Get secure domains without opening port 80 and 443

The initial problem
Hihi! Have you ever tried to secure something that is LAN only? Just for the sake of learning, or because you don't want to see the browser complaining about your site?
If that's the case you have probably already heard about Let's Encrypt. They are a CA (Certificate Authority): they verify that you control a domain and issue a certificate that chains up to a root your devices already trust.
Now I love Let's Encrypt and use it everywhere, but in this particular case I don't want to open ports 80 and 443 and expose my public IP, which is what their usual HTTP challenge requires before they issue you a certificate.
Workarounds
I tried other methods. The first one I came across was self-signed certificates. These work! But what's the caveat? Well, you need to make sure each device trusts that certificate: every one of your browsers (if you use more than one), your phone, your laptop, the list goes on.
So that was not practical at all. Even more so when someone comes over to my place: am I going to say to them "Hey, can you load my certificate on your device?" Hell no, haha.
My solution
Requirements
Domain
DNS service with an API that NPM supports (Route 53, Cloudflare, etc.)
This is not something I came up with myself: Let's Encrypt also supports a DNS challenge (DNS-01). Instead of serving a file over port 80, you prove control of the domain by publishing a TXT record at _acme-challenge.<your domain> with a value derived from a token the CA gives you. The CA only queries DNS, so nothing inside your LAN needs to be reachable from the internet. How do we accomplish that? Well, it depends on which software you are using and where your domains are hosted.
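To make the mechanism concrete, here is an added example (mine, not code from the original post or from the Nginx Proxy Manager project) that computes and checks a DNS-01 challenge in Python, following RFC 8555 section 8.4 and the JWK thumbprint of RFC 7638. The account key, challenge token and hostname are constructed placeholders. NPM and its DNS plugin do all of this for you, including publishing the TXT record through the provider API token.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed example data (assumptions, not from the original post):
# a fake P-256 account key in JWK form (coordinates are arbitrary bytes,
# not a real key), a fake challenge token, and a LAN hostname.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes([0x11] * 32)),
    "y": b64url(bytes([0x22] * 32)),
    "alg": "ES256",  # optional member: must NOT influence the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed
SAMPLE_DOMAIN = "npm.home.example.com"  # constructed LAN hostname


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* JWK members only,
    serialised in lexicographic key order with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Compute the TXT record the ACME client must publish (RFC 8555 8.4).

    key authorization = token "." thumbprint(account key)
    TXT value         = base64url(SHA-256(key authorization))
    record name       = _acme-challenge.<domain>, with a leading "*."
                        removed for wildcard names.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def ca_validates(published_txt: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """Model of the CA side: recompute the expected value and check that it
    appears among the TXT records found at the challenge name. Only DNS is
    consulted; whatever the A record points at is never contacted, which is
    why a private IP in the A record is fine."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in published_txt.get(name, [])


if __name__ == "__main__":
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. 120 IN TXT "{value}"')
    # Simulated zone after the DNS plugin added the record via the API.
    zone = {name: [value]}
    print("CA validation:", ca_validates(zone, SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
```

The two things worth noticing are that the TXT value is bound to your ACME account key (a third party who sees the token cannot complete the challenge without that key), and that a wildcard name and its base name share the same _acme-challenge record, which is why the DNS challenge is the only way to obtain wildcard certificates.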
In this example I'm going to use Nginx Proxy Manager (NPM) + Cloudflare. If you are going to follow along, first make sure NPM is up and running.
I suggest you use the docker compose installation they provide. After the installation you create an account and land on the dashboard.
Now let’s head into SSL Certificates
Once here you can see I already have mine. Let's Encrypt certificates are valid for 90 days, but I'll show you how to renew them later on :)
Now click on "Add SSL Certificate" and then "Let's Encrypt".
First we enter the domain name, enable "Use a DNS Challenge", choose the DNS provider and agree to the terms of service.
When we select Cloudflare as the DNS provider it asks us for an API token.
We can obtain it from the API Tokens page of the Cloudflare dashboard.
There we click on "Create Token" and choose the template "Edit zone DNS". Scope it to just the zone you need (the template lets you restrict Zone Resources to a specific zone): NPM stores this token, and anyone who gets hold of it can rewrite the DNS of every zone it covers. We're going to paste that token into the field we saw before, but before saving we need to create the DNS record itself.
The A record points at the private IP of my NPM host. That it's a private address doesn't matter: the DNS challenge only checks the TXT record and never connects to that IP, so the A record just has to resolve for devices on my LAN.
Now save those changes and you should see the certificate listed like mine :)
NPM renews these in the background before they expire; to renew one by hand, click on the 3 dots and "Renew Now".
There you go, now you have a domain trusted on all of your devices for your LAN things without opening anything :) One thing to keep in mind: every certificate Let's Encrypt issues is published in public Certificate Transparency logs, so the hostnames you request certificates for become discoverable. If that bothers you, the DNS challenge also lets you request a wildcard certificate, which hides the individual LAN hostnames.
DISCLAIMER:
You can open ports 80 and 443 and request the cert each time you need it, but some ISPs block those ports for security reasons (and others hand out no public IPv4 at all, only a CGNAT address), so this is a workaround for folks like me :)
End
Hope this works for you. In case it wasn't clear enough, here is a video about the topic :)
https://www.youtube.com/watch?v=qlcVx-k-02E
Have a great day!
Written by jd
