You can use DNS01 for services not accessible from the outside. I use a caddy reverse proxy, with a wildcard cert for *.mydomain.com. caddy handles that for me automagically. Needed? Maybe not, but it’s a whole lot prettier, and I learned new things about certs and caddy :)

deleted by creator

I have my Firefox configured to force HTTPS, so it’s rather inconvenient to work with any non-HTTPS sites.

Because of that I decided to make my own CA. But since I’m running in Kubernetes and using cert-manager for certs, this was really easy. Add a resource for a self-singed issuer, issue a CA cert, then create an issuer based on that CA cert. 3 Kubernetes resources total: https://cert-manager.io/docs/configuration/ca/ and finally import the CA cert on your various devices.

However this can also be done using LetsEncrypt, with the DNS01 challenge. That way you don’t need to expose anything to the Internet, and you don’t need to import a CA on all of your devices. Any cert you issue will however appear in certificate transparency logs. So if you don’t want anyone to know that you are running a Sonarr instance, you shouldn’t issue a certificate with that in it’s name. A way around that is a wildcard cert. Which you can then apply to all your subservices without exposing the individual service in logs. The wildcard will still be visible in the logs though…

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

4 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #176 for this comm, first seen 16th Mar 2026, 23:00] [FAQ] [Full list] [Contact] [Source code]

Look into DNS-01 challenge where instead of exposing 80/443, you obtain a cert by creating a TXT record for your domain. This requires your ACME client to support talking to your DNS provider’s API. For certbot they’re installable via plugins, for lego-acme many providers are included.

My DNS provider doesn’t have an API for setting DNS, which makes doing dns CNAME validation manual.

Therefore, what I do is:

• Have a public nginx server and point public DNS records to it, then generate certs against it
• Pull those certs to my internal nginx server in my lan
• Use pi.hole to set internal DNS records (so jellyfin.mydomain.com points to 10.10.110.23 within my network)

I had a Let’s Encrypt for an internal domain for a while. It was a wildcard subdomain of one of my external domains. *.x.y.com I created it by setting up a temp webserver and creating it from there. I ran into internal issues because I also had hairpinning for some services and not others.

Alternatively, you could do your own CA with something like EasyCA. You’d have to add the CA cert to all devices, but once you do, you have full control to create any certs you want.

Https is pretty trivial to deploy so I would personally set it up

My router has Caddy to reverse proxy all http sites which uses a certificate it gets from let’s encrypt.

@gblues If you use something like yggdrasil, you don’t need to bother w/ ssl certs. Just make sure your services are listening on the yggdrasil-specific IPv6 port only, and whenever you connect to one over plain http:// you’re guaranteed to have an encrypted, verified connection.