homelab-docs/infrastructure/LOCAL-HTTPS-QUICKSTART.md

Local HTTPS Quick Start Guide

Get all your homelab services running on HTTPS in ~30 minutes.

What This Does

Converts all your internal services from HTTP to HTTPS:

• ✅ Home Assistant (bob.nianticbooks.home)
• ✅ AD5M 3D Printer (ad5m.nianticbooks.home)
• ✅ Dockge (dockge.nianticbooks.home)
• ✅ Proxmox Web UI (freddesk.nianticbooks.home)
• ✅ OpenMediaVault (omv.nianticbooks.home)

Prerequisites

• SSH access to main-pve (10.0.10.3) as root
• DNS entries configured in UCG Ultra for all services
• ~2GB free space on main-pve

Step-by-Step Instructions

1. Set Up Certificate Authority (10 min)

SSH into main-pve and run the setup script:

# From this computer
scp ~/projects/infrastructure/scripts/setup-local-ca.sh root@10.0.10.3:/root/

# SSH into main-pve
ssh root@10.0.10.3

# Run setup
cd /root
chmod +x setup-local-ca.sh
./setup-local-ca.sh

What it does:

• Creates LXC container at 10.0.10.15
• Installs step-ca (Certificate Authority software)
• Initializes CA with 10-year root certificate
• Starts CA service

You'll be prompted for:

• CA password (save this in your password manager!)
• Container root password

2. Issue Certificates for All Services (5 min)

Still on main-pve:

# Copy and run certificate generation script
scp ~/projects/infrastructure/scripts/issue-service-certs.sh root@10.0.10.3:/root/

# On main-pve
chmod +x issue-service-certs.sh
./issue-service-certs.sh

What it does:

• Generates SSL certificates for all services
• Saves them to /tmp/certs/ on main-pve

Output:

/tmp/certs/
├── bob.nianticbooks.home.crt
├── bob.nianticbooks.home.key
├── ad5m.nianticbooks.home.crt
├── ad5m.nianticbooks.home.key
└── ... (other services)

3. Configure Each Service (15 min)

Home Assistant (bob.nianticbooks.home)

# On main-pve, copy certs to Home Assistant
scp /tmp/certs/bob.nianticbooks.home.* root@10.0.10.24:/config/ssl/

# SSH into Home Assistant
ssh root@10.0.10.24

# Edit configuration
nano /config/configuration.yaml

Add/update:

http:
  ssl_certificate: /config/ssl/bob.nianticbooks.home.crt
  ssl_key: /config/ssl/bob.nianticbooks.home.key
  server_port: 8123

Restart Home Assistant:

# From HA CLI
ha core restart

# Or restart container/VM from Proxmox

Test: https://bob.nianticbooks.home:8123

AD5M Printer (Fluidd/Klipper)

# Copy certs to printer
scp /tmp/certs/ad5m.nianticbooks.home.* root@10.0.10.30:/etc/nginx/ssl/

# SSH into printer
ssh root@10.0.10.30

# Create nginx HTTPS config
cat > /etc/nginx/sites-available/fluidd-https <<'EOF'
server {
    listen 443 ssl http2;
    server_name ad5m.nianticbooks.home;

    ssl_certificate /etc/nginx/ssl/ad5m.nianticbooks.home.crt;
    ssl_certificate_key /etc/nginx/ssl/ad5m.nianticbooks.home.key;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket support for Moonraker
    location /websocket {
        proxy_pass http://127.0.0.1:7125/websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name ad5m.nianticbooks.home;
    return 301 https://$server_name$request_uri;
}
EOF

# Enable site
ln -sf /etc/nginx/sites-available/fluidd-https /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx

Test: https://ad5m.nianticbooks.home

Update printer UI setting to: https://ad5m.nianticbooks.home/fluidd

Dockge

# Copy certs
scp /tmp/certs/dockge.nianticbooks.home.* root@10.0.10.27:/opt/dockge/ssl/

# Edit docker-compose.yml to add SSL

Add environment variables:

environment:
  - SSL_KEY=/app/ssl/dockge.nianticbooks.home.key
  - SSL_CERT=/app/ssl/dockge.nianticbooks.home.crt

Or use nginx reverse proxy (recommended).

