4
ventgrey
12d

SSL was a good idea terribly implemented. Relying only on big tech for valid certificates was the single most idiotic thing the web baboons could come up with.

Sure, you could always hack Comodo (again) to issue yourself some LAN certs, but come on. You either expose your server or pay half a kidney for a somewhat secure thing! Give me a break....

Comments
  • 4
    Have you heard about Let's Encrypt? From EFF.org.

    Also consider using your own CA. EasyRSA should do it.
  • 2
    How else can you guarantee authenticity? Your root of trust has to be somewhere and, like it or not, huge companies are just the most trustworthy place for that. At least they have a lot of incentives (investors and money) to *not* fuck over users and issue unauthorized certs.
  • 1
    @12bitfloat well, there was once a company called DigiNotar....
  • 0
    @NeatNerdPrime I know about Let's Encrypt. However, I'm not really willing to expose a homelab using things like DuckDNS/NoIP just to get a simple SSL cert.

    Will check EasyRSA. Thanks for your recommendation!
  • 2
    @12bitfloat They do though. Every few years a root CA is removed from Firefox because it's found to have issued fake certs to governments. The great thing about PKI is that the root CA lists are compiled by everyone separately, so Mozilla can remove the ones that abuse their position, Chrome can remove the ones that abuse their power to help unfriendly states, the PRC can add their own CAs to devices distributed in China, and you can make a list with your 3 closest friends if you like.
  • 2
    This is the best way for users to be able to delegate the job of keeping track of identities without giving up control over the process. Any consensus algorithm can be gamed by the rich and the beautiful. The lack of consensus is what makes PKI safe.
  • 2
    EJBCA is also a free Certificate Authority (PKI). If you are just wanting things trusted locally, that would be an option.

    https://www.ejbca.org/
  • 1
    @lorentz Well sure, but at least that's just every few years. Imagine how often such a thing would happen if it was within the grasp of the average user (hacker).

    Re China: It's called "root of *trust*" for a reason. At the end of the day it's all a made-up fantasy anyway, so if you can't trust your government to follow the (imaginary) rules... I mean, then you're just fucked in general.
  • 0
    @ventgrey I don't think exposing the homelab is strictly necessary.
    My homelab k8s cluster uses subdomains of a public domain, but the URLs are only resolved by local DNS.
    I still use Cloudflare to get Let's Encrypt certs, but the services are not exposed to the internet.

    This is something I set up recently though, so I'm not 100% clear on the details.
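The two suggestions in this thread, running your own CA (EasyRSA, EJBCA) and keeping LAN services off the public internet, come down to the same mechanism: a trust anchor you control, installed only on the devices you choose. The script below is an added example, not from the thread or from any of the tools named in it; it uses `openssl` directly instead of EasyRSA or EJBCA, and the CA names (`homelab`, `friends`) and hostnames (`nas.lan`, `printer.lan`) are made up. It assumes openssl 1.1.1 or newer and writes everything to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for LAN hosts with openssl.
# Assumptions: openssl 1.1.1+ on PATH; WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed root. The private key never leaves this box;
# only NAME.crt is copied to the clients that should trust it.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -extensions ca_ext \
    -subj "/CN=$1 Homelab Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA HOST: leaf cert bound to HOST via subjectAltName, signed by CA,
# explicitly marked as not a CA so it cannot issue further certs.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature,keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = DNS:$2"
  } > "$WORK/$2.ext"
  openssl x509 -req -days 825 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain CA HOST: exit 0 iff HOST's cert chains to CA, i.e. what a client
# whose only trust anchor is CA.crt would decide.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_host CA HOST NAME: additionally require the cert to be valid for NAME.
verify_host() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
    "$WORK/$2.crt" >/dev/null 2>&1
}

# Demo: two independent roots. A client that trusts only the "friends" root
# rejects anything the "homelab" root issued, and vice versa.
make_ca homelab
make_ca friends
issue_cert homelab nas.lan
verify_chain homelab nas.lan && echo "nas.lan: accepted with homelab root"
verify_chain friends nas.lan || echo "nas.lan: rejected with friends root"
verify_host homelab nas.lan printer.lan || echo "nas.lan cert is not valid for printer.lan"
```

On the client side the only thing to distribute is `homelab.crt`, added to the trust store of the browsers and devices that should accept it; that is the "list with your 3 closest friends" from the thread made concrete. Keep `homelab.key` offline or on a box with nothing else on it, since whoever holds it can mint a certificate for any name those clients will believe.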