How to create free LetsEncrypt TLS/SSL certificates for your private home server

Typically, you can connect to your Plex/Emby/Jellyfin or whatever home server from your local network only. In the past, you had to create a local CA, issue custom certificates and make the CA known to all your clients if you wanted to use HTTPS — quite the hassle.

Recently I was talking to colleagues about this issue and was surprised they did not know about the DNS-01 challenge (part of the ACME protocol), which allows you to have LetsEncrypt issue certificates for servers that are not connected to the Internet: control of the domain is proven through a DNS TXT record, so the CA never needs to reach the server itself.

I’m not going to explain in detail how that’s achieved, but some pointers are in order.

Client

I’m using acme.sh. By default it uses ZeroSSL instead of LetsEncrypt, for whatever reason. ZeroSSL is fine, I guess; however, if you want to use LetsEncrypt, you have to switch the default CA manually before letting acme.sh issue a certificate.

Pro Tip: Double-check that acme.sh has indeed switched. Last time I switched it was a bit finicky.

DNS

The easiest way is to use an existing domain or buy a domain for a couple of bucks per year from a DNS provider that offers a DNS API. A list of supported providers is available from acme.sh.

If your DNS provider does not offer API access, you could try DNS alias mode: the _acme-challenge record of your domain becomes a CNAME pointing at a record in another domain you control, hosted at a provider that does have an API, and the challenge TXT record is written there instead.
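What the DNS-01 challenge mentioned above actually checks, as an added Python example that is neither from this post nor from acme.sh; the account key, the token, the domain names and the in-memory zone are all constructed, and the CNAME case mirrors DNS alias mode:

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only (extra members such as "use" are ignored), sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Client side: the value published at _acme-challenge.<domain> is
    base64url(SHA-256(token "." thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def ca_validates(domain: str, token: str, thumbprint: str, zone: dict) -> bool:
    """CA side: resolve the TXT record, following CNAMEs like any resolver does
    (this is what acme.sh's DNS alias mode relies on). The host named in the
    certificate is never contacted, so it can sit on a private LAN."""
    name = f"_acme-challenge.{domain}"
    for _ in range(8):  # bound the CNAME chain so a misconfigured loop cannot spin forever
        target = zone.get("CNAME", {}).get(name)
        if target is None:
            break
        name = target
    return dns01_txt_value(token, thumbprint) in zone.get("TXT", {}).get(name, [])

# Constructed inputs: a fake EC account key (not a valid curve point) and a fake token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
TOKEN = "DGyRejmCefe7v4NfDGDKfA"

def demo() -> dict:
    """Publish the record as a DNS API would (here into a dict), then run the CA check
    directly, via a CNAME alias, and with a wrong token."""
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    txt = dns01_txt_value(TOKEN, thumb)
    zone = {"CNAME": {"_acme-challenge.home.example.com": "_acme-challenge.validation.example.net"},
            "TXT": {"_acme-challenge.validation.example.net": [txt]}}
    return {"txt": txt,
            "direct_ok": ca_validates("validation.example.net", TOKEN, thumb, zone),
            "alias_ok": ca_validates("home.example.com", TOKEN, thumb, zone),
            "wrong_token": ca_validates("home.example.com", "not-the-token", thumb, zone)}
```

Because only the TXT record is consulted, the private server's IP never has to be routable from the Internet; only its name has to exist in public DNS.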

Pros and Cons

Pros
  • Free certificate
  • All your clients know the CA already
  • Even if you decide to connect your home server to the Internet, the clients would already know the CA
  • Renewals can be automated easily

Cons
  • Your server has a public DNS record, even if it is private and not connected to the Internet. Better choose an innocuous name for your private server!
  • Not every DNS provider offers an API
