I’m just so annoyed at fighting this all the time.
If I can’t figure this out I’m going to disable all https redirecting and turn all certificate errors off so I can have some peace.
EDIT: I do not wish to manage certificates, I do not want to set up a private key infrastructure, I don’t want to use real internet domain names, I don’t want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines.
I just want to add an exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.
IMO it’s easiest to just use a real domain for your local network. For example, I use subdomains of int.example.com, where example.com is my blog. Then, you can get Let’s Encrypt or ZeroSSL certificates for all the hosts. Systems do not need to be accessible over the internet - you can use an ACME DNS challenge instead of an HTTP one. Use something like certbot or acme.sh and renewals will be automated.
Only cost is for the domain, and some TLDs are less than $5/year. Check tld-list.com and sort by renewal price, not registration price (as some are only cheap for the first year).
This is the way to do it - actual valid certs, with actual working TLS.
OP’s issue is they don’t understand how SSL works and they’re fighting Firefox, which is actually trying to protect them and steer them in the right direction.
So you get a wildcard cert for the public domain, and only go one level deep on your LAN, reusing the wildcard cert? That’s a pretty cool trick.
I use a wildcard cert in some places, but most of them are individual certs. You can have multiple ACME DNS challenges on a single domain, for example _acme-challenge.first.int.example.com and _acme-challenge.second.int.example.com for first.int.example.com and second.int.example.com respectively. The DNS challenge just makes you create a TXT record at that _acme-challenge subdomain. Let’s Encrypt follows CNAMEs and supports IPv6-only DNS servers, so I’m using some software called “acme-dns” to run a DNS server specifically for ACME DNS challenges. It’s just listening on an IPv6 address in one of my VPS’s /64 IPv6 ranges.
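The two replies above describe the same mechanism from different ends: a real domain whose hosts are validated with ACME DNS-01 challenges, and _acme-challenge names delegated by CNAME to a dedicated acme-dns server so the real zone never changes at renewal time. The following is an added worked example, not code from the thread or from acme-dns or Let’s Encrypt. It computes the TXT value a CA expects for a DNS-01 challenge (RFC 8555 section 8.4), builds the per-host CNAME delegation records, and then checks validation against an in-memory zone the way a CNAME-following validator would. The hostnames under int.example.com are the thread’s; the acme.example.net zone, the account thumbprint, the tokens and the acme-dns labels are constructed sample values.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

ACME_LABEL = "_acme-challenge"

# A zone is a dict: owner name (lowercase) -> list of (rtype, rdata).
Zone = Dict[str, List[Tuple[str, str]]]


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def challenge_name(hostname: str) -> str:
    """Owner name the CA queries for TXT. A wildcard is validated at its base
    name, so *.int.example.com and int.example.com share one record."""
    base = hostname[2:] if hostname.startswith("*.") else hostname
    return f"{ACME_LABEL}.{base}".lower()


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT rdata is base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' base64url(JWK thumbprint of account key)."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def delegation_records(hosts_to_labels: Dict[str, str], acme_dns_zone: str) -> List[Tuple[str, str, str]]:
    """CNAMEs to publish once in the real zone: each host's _acme-challenge name
    points at a per-host name on the acme-dns server, so only that server's
    records change at renewal time. hosts_to_labels maps hostname -> the label
    acme-dns handed out at registration (constructed values in the demo below)."""
    return [
        (challenge_name(host), "CNAME", f"{label}.{acme_dns_zone}".lower())
        for host, label in hosts_to_labels.items()
    ]


def resolve_txt(zone: Zone, name: str, max_hops: int = 8) -> List[str]:
    """Return the TXT strings at `name`, following CNAMEs the way a validating
    CA does, with loop and hop-count protection."""
    seen = set()
    name = name.lower()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = zone.get(name, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0].lower()
            continue
        return [rdata for rtype, rdata in rrset if rtype == "TXT"]
    raise ValueError(f"more than {max_hops} CNAME hops reaching {name}")


def validates(zone: Zone, hostname: str, token: str, thumbprint: str) -> bool:
    """True if the TXT set reachable from _acme-challenge.<host> contains the
    value the CA expects for this token and account key."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(zone, challenge_name(hostname))


# --- constructed sample data (assumptions, not from the thread) --------------
ACME_DNS_ZONE = "acme.example.net"            # assumed zone served by acme-dns
THUMBPRINT = "constructed-account-thumbprint"  # real one is a base64url JWK hash
LABELS = {                                     # assumed per-host acme-dns labels
    "first.int.example.com": "9f1d0a3c-first",
    "second.int.example.com": "4b7e2d11-second",
}


def build_sample_zone(tokens: Dict[str, str]) -> Zone:
    """The real zone holds only the CNAMEs; the acme-dns zone holds live TXT
    values for the hosts in `tokens` (hostname -> current challenge token).
    Hosts in LABELS but not in `tokens` are delegated but have no TXT yet."""
    zone: Zone = {}
    for owner, rtype, target in delegation_records(LABELS, ACME_DNS_ZONE):
        zone.setdefault(owner, []).append((rtype, target))
    for host, token in tokens.items():
        target = f"{LABELS[host]}.{ACME_DNS_ZONE}"
        zone.setdefault(target, []).append(("TXT", dns01_txt_value(token, THUMBPRINT)))
    return zone


if __name__ == "__main__":
    zone = build_sample_zone({"first.int.example.com": "tok-first"})
    for owner, rtype, target in delegation_records(LABELS, ACME_DNS_ZONE):
        print(f"{owner}. IN {rtype} {target}.")
    print("first validates: ", validates(zone, "first.int.example.com", "tok-first", THUMBPRINT))
    print("second validates:", validates(zone, "second.int.example.com", "tok-second", THUMBPRINT))
```

Running it prints the two CNAME records you would add to int.example.com once, then True for first (its TXT is present on the acme-dns side) and False for second (delegated, but no TXT published yet). The same check against a stale token also fails, which is the property the CA relies on: only whoever can write TXT records on the delegated acme-dns name can pass validation, so the acme-dns server and its API credentials deserve the same care as the zone itself.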