Today, I attempted to add a certificate to my router in order to eliminate the annoying warning indicating that the site is unsafe due to a missing certificate. Although it didn't bother me much, I decided to enhance the security since I have exposed ports externally.
Firstly, I consulted this resource as a starting point. Unfortunately, it didn't provide much information. Then, I experimented with the acme script, but I didn't achieve any results. Next, I explored uHTTPd, but it didn't seem to meet my requirements.
What turned out to be helpful for me is the ability to add certificates for running Docker containers using Nginx Proxy Manager. Here are some examples:
In essence, the idea is simple: install Nginx Proxy Manager, add a certificate with Let's Encrypt, add the running Docker container as a host, connect it to the same Docker network, and you're done. It should only take around 5 minutes to set up. However, in my case, it didn't work as expected. The container always lacks the correct certificate authority (CA). While my DDNS points to my public IP, accessing the correct service requires adding a specific port. Nevertheless, it functions flawlessly within my local network and even outside the internet.
I'm wondering if anyone has experience with this approach and can offer any insights or solutions.
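The setup described in the post above, written out as an added example (this is not the poster's own setup, nor Nginx Proxy Manager's documentation). It assumes a shared Docker network called `edge`, an app container `myapp` built from an image `myapp-image:latest` that listens on 8080, and that the router forwards only TCP 80 and 443 to the Docker host: 80 is what Let's Encrypt's HTTP-01 challenge needs to reach, and 443 is where NPM terminates TLS and routes by hostname to the container name. In the NPM UI you then add a proxy host for the DDNS name forwarding to `myapp` port 8080 and request the certificate there. The app container itself publishes no ports; the `audit_published_ports` function is an added check that reads `docker ps` output and flags any non-proxy container that does, which is the usual reason a service ends up only reachable through a bare port.

```shell
#!/bin/sh
# Added example, not from the thread: Nginx Proxy Manager in front of an app
# container on a shared Docker network, plus an audit that only the proxy
# publishes host ports. Network "edge", container "myapp", port 8080 and the
# image name are assumptions for this illustration.
set -eu

NET=edge
NPM_IMAGE=jc21/nginx-proxy-manager:latest
APP=myapp
APP_IMAGE=myapp-image:latest

setup_stack() {
    docker network inspect "$NET" >/dev/null 2>&1 || docker network create "$NET"
    # Only NPM publishes host ports: 80/443 for traffic, 81 for the admin UI.
    # 81 is bound to loopback so it never reaches the WAN side.
    docker run -d --name npm --network "$NET" \
        -p 80:80 -p 443:443 -p 127.0.0.1:81:81 \
        -v npm_data:/data -v npm_le:/etc/letsencrypt \
        "$NPM_IMAGE"
    # The app joins the same network and publishes nothing. NPM reaches it as
    # http://myapp:8080 by container name via Docker's embedded DNS.
    docker run -d --name "$APP" --network "$NET" "$APP_IMAGE"
}

# Audit: stdin is the output of
#   docker ps --format '{{.Names}} {{.Ports}}'
# $1 is the proxy container's name. Published ports show as
# "0.0.0.0:8080->8080/tcp"; an exposed-but-unpublished port is just "8080/tcp".
# Prints the name of every non-proxy container that publishes a port and
# returns 1 if any were found, 0 otherwise.
audit_published_ports() {
    awk -v proxy="$1" '
        $1 != proxy && $0 ~ /->/ { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Usage: ./npm-stack.sh up              (creates the network and containers)
#        docker ps --format '{{.Names}} {{.Ports}}' | ./npm-stack.sh audit
case "${1:-}" in
    up)    setup_stack ;;
    audit) audit_published_ports npm ;;
esac
```

If the audit prints your app container, remove its `-p` mappings and close the matching forward on the router; with NPM in front, external clients should only ever see 443.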
While I did dabble in acme a few years ago, I stopped chasing after it quite quickly - just accept the self-signed cert once and forget about it (at least in Firefox). At least for routers, acme is imho not the brightest idea:
you need access most when internet connectivity is not available
few plastic routers have a battery backed RTC, so no real idea of time in the absence of internet connectivity
acme depends (HTTP-01 challenge) on opening the webserver running on the router to the open internet (albeit ideally only shortly), which is... not a soothing thought
it does magic stuff at elevated access rights (input sanitation!)
it totally fails in the typical NAT situation with multiple systems needing a certificate (don't tell me to scp/rsync it back and forth…)
in my testing a few years ago, it was fragile in practice
the DNS-01 challenge claims to improve some of these concerns, but its practical implementation is totally bollocks: giving an embedded infrastructure device the access credentials to your DNS registrar..!? Most registrars don't offer API keys restricted to 'just' changing zone info; the same key can register/delete domains, or at least add/modify/remove DNS records willy-nilly.
and at least a few years back, the actual implementation for OpenWrt was rather fragile
insert ranting about common browsers making it needlessly hard/scary here
tl;dr: my advice would be, don't - stick to self-signed certificates and tell your browser to stick it.
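The self-signed route the reply recommends, as an added example that is not part of either post. It mints a certificate whose Subject Alternative Name carries both the router's hostname and its LAN IP (browsers ignore a bare CN, so this is what makes the one-time exception stick for either URL form) and then points OpenWrt's uhttpd at it through the real `uhttpd.main.cert`, `uhttpd.main.key` and `uhttpd.main.redirect_https` UCI options. The hostname `router.lan`, the address `192.168.1.1`, the 10-year lifetime and the `/tmp/router` output prefix are assumptions; the `install` step must run on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed cert with proper SANs for a
# router's web UI, installed into OpenWrt's uhttpd. Hostname, IP, lifetime
# and paths are assumptions for this illustration.
set -eu

make_router_cert() {
    # $1 = router hostname, $2 = LAN IP, $3 = output prefix (writes .key/.crt)
    host=$1; ip=$2; out=$3
    # P-256 key, SHA-256 signature, SAN with both the DNS name and the IP.
    # -addext needs OpenSSL 1.1.1 or newer.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 3650 -sha256 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null
    chmod 600 "$out.key"
}

cert_has_san() {
    # $1 = cert path, $2 = SAN entry as openssl prints it,
    # e.g. "DNS:router.lan" or "IP Address:192.168.1.1"
    openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

install_into_uhttpd() {
    # $1 = output prefix from make_router_cert. Uses uhttpd's stock paths and
    # options and redirects plain HTTP to HTTPS so the UI is never served in clear.
    cp "$1.crt" /etc/uhttpd.crt
    cp "$1.key" /etc/uhttpd.key
    chmod 600 /etc/uhttpd.key
    uci set uhttpd.main.cert='/etc/uhttpd.crt'
    uci set uhttpd.main.key='/etc/uhttpd.key'
    uci set uhttpd.main.redirect_https='1'
    uci commit uhttpd
    /etc/init.d/uhttpd restart
}

# Usage on the router:
#   ROUTER_HOST=router.lan ROUTER_IP=192.168.1.1 sh ./router-cert.sh install
if [ "${1:-}" = "install" ]; then
    make_router_cert "${ROUTER_HOST:-router.lan}" "${ROUTER_IP:-192.168.1.1}" /tmp/router
    install_into_uhttpd /tmp/router
fi
```

After the restart, accept the certificate once in the browser; because the SAN matches the name you actually type, Firefox's stored exception survives until the certificate changes. Keep the `.key` off backups you share, and note that this does nothing for the WAN side: the router's web UI should still not be reachable from the internet at all.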