Typically, you can connect to your Plex/Emby/Jellyfin or whatever home server from your local network only. In the past, you had to create a local CA, issue custom certificates and make the CA known to all your clients if you wanted to use HTTPS — quite the hassle.
Recently I was talking to colleagues about this issue and was surprised they did not know about the DNS-01 protocol, which allows you to have LetsEncrypt issue certificates for servers that are not connected to the Internet.
I’m not going to explain in detail how that’s achieved, but some pointers are in order.
Client
I’m using acme.sh. By default it uses ZeroSSL instead of LetsEncrypt, for whatever reason. ZeroSSL is fine I guess, however if you want to use LetsEncrypt, you’d have to switch manually before letting acme.sh issue a certificate.
Pro Tip: Double-check that acme.sh has indeed switched. Last time I switched it was a bit fincky.
DNS
The easiest way is to use an existing domain or buy a domain for a couple of bucks per year from a DNS provider that offers a DNS API. A list of supported providers is available from acme.sh.
If your DNS provider does not provide API access you could try DNS alias mode.
Pros and Cons
| Pros | Cons |
|---|---|
|
|