#stepca — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #stepca, aggregated by home.social.
-
Been a while since I blogged, so it's time for the latest installment in "Edd massively over-complicates things with SSH certificates." This time, a post about how I got rid of the need to create a new sub account on my #Hetzner Storage Box every time I wanted to create a new VM and back it up with #Borg. Definitely easier ways to have achieved it, but it shows off the versatility of ssh certificates, and #StepCA that's powering them in my home lab.
-
What can I say ...
Another 2 days of my life wasted and not a single step forward. #StepCA does appear to run correctly in the LXC (created via #CommunityScript), but I can't get an #SSL certificate out of it, neither manually nor via an #ACME request. The annoying part is that more and more (local) tools simply won't/can't work properly without SSL.
If this keeps up, I'll have to give up #selfhosting again, because at some point I need something that actually works ...
-
I think I need the collective knowledge of the #Homelab nerds ... 😉
I've already gotten quite a few servers, tools and the like running here at home. Sometimes for testing, and often in production use.
But for months now, and with easily 5-10 attempts by this point, I simply cannot manage to get my local #SSL certificates working with #StepCA.
I run from one error into the next - despite the PVE CommunityScripts ... How did it go for you? Did it work well? Where were the sticking points?
-
@owen I don’t find it that bad with #stepca. It’s not exactly trivial, but it’s possible. If more things I run — or want to run — had a “step” client or #acme (and not just support for #LetsEncrypt), it would be much easier.
-
@Larvitz How is Step CA? Are you coming from another CA solution?
Been thinking about running #stepca in my #kubernetes cluster, but have been apprehensive because of how many features seem to be gated behind smallstep's proprietary version. Would love to have this integrated with #certmanager and using the #tpm on my nodes. Was going to do a rearchitecting of my entire #auth and #cryptography stack when I switch from the deprecated #Ingress API to the #GatewayAPI
-
Oh wow! I had some weird stuff in the GatewayAPI config for HTTP to HTTPS redirect which was blocking ACME.
Now I have CertManager correctly issuing certificates from my private StepCA, using the http01 solver behind GatewayAPI! Blog coming (eventually). 🎉
#HomeLab #GatewayAPI #Kubernetes #CertManager #StepCA #TalosLinux
-
Security at a new level: a look at Smallstep CA and how to use it
We take a look at Smallstep CA, a modern and innovative solution for certificate management. It can offer several advantages compared to OpenSSL.
https://habr.com/ru/companies/magnit/articles/816095/
#certification_authority #freeipa #stepca #сертификаты #magnit_tech
-
What a project. Did configure StepCA in my home-lab with a real physical HSM for the CA's private key. Using a SmartcardHSM (https://www.smartcard-hsm.com) from CardContact Systems.
Now I have acme (automated cert provisioning) working internally as long as the HSM is plugged into my server.
All running in an isolated FreeBSD 15-RELEASE jail (StepCA compiled from source with added PCSC-Lite support and usb device passed through by devfs rules).
Yay! It works!
#freebsd #stepca #devops #acme #certificates #tls #smartcard #hsm
-
My ACME certificates generated by step-ca don't have a "subject" but they have SANs. Unfortunately, OpenVPN seems to require a subject to work.
-
There's our own local #nextcloud stack running featuring #collabora online and family's impressed so far. #stepca issues the #certs. The #cookbook #app is also nice btw! Next stop trying #AI with #NextcloudAssistant and test other nice things. Since my i3 is operating on its limits right now, I've purchased a #refurbished #lenovo #thinkcenter core i7 with 16GB RAM being our third #docker host. 💪 #selfhosting #homelab #opensource
-
My homelab is now using NRPE with TLS thanks to the private PKI I deployed this week-end.
-
Achievement unlocked 🔓
My homelab now has valid internal TLS certificates automatically renewed by certbot on a step-ca server.
-
Step CA configured with PostgreSQL backend and the ACME provider in my homelab. Clients trust the CA. Next steps: configure certbot and add monitoring to check certificate expiration.
-
I have been managing my own CA for NRPE and OpenVPN by hand but I always forget how to (re)generate the certificates. I'll give step-ca a try this weekend and follow the @jwildeboer blog post https://jan.wildeboer.net/2025/07/letsencrypt-homelab-stepca/
#homelab #selhosting #stepca -
My new homelab has progressed. I now have SmallStep CA running, with ACME enabled, and InfluxDB 3 with Grafana.
It's not much but it is a start.
-
When all parts come together ;) I now have S3 compatible storage with #garage in my homelab, using #nginx as reverse proxy and secured with a certificate from my own #StepCA based CA (Certificate Authority) that gets auto-renewed by #certbot. And this all works without any internet connection, as I also have a DNS server for my home network with the correct CNAME entry for s3.
-
(due to a snafu, this is a re-post)
New blog post! After reading @mmeier's blog post about monitoring his Kubernetes cluster certificates, I decided to take a look at how this is done with Talos, and learned a lot from it. You can read my solution in my blog post, as well as Michael's (which I link in my post, and also below in this thread).
#HomeLab #TalosLinux #StepCA #Certificates #Kubernetes #Blog @homelab
https://mteixeira.wordpress.com/2025/12/07/monitoring-the-kubernetes-certificates-on-a-talos-cluster/ -
I am also a bit proud that I managed to replicate my own little letsencrypt for my homelab using #stepca [1]. My homelab machines also get and renew their certificates with certbot from my own CA (Certificate Authority) automagically. I just checked and yes, they renewed a few days ago without any problem. Yay!
