Extract with `docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt`
- Step-CA root: `/etc/step-ca/.step/certs/root_ca.crt` on CT 115
**Caddy Configuration:**
- Config directory: `/opt/caddy-internal/` on CT 127
- Caddyfile: `/opt/caddy-internal/Caddyfile`
- Docker compose: `/opt/caddy-internal/docker-compose.yml`
- Certificate storage: Inside container at `/data/caddy/certificates/local/`
**Services:**
- CA Server: 10.0.10.15 (CT 115) - ACME endpoint: https://10.0.10.15:8443/acme/acme/directory
- Caddy proxy: 10.0.10.27 (CT 127) - Port 443
## Problem Context (Why We Did This)
**Original Issue:**
- You have many Docker services with web UIs
- They were HTTP only, causing download/connection issues
- When accessed remotely through VPS Caddy, certificate warnings appeared
- Your internal CA server wasn't being utilized by services
**Solution Implemented:**
- Deployed SSL reverse proxy for all internal services
- Distributed CA certificates to trust the proxy
- Now all services have HTTPS with valid certificates (once CA cert installed on clients)
## Commands Reference
**View Caddy logs:**
```bash
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
```
**Restart Caddy:**
```bash
ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
```
**Check listening ports:**
```bash
ssh root@10.0.10.3 "pct exec 127 -- ss -tlnp | grep caddy"
```
**Redeploy CA certificates (if needed):**
```bash
cd ~/projects/infrastructure
./scripts/deploy-ca-certificates.sh
```
---
**Git Commit:** `2418b48` - Deploy CA certificates and internal HTTPS reverse proxy
**Branch:** master
**Files Modified:** CA-DEPLOYMENT-SUMMARY.md, scripts/deploy-ca-certificates.sh, scripts/setup-internal-caddy.sh
Reference in New Issue View Git Blame Copy Permalink