homelab-docs/infrastructure/CA-DEPLOYMENT-SUMMARY.md
# CA Certificate Deployment Summary
**Deployment Date:** 2026-01-25

**Deployment Status:** ✅ Complete - Phase 1
## What Was Deployed
### 1. Homelab Internal CA Root Certificate Distribution
The internal CA root certificate from your Step-CA server (10.0.10.15, CT 115) has been installed on:
#### LXC Containers
- ✅ CT 102 - PostgreSQL (10.0.10.20)
- ✅ CT 106 - n8n (10.0.10.22)
- ✅ CT 127 - Dockge (10.0.10.27)
- ✅ CT 128 - Uptime Kuma (10.0.10.26)
- ⚠️ CT 104 - Authentik (10.0.10.21) - Not running during deployment
#### Proxmox Hosts
- ✅ main-pve (10.0.10.3)
- ✅ pve-router (10.0.10.2)
- ✅ pve-storage (10.0.10.4)
#### VPS
- ✅ 66.63.182.168 (vps.nianticbooks.com)
**Location:** `/usr/local/share/ca-certificates/homelab-ca.crt` on all systems
### 2. Internal HTTPS Reverse Proxy Deployment
**Service:** Caddy Internal Proxy

**Location:** Docker container on CT 127 (10.0.10.27)

**Container Name:** caddy-internal

**Configuration:** `/opt/caddy-internal/` on CT 127
#### Services Now Available via HTTPS
All services are accessible at `https://<service>.nianticbooks.home`:
| Service | HTTPS URL | Backend Port |
|---------|-----------|--------------|
| Sonarr | https://sonarr.nianticbooks.home | 8989 |
| Radarr | https://radarr.nianticbooks.home | 7878 |
| Prowlarr | https://prowlarr.nianticbooks.home | 9696 |
| Bazarr | https://bazarr.nianticbooks.home | 6767 |
| Deluge | https://deluge.nianticbooks.home | 8112 |
| Calibre-Web | https://calibre.nianticbooks.home | 8083 |
| Vikunja | https://vikunja.nianticbooks.home | 3456 |
| Dockge | https://dockge.nianticbooks.home | 5001 |
**Certificate Type:** Caddy Internal PKI (self-signed)

**Certificate Authority:** Caddy Local Authority - 2026 ECC Root
## Client Configuration Required
To access these services without certificate warnings, you need to install the Caddy Internal CA certificate on your client devices.
### CA Certificate Location
The Caddy internal root CA certificate is saved at:
- **Infrastructure Repo:** `~/projects/infrastructure/Caddy-Internal-Root-CA.crt`
- **On Server:** Extract with `docker exec caddy-internal cat /data/caddy/pki/authorities/local/root.crt`
### Installation Instructions
#### Windows
1. Download `Caddy-Internal-Root-CA.crt` from the infrastructure repo
2. Double-click the certificate file
3. Click "Install Certificate"
4. Select "Local Machine" (requires admin)
5. Choose "Place all certificates in the following store"
6. Click "Browse" and select "Trusted Root Certification Authorities"
7. Click "Next" and "Finish"
#### Linux/WSL
```bash
sudo cp Caddy-Internal-Root-CA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
#### macOS
```bash
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain Caddy-Internal-Root-CA.crt
```
#### Firefox (All Platforms)
Firefox uses its own certificate store:
1. Open Firefox Settings → Privacy & Security → Certificates → View Certificates
2. Click "Authorities" tab → "Import"
3. Select `Caddy-Internal-Root-CA.crt`
4. Check "Trust this CA to identify websites"
5. Click OK
## DNS Configuration
For the `.nianticbooks.home` domains to resolve, add to your DNS server (UCG Ultra DHCP/DNS):
```
sonarr.nianticbooks.home → 10.0.10.27
radarr.nianticbooks.home → 10.0.10.27
prowlarr.nianticbooks.home → 10.0.10.27
bazarr.nianticbooks.home → 10.0.10.27
deluge.nianticbooks.home → 10.0.10.27
calibre.nianticbooks.home → 10.0.10.27
vikunja.nianticbooks.home → 10.0.10.27
dockge.nianticbooks.home → 10.0.10.27
```
Or add a wildcard entry:
```
*.nianticbooks.home → 10.0.10.27
```
Alternatively, add to your local `/etc/hosts` (Linux/Mac) or `C:\Windows\System32\drivers\etc\hosts` (Windows):
```
10.0.10.27 sonarr.nianticbooks.home radarr.nianticbooks.home prowlarr.nianticbooks.home bazarr.nianticbooks.home deluge.nianticbooks.home calibre.nianticbooks.home vikunja.nianticbooks.home dockge.nianticbooks.home
```
## Management Commands
### View Caddy Logs
```bash
ssh root@10.0.10.3 "pct exec 127 -- docker logs caddy-internal -f"
```
### Restart Caddy
```bash
ssh root@10.0.10.3 "pct exec 127 -- docker restart caddy-internal"
```
### Update Caddyfile
```bash
# Edit on server
ssh root@10.0.10.3
pct exec 127 -- bash
cd /opt/caddy-internal
nano Caddyfile
docker restart caddy-internal
```
### View Generated Certificates
```bash
ssh root@10.0.10.3 "pct exec 127 -- docker exec caddy-internal ls -la /data/caddy/certificates/local/"
```
## What's Still Needed (Phase 2)
### Step-CA ACME Integration
The current setup uses Caddy's internal PKI (self-signed certificates). For better integration with your existing Step-CA server, we need to:
1. **Fix CA Server Certificate:** The Step-CA server certificate needs an IP SAN for 10.0.10.15
2. **Configure ACME Client:** Update Caddy to use Step-CA ACME endpoint
3. **Trust Chain:** Ensure Caddy trusts the Step-CA root certificate
**Benefit:** Single CA for the entire homelab instead of two separate CAs.
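The three Phase 2 steps above, as an added Caddyfile sketch (not the Caddyfile deployed in `/opt/caddy-internal`). It assumes the Step-CA ACME provisioner is named `acme` (step-ca's default), that the Step-CA root has been copied into the container as `/etc/caddy/homelab-ca.crt`, and that the upstream addresses are placeholders to replace with the hosts that actually run each service:

```caddyfile
# Added example for the Phase 2 plan; not the Caddyfile currently deployed on CT 127.
# Assumptions: Step-CA ACME provisioner "acme", Step-CA root copied into the
# container as /etc/caddy/homelab-ca.crt, and the 10.0.10.15 server certificate
# already carrying the IP SAN from step 1 (Caddy rejects the directory URL otherwise).
{
	# Step 2: obtain certificates from Step-CA instead of Caddy's internal PKI.
	acme_ca https://10.0.10.15/acme/acme/directory
	# Step 3: trust the Step-CA root when Caddy talks to that ACME endpoint.
	acme_ca_root /etc/caddy/homelab-ca.crt
	# Phase 1 exposed only 443. The tls-alpn-01 challenge runs on 443, so port 80
	# stays closed, but Step-CA itself must resolve *.nianticbooks.home to
	# 10.0.10.27 (the DNS entries above) or every order will fail validation.
	auto_https disable_redirects
}

# Upstreams and ports from the service table; 127.0.0.1 is a placeholder.
sonarr.nianticbooks.home {
	reverse_proxy 127.0.0.1:8989
}
radarr.nianticbooks.home {
	reverse_proxy 127.0.0.1:7878
}
prowlarr.nianticbooks.home {
	reverse_proxy 127.0.0.1:9696
}
bazarr.nianticbooks.home {
	reverse_proxy 127.0.0.1:6767
}
deluge.nianticbooks.home {
	reverse_proxy 127.0.0.1:8112
}
calibre.nianticbooks.home {
	reverse_proxy 127.0.0.1:8083
}
vikunja.nianticbooks.home {
	reverse_proxy 127.0.0.1:3456
}
dockge.nianticbooks.home {
	reverse_proxy 127.0.0.1:5001
}
```

Once this is live, the leaf certificates chain to the Step-CA root already deployed as `/usr/local/share/ca-certificates/homelab-ca.crt`, so the separate Caddy-Internal-Root-CA.crt client install becomes unnecessary.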
### Services Still Needing SSL
**Proxmox Hosts:**
- ✅ main-pve (10.0.10.3) - Already has SSL, needs CA-signed cert
- ✅ pve-router (10.0.10.2) - Already has SSL, needs CA-signed cert
- ✅ pve-storage (10.0.10.4) - Already has SSL, needs CA-signed cert
**LXC Services:**
- ✅ Home Assistant (10.0.10.24) - Already has SSL, needs CA-signed cert
- ⚠️ n8n (10.0.10.22) - HTTP only
- ⚠️ Authentik (10.0.10.21) - HTTP only
- ⚠️ Grafana (10.0.10.25) - HTTP only
**VPS Caddy:**
- Update VPS Caddy to use internal CA for public services
- Avoids "invalid certificate" warnings when accessing services remotely
### Documentation
- [ ] Update SERVICES.md with new HTTPS endpoints
- [ ] Create quick-start guide for new devices
- [ ] Add monitoring for certificate expiration
## Scripts Created
- **`scripts/deploy-ca-certificates.sh`** - Deploys homelab CA root to all containers
- **`scripts/setup-internal-caddy.sh`** - Interactive Caddy deployment (not used - manual deployment preferred)
## Troubleshooting
### Certificate Warnings Still Appear
1. Verify CA certificate is installed on client device
2. Check that DNS resolves to 10.0.10.27
3. Ensure you're using `https://` (not `http://`)
4. Clear browser cache and restart browser
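A scripted version of checks 1 and 2 above, which also covers the "monitoring for certificate expiration" item from the Phase 2 list. This is an added example, not a script from the infrastructure repo; it assumes it is run from the repo directory where `Caddy-Internal-Root-CA.crt` lives and relies on Caddy's internal issuer signing leaf certificates for 12 hours and renewing them on its own, so a leaf with little time left signals a renewal failure rather than a planned expiry:

```python
"""Added example (not from the homelab repo): verify each proxied service."""
import socket
import ssl
import time

PROXY_IP = "10.0.10.27"
DOMAIN = "nianticbooks.home"
SERVICES = ["sonarr", "radarr", "prowlarr", "bazarr", "deluge", "calibre", "vikunja", "dockge"]
CA_FILE = "Caddy-Internal-Root-CA.crt"  # assumed: run from the infrastructure repo
# Caddy's internal issuer signs leaves for 12h and renews them itself, so a leaf
# with under 2h left means renewal is broken, not that the cert is due to expire.
MIN_LEAF_HOURS = 2.0


def hours_left(not_after, now=None):
    """Hours until an openssl-style notAfter string, e.g. 'Jan 25 12:00:00 2027 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 3600.0


def assess(cert, resolved_ip, now=None):
    """Problems found for one service; an empty list means it is healthy."""
    problems = []
    if resolved_ip != PROXY_IP:
        problems.append(f"resolves to {resolved_ip}, expected {PROXY_IP}")
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if "Caddy Local Authority" not in issuer.get("commonName", ""):
        problems.append(f"unexpected issuer {issuer.get('commonName')!r}")
    remaining = hours_left(cert["notAfter"], now)
    if remaining < MIN_LEAF_HOURS:
        problems.append(f"leaf expires in {remaining:.1f}h; Caddy should have renewed it")
    return problems


def check_service(name):
    """Resolve the name, connect trusting only the Caddy root, then assess the leaf."""
    host = f"{name}.{DOMAIN}"
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return [f"DNS lookup failed: {exc}"]  # troubleshooting step 2
    ctx = ssl.create_default_context(cafile=CA_FILE)
    try:
        with socket.create_connection((ip, 443), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after the chain verified
    except (OSError, ssl.SSLError) as exc:
        return [f"TLS verification against {CA_FILE} failed: {exc}"]  # step 1
    return assess(cert, ip)


if __name__ == "__main__":
    for svc in SERVICES:
        print(f"{svc:10s}", "; ".join(check_service(svc)) or "OK")
```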
### Service Not Accessible
1. Check Caddy is running: `docker ps | grep caddy-internal`
2. Check Caddy logs: `docker logs caddy-internal`
3. Verify backend service is running: `docker ps` or `systemctl status <service>`
4. Check firewall rules on CT 127
### Connection Refused
- Caddy listens on port 443 only (no port 80)
- Ensure you're using HTTPS URLs
- Verify Caddy container is in `host` network mode
## Security Considerations
**Current State:**
- ✅ All traffic to the services behind the internal proxy is encrypted (n8n, Authentik and Grafana remain HTTP only until Phase 2)
- ✅ CA certificates properly distributed
- ⚠️ Using Caddy internal PKI (self-signed) instead of Step-CA
**Recommendations:**
- Install CA certificate on all client devices immediately
- Do NOT expose Caddy internal proxy ports publicly (internal use only)
- Regularly update Caddy container for security patches
## Next Steps
1. **Immediate:** Install Caddy CA certificate on your primary devices
2. **Short-term:** Add DNS entries or hosts file entries
3. **Medium-term:** Migrate from Caddy internal PKI to Step-CA ACME
4. **Long-term:** Add remaining services (n8n, Authentik, Grafana) to HTTPS
---
**Deployment Completed By:** Fred (with Claude Code)

**Last Updated:** 2026-01-25

**Status:** ✅ Phase 1 Complete - Services accessible via HTTPS with self-signed certificates