This project is not about getting HTTPS for my website, but rather about getting a FQDN that lets me get HTTPS on my LAN (for things like my router's web interface). I did this for a few reasons, but mainly to stop using self-signed certs. Getting a valid domain was just a nice bonus!
Part 1: What's a CA?
This project, like many, started with a goal in mind without any clue as to how I was going to accomplish it. But that never stopped me before, so I continued forward. I knew that in order to get a cert that was not self-signed, I needed a domain name. So I made several attempts to set up my own internal domain. I quickly found out that was not going to work, much to my dismay, although I gained some extremely valuable insight into how HTTPS works. While I was correct that HTTPS needs an SSL cert to function, I found that the cert needs to be signed by a trusted Certificate Authority (CA) in order to be considered valid. At the time I had no clue what a CA was, but I thought it would not be difficult to make my own using the CA creator in OPNsense. But as you can probably guess, that didn't work out. While I could make a CA and a signed certificate using my made-up domain name, the cert was rejected by every single browser for not being trusted. By this point I realized I was not going to get anywhere by messing around with a non-trusted CA, so I looked to the knower of all things: Google. And the answer I got was exactly what I feared.
Part 2: The missing piece
I found out that in order to have a trusted HTTPS certificate, I needed a trusted CA to sign it (not just a made-up CA). With this revelation, I kept digging until I found Certbot. Certbot is a program that obtains a free SSL cert for your domain name from Let's Encrypt. After attempting, like an idiot, to use Certbot to get a signed HTTPS cert for my made-up domain name, I started thinking about what I was missing in order to get HTTPS on my network. Then, as I was sifting through webpages, I found what I was missing: a FQDN. I had no clue what a FQDN was at the time, so I decided to take a break and do some research before I continued.
Part 3: Self-signed no longer!
All of my research led me to the one conclusion I had hoped would not be true: I needed to own a domain name. I have a thing about spending money; I didn't like doing it then and I still don't. So paying for a domain name was a terrifying prospect for me. But it needed to be done. Once I settled on one from Google Domains, I got to work figuring out how to get valid subdomains for use on my internal network. I soon discovered that with a wildcard certificate I could easily get my servers secured, and they didn't need to be public-facing either! The only catch is that I need to generate the certs manually, so a reverse proxy may be in order so I don't need to swap them out on each server every time.
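To make the two lessons above concrete, here is an added shell script (not code from the original post) that reproduces with openssl what Part 1 describes and what Part 3 relies on. It builds a throwaway private CA, issues one wildcard certificate for a constructed LAN domain, and then asks openssl to verify the certificates the way a browser would: a self-signed cert is rejected, a cert from a private CA is rejected unless that CA is explicitly supplied as trusted, and the single wildcard cert covers router.home.example but not the bare domain or a two-label name. The names "Demo Home CA" and home.example are placeholders, not anything from the post.

```shell
#!/bin/sh
# Added demonstration, not code from the original post: build a throwaway private
# CA with openssl, issue one wildcard certificate for a made-up LAN domain, and
# check which trust situations actually verify. "Demo Home CA" and home.example
# are constructed placeholder names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN="home.example"

# Self-contained openssl configs so nothing depends on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Home CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

cat > "$WORK/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = *.$DOMAIN
EOF

# Extensions the CA stamps on the leaf: a server cert valid for every *.home.example host.
cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$DOMAIN
EOF

make_pki() {
  # Private root CA (self-signed, CA:TRUE).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # CSR for the wildcard name, then the CA signs it with the extensions above.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # The post's starting point: a plain self-signed cert with no CA behind it.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# cert_status <hostname> <cert> [ca-file]
# Prints "trusted" when the chain verifies AND the hostname matches, else "untrusted".
# Without a ca-file only the system trust store is consulted, which is exactly
# what a browser does with a CA it has never been told to trust.
cert_status() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$3" -verify_hostname "$1" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -verify_hostname "$1" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

make_pki
echo "self-signed, system store:       $(cert_status router.$DOMAIN "$WORK/self.crt")"
echo "private CA leaf, system store:   $(cert_status router.$DOMAIN "$WORK/leaf.crt")"
echo "private CA leaf, CA supplied:    $(cert_status router.$DOMAIN "$WORK/leaf.crt" "$WORK/ca.crt")"
echo "wildcard vs bare domain:         $(cert_status $DOMAIN "$WORK/leaf.crt" "$WORK/ca.crt")"
echo "wildcard vs two labels:          $(cert_status a.b.$DOMAIN "$WORK/leaf.crt" "$WORK/ca.crt")"
```

The third line of output is the only "trusted" one, and it only becomes trusted because the CA file is handed to the verifier explicitly; installing that same root into every browser and device on the LAN is the work a publicly trusted CA such as Let's Encrypt saves you. The last two lines show why a wildcard for `*.home.example` is enough for `router.home.example` and `nas.home.example` but does not cover the bare domain or deeper names.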