Hello all, I'm looking for a second set of eyes before I potentially screw up all my self-hosted services. I'll be the first to admit I'm not an IT expert and am getting a wee bit lost in all of the reading I've been doing, so please go easy on me.
I'm currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following Wolfgang's instructions, with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate, which is far more than I'm willing to pay for my little self-hosting hobby.
Fundamentally I believe I need to point my domain to new nameservers which provide support for 'Let's Encrypt'. If there were a vendor that offered that as a service, I think I could leave the domain with Bluehost and simply point the nameservers elsewhere. I "think" Cloudflare offers this, but it's the only one and I've heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?
The other option I see, which seems more broadly supported, is to transfer my domain from Bluehost to another vendor. Does anyone have suggestions? I've struggled to see the renewal costs when looking at these transfers.
Before fully borking my setup, I would appreciate some input on whether I'm on the right track or not. Thank you!
- Ugh, I hate it when tools to "simplify" an already relatively simple process actually oversimplify it to the point of making it horribly complex to work around their "simplification". A few points I'd like to answer from your post:
  - Nginx-Proxy-Manager is dumb for, as far as I can see, not allowing you to follow the standardized method of answering challenges that supports any DNS provider, and instead only seems to allow its "magic simplified process" that only works with select DNS providers.
  - https://dns.he.net/ is a nice free DNS service that you could use for your "keep domain at Bluehost but use DNS servers elsewhere" strategy, and this is a totally valid and reasonable configuration. However, it apparently won't help with Nginx-Proxy-Manager due to the above stupidity.
  - This leaves your only DNS hosting service option as Cloudflare, as you correctly identified. This is a fine option, but you know what they say about free services, especially when they've got big for-profit companies behind them: if you're not paying for the product, then you ARE the product. So beware of becoming vendor-locked and enshittified when they inevitably decide to try to monetize you somehow (if they're not already doing so behind the scenes).
  - Yes, you can transfer your domain to a supported provider. This is kind of a "nuclear option" to get it to work with some shitty web UI like Nginx-Proxy-Manager just because they're too lazy to support actual standards or play nice with manual configurations, but it's a straightforward, albeit a little bit slow, process (can take several days for things to switch over).
  - There is no "renewal cost" for transferring a domain other than having to pay for 1 year minimum of the new provider's normal annual registration costs. This gets added to your existing expiry, generally speaking, or your old time gets refunded, so either way you're not losing anything. However, things can get complex if you've only recently registered or renewed it, for example.
  - If you're very happy with Bluehost and want to stay there (I have no idea if they're any good, I'm not familiar with them, but I will say charging $90 for an SSL certificate seems a bit absurd) then Cloudflare is probably the path of least resistance.
  - If you don't mind transferring your domain and waiting for that process, that's also a good approach.
  - But personally, I would drop Nginx-Proxy-Manager like a hot potato and work your way through setting up something like Caddy instead, doing mostly the same magic that NPM does (unfortunate acronym for anyone who's more familiar with Node Package Manager) but using a very open and flexible system, supporting plugins for different providers to support DNS challenges, for example.
  - One final option that I'm going to throw out there: if you intend on connecting your web server to the public internet anyway, and you're able to live without a wildcard certificate (this just means it has to create a different certificate for each subdomain you add, not a big deal when a program is already managing them for you in my opinion), then you can just forget about the DNS challenge altogether and use a regular HTTP challenge. Again, fully standards compliant. Doesn't matter what DNS or web server you're using. As long as it has an internet connection so it can talk to the encryption certificate server and verify that it is who it says it is, you're good to go, no need for DNS keys and such. Frankly I find the HTTP method just as simple if not simpler in most cases. Again, they're oversimplifying to the point of making it more complex.
  - My problem with Cloudflare is as you intimated: they're tracking everything because they act as a man-in-the-middle.
    - Eff Cloudflare, I do everything I can to keep my traffic away from them.
    - Only if you enable their proxy on a DNS record, or use their tunnel feature. Otherwise it's just DNS with no access to your traffic.
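To make the difference between the two challenge types discussed above concrete, here is an added Python example (not code from this thread, and not from Nginx-Proxy-Manager, Caddy or certbot) that computes what each challenge requires you to publish, following RFC 8555: the HTTP-01 key authorization served at /.well-known/acme-challenge/<token>, and the DNS-01 TXT value placed at _acme-challenge.<domain>. It also shows why only DNS-01 can cover a wildcard: the `*.` label is simply dropped when forming the TXT owner name. The account-key JWK, its coordinates and the token are constructed placeholders, not real key material.

```python
"""Compute what an ACME client must publish for HTTP-01 and DNS-01 challenges (RFC 8555)."""
import base64
import hashlib
import json

# Constructed account-key JWK: the x/y values are placeholders, not a real P-256 point.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "https://ca.example/acme/acct/1",  # extra member: must NOT affect the thumbprint
}
# Constructed challenge token (in real life the CA issues this in the challenge object).
SAMPLE_TOKEN = "constructed-token-ABCdef123"

# RFC 7638: only the required public members are hashed, in lexicographic order.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of a public JWK: SHA-256 over the canonical JSON of required members."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in _THUMBPRINT_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    canonical = json.dumps(
        {m: jwk[m] for m in _THUMBPRINT_MEMBERS[kty]},
        sort_keys=True,
        separators=(",", ":"),  # no whitespace, as RFC 7638 requires
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01 (s8.3): the path the CA fetches over plain HTTP on port 80 and the exact body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01 (s8.4): TXT owner name and value, base64url(SHA-256(keyAuthorization))."""
    base = domain.rstrip(".")
    if base.startswith("*."):
        base = base[2:]  # a wildcard is validated at the parent name
    ka = key_authorization(token, jwk).encode("ascii")
    return f"_acme-challenge.{base}", b64url(hashlib.sha256(ka).digest())


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"HTTP-01: serve {body!r} at http://homebox.example{path}")
    name, value = dns01_record("*.homebox.example", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'DNS-01:  {name}. IN TXT "{value}"')
```

The thumbprint deliberately ignores `kid` and any member order in the JWK, which is why an ACME client and the CA agree on it without exchanging anything beyond the public key. Note that HTTP-01 needs port 80 reachable from the internet for the CA's check, which is the "as long as it has an internet connection" condition above; DNS-01 only needs the ability to write a TXT record.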
 
 
- AFAIU Bluehost does not support the ACME protocol, so you'll either have to manage your certificate manually or (recommended!) move to a different DNS registrar.
  - If you are wondering which provider you should switch to, basically all the serious ones will work… IDK if this is relevant for nginx, but here's a list of the supported ones for the client I use: https://go-acme.github.io/lego/dns/
  - If you are unsure and want to experiment before touching your current setup, you could register a new cheap domain (less than $1, see https://tld-list.com/), use it for your tests, and then not renew it.
- This is 100% not the advice you are looking for, but if you don't need the service to have a domain I would consider just using Tailscale. It's pretty damn good.
  - My internal network is blocked off from the internet and I'm not actually planning to enable Tailscale for VPN in (my understanding of its purpose). This is really just so I can use subdomains like 'homebox.mydomain.space' to access and get a registered SSL certificate to switch all internal over. I'm not using the DuckDNS that Wolfgang did because I already registered a good custom domain that I use for my e-mail.
    - What do you mean by blocked off?
    - If you are using it purely for internal use I would look into setting up a private CA with ACME.
 
 
- A few things:
  - Move your name server to a public DNS service that has an API, like Linode Domains or Route53.
  - Set your public A/AAAA to parked.
  - Set up an internal DNS server and configure devices to use it via DHCP.
  - Set up Caddy with the DNS plugin for ACME. This will allow you to get certs locally without exposing anything.
  - There is little reason for companies to pay for certs, let alone individuals. Use Let's Encrypt as it is easy and free.
- Cloudflare is fine for DNS hosting and the control panel is well made and easy to use compared to a lot of other services; they have no access to your traffic or anything unless you specifically use their proxy features.
  - Add the domain to Cloudflare, change the nameservers in Bluehost, and you should be all set to use Let's Encrypt via the API.
  - You could also transfer the domain to Cloudflare.
- Doesn't certbot with the nginx plugin on the host just work?
  - If you are talking about the steps where Wolfgang adds a Let's Encrypt cert, Bluehost is not a recognized DNS provider. If you are talking about something else, could you provide some additional detail please?
  - Edit: Just found this, will read more on it as I think it relates to your question. https://eamonnsullivan.co.uk/posts-output/ssl-setup/2024-04-01-setting-up-ssl-for-my-local-apps/
  - I prefer the Arch wiki as a source: https://wiki.archlinux.org/title/Certbot#Nginx
  - Not with Bluehost.
 
- If you're after a wildcard certificate I can recommend OVH for both domain registrar and DNS hosting; they have an API to allow certbot to get both single-domain and wildcard certs.
  - I use OVH for DNS, VPS and dedicated server.
- I just self-host my own DNS server. Works like a charm. Setting up DNSSEC was a tad fiddly tho. Long story short:
  - Set up Knot, teach it to serve your zone
  - Test via resolving names in your server (dig can use a specific server)
  - Disable DNSSEC
  - Tell your registrar to "use my own DNS server"
  - Generate the DNSSEC keys, upload only the pubkey to the registrar, re-enable
  - Doesn't that break DNS64?
    - I'm fortunate to get native IPv6, so I'm not very familiar, tho I think I have a basic understanding.
    - Did you mean you need to pick just one of {authoritative DNS server, DNS64} to listen on port 53? No, because the authoritative DNS only needs to be accessible from the outside. Run it on another machine or a nonstandard port, then expose it via port forwarding. Machines in the LAN don't need direct access to the authoritative DNS server; they can just as well resolve via the regular system.
    - DNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only.
    - I believe that DNSSEC breaks it since the IP addresses will be different.
      - Oh, now I see. I guess then the DNS64 server needs to do the DNSSEC verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.
      - Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.
  - What is the security benefit of DNSSEC?
    - It made more sense when everything was HTTP; now that HTTPS is the norm it is less useful as far as I can tell.
    - How could a hijacked DNS entry harm you?
      - redirect to ads/spam
      - downgrade to HTTP (no HSTS), then steal creds
      - MitM the TOFU of SSH
      - probably something more…
    - You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.
    - You can't easily man-in-the-middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don't take this the wrong way, but this feels like a dated way of thinking. I think in the future it will be way less of a problem since HTTP and other unencrypted/unauthenticated protocols are on their death bed.
    - I do appreciate the response, but it is important to keep in mind tech changes rapidly. I personally don't care for DNSSEC as it breaks the TCP/IP model. The layers should be independent to allow for maximum flexibility.
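The "upload only the pubkey to the registrar" step in the Knot procedure above is, in practice, handing the registrar a DS record derived from the KSK's DNSKEY: that DS in the parent zone is the link in the chain of trust that lets validating resolvers trust your zone's keys. This added Python example (not from this thread, and not Knot's own key-management tooling, which can print the DS for you) shows how the DS is derived per RFC 4034 and RFC 4509: the key tag from the DNSKEY RDATA and a SHA-256 digest over the canonical owner name plus that RDATA. The DNSKEY line and the 64 key bytes are constructed, not a real ECDSA key, and the helper names (`ds_from_dnskey_line` and the rest) are this example's own.

```python
"""Derive the DS record a registrar needs from a zone's KSK DNSKEY (RFC 4034, RFC 4509)."""
import base64
import hashlib
import struct

# Constructed key material: 64 bytes that are NOT a real ECDSA P-256 public key.
SAMPLE_PUBLIC_KEY = bytes(range(64))
# Constructed DNSKEY in presentation format, as `dig DNSKEY` or a key manager would print it.
SAMPLE_DNSKEY_LINE = (
    "example.org. 3600 IN DNSKEY 257 3 13 "
    + base64.b64encode(SAMPLE_PUBLIC_KEY).decode("ascii")
)

FLAG_ZONE = 0x0100  # this DNSKEY is a zone key
FLAG_SEP = 0x0001   # secure entry point: the KSK the parent's DS should point at (256 + 1 = 257)


def is_ksk(flags: int) -> bool:
    """A KSK carries both the ZONE and SEP flags; a ZSK carries only ZONE (256)."""
    return flags & (FLAG_ZONE | FLAG_SEP) == (FLAG_ZONE | FLAG_SEP)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in once.

    The tag only helps a resolver pick the right key from an RRset; it is not a security check.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes) -> str:
    """Build the DS RR (digest type 2, SHA-256) that the parent zone publishes for this DNSKEY."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    if not flags & FLAG_ZONE:
        raise ValueError("not a zone key; the registrar's DS must point at the KSK")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    # Digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 s5.1.4).
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def ds_from_dnskey_line(line: str) -> str:
    """Parse a DNSKEY RR in presentation format (owner [TTL] [class] DNSKEY flags proto alg key...)."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1 : i + 4])
    public_key = base64.b64decode("".join(fields[i + 4 :]))  # key may be split across fields
    return ds_record(fields[0], flags, protocol, algorithm, public_key)


if __name__ == "__main__":
    print(SAMPLE_DNSKEY_LINE)
    print(ds_from_dnskey_line(SAMPLE_DNSKEY_LINE))
```

Once the DS is in the parent zone (that is, once the registrar has it), `dig +dnssec` against a validating resolver should return the AD flag for your names; when you later roll the KSK, the DS must be replaced before the old key is removed, which is the fiddly part the comment alludes to.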
- Appreciate everyone's help. What I ended up doing was moving to Porkbun as I (a) saved money with some of the WHOIS privacy items, (b) got free SSL certificates, and (c) it worked with the automated certbot tie-in with Nginx-Proxy-Manager. I did confirm I could manually load certs into Nginx but have very limited time at the moment and this seemed like a straightforward path.
  - Certainly the proposals for self-hosted DNS servers are interesting and something I may experiment with in the future, but time's limited at the moment. Now I'm just working out why Jellyfin and Photoprism work perfectly but homebox doesn't want to work with the domain name. Another round of learning begins!