[1] https://jan.wildeboer.net/2025/07/letsencrypt-homelab-stepca/
-
Have my #stepca working, and certs for imap installed. However, they are not working on iOS and I suspect it’s because iPhone cert policies don’t like root certs with 10 year life spans. Works in macOS just fine.
-
A short guide on installing an online, local and open-source certificate authority with #stepca and generating certificates via the ACME protocol with #certbot, #Traefik and #Proxmox VE.
https://doc.quercylibre.fr/Securit%C3%A9/Step-CA/01-installation/
-
@cmalloc @seism0saurus #StepCA is running in my homelab too, though still manually as well. Works flawlessly.
-
Home lab experiments: your own Let's Encrypt on OpenWRT
Digging deeper into DevOps in my home lab, I began to notice that it is often easier to use TLS/mTLS than to configure and debug ways of doing without it. While thinking about reliable hosting for a private CA, I discovered that among all my electrical equipment only two devices have uptime close to 100%: the refrigerator and the internet router. The idea of getting not only drinks but also SSL certificates out of the fridge warmed my heart so much that I almost started looking for where to buy a smart fridge. Then I cooled off a bit and decided to first try a router running OpenWRT firmware.
https://habr.com/ru/articles/827206/
#openwrt #arm64 #selfhosted #let's_encrypt #acme #x509 #tls #certificate_authority #stepca #sslсертификаты
-
New #blog post! Check out this great app that automatically scans your #Docker Compose file, proxies all your services behind #Caddy, and requests TLS certificates for all of them using a private CA (#StepCA). The cherry on top is getting #HomeAssistant behind the proxy, and secure!
#HomeLab #SelfHosted
https://mteixeira.wordpress.com/2024/04/12/proxying-apps-behind-caddy-with-certs-from-private-ca-using-home-assistant-as-example/ -
One of the best services I brought up for my #HomeLab sanity was this #Caddy container that reads my #Docker compose declarations and requests SSL certificates for the services against my private #StepCA server. Makes life soooo much easier to add web encryption to everything #SelfHosted.
https://github.com/lucaslorentz/caddy-docker-proxy -
Great! #UptimeKuma helped me realize that I have incorrectly set up one web server in my #HomeLab, because I messed up the HTTP to HTTPS redirection and #Certbot was unable to renew a cert from my private #StepCA. Yep, the extra work for adding monitoring is worth its price. 😄 👍
-
New #blog posted! Check out how you can run your own private #StepCA #CertificateAuthority with #ACME and #Certbot totally private, disconnected from the internet. Run your own #LetsEncrypt at home!
#HomeLab #Security
https://mteixeira.wordpress.com/2024/03/03/running-your-private-certificate-authority-with-acme-support/ -
And, after some hard work, and a few struggles with #Docker, #DNS and #Firewall rules, I finally have been able to install #StepCA from #SmallStep on my #HomeLab, so now I have a nice private #CertificateAuthority with which I can use #Certbot to manage my service certificates in a #LetsEncrypt style. Took a lot of notes. Blog post will come eventually! (too tired right now)
https://smallstep.com/docs/step-ca/ -
Of course, now that I’ve laboriously set up my #homelab #StepCA #CertificateAuthority, I am finding that #Pfsense and the #TrueNASScale #TrueCharts apps for #Traefik and #CertManager don’t integrate easily via #ACME custom servers or otherwise. 🤦♂️
-
Happy that I’ve successfully set up my own local #homelab #x509 and #SSH #CertificateAuthority with #StepCA. I imported a root #CA chain that I generated on my own separately.
From this, I learned that StepCA did not like the human-readable headings — above the “BEGIN CERTIFICATE” statements — in .crt/.pem files that #OpenSSL generated. I don’t know what they are called or any CLI option that added them to the #PEM files. However, when I removed the headers, the StepCA server started without error.
-
I've seen some pretty nifty #homelab network maps on here, I need to get around to making something like that.
I'm kind of addicted to spinning up and hosting cool and useful services in #Docker at home (and/or on a #VPS).
Here are a few of them I use on a regular basis:
- #AudioBookshelf (audiobook server)
- #BoringProxy (reverse proxy and tunnel manager)
- #CalibreWeb (ebook server)
- #croc relay (file transfer utility)
- #EternalJukebox (your favorite song ∞)
- #glauth (LDAP server with 2FA)
- #MIMIC3 (TTS engine)
- #mirotalk (WebRTC video conferencing)
- #nitter (Twitter frontend/proxy)
- #Photoprism (photo gallery)
- #pihole with #dnscrypt (DNS-based adblocker)
- #Plex (media server)
- #PodGrab (podcast server)
- #PretendYoureXyzzy (Cards Against Humanity clone)
- #StepCA (certificate authority)
- #TransmissionOpenVPN (Transmission torrent client and OpenVPN in Docker)
- #UptimeKuma (service monitoring tool)
- #VaultWarden (BitWarden-compatible server)
- #WireGuard (VPN)
Anything super nifty y'all think I'm missing?
-
Is it possible to install a TLS client certificate on an iPhone running iOS 16?
I'm trying to do it but can't get it to show the certificate as verified (even though the Root and Intermediate CAs are both installed, verified and fully trusted).
Really want to leverage mTLS. I've had it working on an iPhone before (a couple of years ago, I think), but not sure if it's possible any longer.
#tls #https #smallstep #stepca #mtls #https #iphone #ios #apple #infosec