Proxmox (freddesk.nianticbooks.home)

# On main-pve
cp /tmp/certs/freddesk.nianticbooks.home.crt /etc/pve/local/pveproxy-ssl.pem
cp /tmp/certs/freddesk.nianticbooks.home.key /etc/pve/local/pveproxy-ssl.key

# Restart Proxmox web service
systemctl restart pveproxy

Test: https://freddesk.nianticbooks.home:8006

OpenMediaVault

# Copy certs to OMV
scp /tmp/certs/omv.nianticbooks.home.* root@10.0.10.5:/etc/ssl/

# Configure via OMV Web UI:
# System → Certificates → SSL → Import
# Then: System → General Settings → Enable SSL/TLS, select certificate

4. Trust the CA on Your Devices (5 min)

This Computer (Linux)

cd ~/projects/infrastructure/scripts
./trust-ca-client.sh

Other Linux Computers

# Copy script and run
scp scripts/trust-ca-client.sh user@other-computer:/tmp/
ssh user@other-computer "bash /tmp/trust-ca-client.sh"

Windows

1. Copy root CA from main-pve:

   scp root@10.0.10.3:/tmp/homelab-root-ca.crt ~/Downloads/
   

2. On Windows:

   • Copy file to Windows machine
   • Right-click → Install Certificate
   • Store Location: Local Machine
   • Certificate Store: Trusted Root Certification Authorities
   • Click Finish

macOS

# Copy certificate
scp root@10.0.10.3:/tmp/homelab-root-ca.crt ~/Downloads/

# Install (will prompt for password)
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/Downloads/homelab-root-ca.crt

iOS

1. Email the certificate to yourself or host on a web server
2. Open the certificate file on iOS device
3. Settings → General → VPN & Device Management → Install profile
4. Settings → General → About → Certificate Trust Settings
5. Enable full trust for "Homelab Internal CA"

Android

1. Transfer certificate to device
2. Settings → Security → Install from storage
3. Select the certificate file
4. Name it "Homelab CA"

Verification

Test all services with HTTPS:

# From any trusted computer
curl -I https://bob.nianticbooks.home:8123
curl -I https://ad5m.nianticbooks.home
curl -I https://freddesk.nianticbooks.home:8006
curl -I https://omv.nianticbooks.home

Open in browser - you should see no certificate warnings.

Troubleshooting

Certificate not trusted

# Check if CA is installed
ls /usr/local/share/ca-certificates/ | grep homelab

# Re-run trust script
cd ~/projects/infrastructure/scripts
./trust-ca-client.sh

Service won't start with HTTPS

# Check certificate files exist
ls -la /path/to/ssl/

# Check permissions
chmod 644 /path/to/cert.crt
chmod 600 /path/to/cert.key

# Check service logs
journalctl -u service-name -f

Certificate expired (after 1 year)

# Re-run certificate issuance
ssh root@10.0.10.3
./issue-service-certs.sh

# Re-deploy to services

Certificate Renewal

Certificates are valid for 1 year. Set a calendar reminder to renew them annually:

# On main-pve
./issue-service-certs.sh
# Then re-deploy to each service

Or set up auto-renewal (see full documentation in LOCAL-CA-SETUP.md).

Next Steps

Once HTTPS is working:

1. Update Pangolin routes on VPS to use HTTPS backends
2. Configure HTTP → HTTPS redirects
3. Update bookmarks to use https://
4. Update Home Assistant app to use HTTPS URL

Files Created

• /tmp/homelab-root-ca.crt - Root CA certificate (install on all devices)
• /tmp/certs/*.crt - Service certificates
• /tmp/certs/*.key - Private keys (keep secure!)

Security Notes

• Root CA is valid for 10 years
• Service certificates valid for 1 year
• Private keys stored only on CA server and target services
• CA server only accessible from local network (10.0.10.0/24)

Support

Full documentation: LOCAL-CA-SETUP.md Troubleshooting: Check service logs and certificate validity

---

Time Estimate: 30-45 minutes for complete setup Difficulty: Intermediate Impact: All services accessible via trusted HTTPS