Internal SSL/TLS

HTTP connections to the outside are encrypted by default in Caddy. For maximum security, connections inside the network should be encrypted as well. To do so, certificates issued by our own private CA are used: each certificate is signed by the root CA certificate of the host server (key located at /etc/pve/priv/pve-root-ca.key). The CA is trusted by the reverse proxy, so every certificate that chains to it is accepted.

Create new certificates

New certificates are created using openssl. To do so, first create a config file, e.g. san.cnf (it is needed to put IP addresses and extra hostnames into the subject alternative names, which modern clients check instead of the CN):

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_req
[ req_distinguished_name ]
commonName = <ENTER GUEST HOSTNAME>
[ v3_req ]
subjectAltName = @alt_names
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1  = <ENTER GUEST INTERNAL IP>
DNS.1 = <ENTER GUEST HOSTNAME>
DNS.2 = <ENTER GUEST HOSTNAME>.fritz.box
DNS.3 = <ENTER GUEST HOSTNAME>.falken-niedersachsen.local

Then, create a private key and certificate (this needs to be done on the host, because that is where the CA key lives):

# Generate a private key (make sure that there is enough entropy to do this properly)
[root@pve: /tmp] $ openssl ecparam -out example_server.key -name prime256v1 -genkey
# Create a CSR with the config file. When prompted, enter the guest hostname
[root@pve: /tmp] $ openssl req -new -key example_server.key -config san.cnf -out example_server.csr
# Create and sign a TLS certificate with 10 years lifetime (the SAN entries come from the v3_req section of san.cnf)
[root@pve: /tmp] $ openssl x509 -req -in example_server.csr -CA /etc/pve/pve-root-ca.pem -CAkey /etc/pve/priv/pve-root-ca.key -CAcreateserial -out example_server.pem -days 3650 -sha256 -extfile san.cnf -extensions v3_req

Now you can copy the generated key and certificate (example_server.key and example_server.pem) to the web server of the guest; the certificate will be trusted by the reverse proxy because it chains to the host CA.
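The whole procedure above as an added, runnable example (not part of the original page): it writes the same san.cnf non-interactively (prompt = no, so the CN comes from the file instead of a terminal prompt), generates the EC key, the CSR and the CA-signed certificate, and then checks what the reverse proxy will later rely on: that the certificate verifies against the CA and that both the hostname and the internal IP are present in the SAN. It goes slightly beyond the page's config by also marking the leaf as CA:FALSE with serverAuth usage. The CA it uses is a throwaway demo CA built in a temp directory, standing in for /etc/pve/pve-root-ca.pem; the hostname guest1 and IP 10.0.0.5 are constructed values.

```shell
#!/bin/sh
# Added example, not from the original page. A throwaway demo CA replaces the
# host's pve-root-ca so the script runs anywhere; on the real host the CA key
# stays in /etc/pve/priv and this script would be run there.
set -eu

# Write the SAN config from the page, non-interactive. $1 = path, $2 = hostname, $3 = IP
write_san_cnf() {
    cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_req
[ req_distinguished_name ]
commonName = $2
[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ req_ext ]
subjectAltName   = @alt_names
[ alt_names ]
IP.1  = $3
DNS.1 = $2
DNS.2 = $2.fritz.box
DNS.3 = $2.falken-niedersachsen.local
EOF
}

# Constructed demo CA (stand-in for the host's root CA). $1 = directory
make_demo_ca() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = demo-root-ca
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -config "$1/ca.cnf" -days 365 -sha256 -out "$1/ca.pem"
}

# key -> CSR -> CA-signed cert, then verify chain, hostname and IP.
# $1 = dir, $2 = guest hostname, $3 = guest internal IP, $4 = CA cert, $5 = CA key
issue_guest_cert() {
    dir=$1; host=$2; ip=$3; ca_cert=$4; ca_key=$5
    write_san_cnf "$dir/san.cnf" "$host" "$ip"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -config "$dir/san.cnf" -out "$dir/$host.csr"
    openssl x509 -req -in "$dir/$host.csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -out "$dir/$host.pem" -days 3650 -sha256 -extfile "$dir/san.cnf" -extensions v3_req
    # The checks a reverse proxy effectively performs: chain to the CA and SAN match.
    openssl verify -CAfile "$ca_cert" -verify_hostname "$host" -verify_ip "$ip" "$dir/$host.pem" >/dev/null
    openssl x509 -in "$dir/$host.pem" -noout -text | grep -q "IP Address:$ip"
}

# Stand-alone demo run with constructed values.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
issue_guest_cert "$demo_dir" guest1 10.0.0.5 "$demo_dir/ca.pem" "$demo_dir/ca.key"
echo "issued and verified: $demo_dir/guest1.pem"
```

On the real host the call would be issue_guest_cert with /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key as the last two arguments; only the resulting guest1.key and guest1.pem are copied to the guest, never the CA key.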

Warning

Never copy the root CA private key off the host (or anywhere else). Only perform the signing in the trusted environment!

Trust the host CA

TODO