🪄 Get a Real Certificate Without Buying a Domain

:locked_with_key: Free Trusted Certs for EVERYTHING You Own

Public sites, private 192.168 boxes, wildcards, routers, no-domain machines. All free, all auto-renewing.

verified · linux · homelab



Why care: browsers and apps now break on plain HTTP. The green :locked: stops the “Not Secure” nag on your NAS/Proxmox/cameras — free, forever. The trick nobody spells out: prove ownership with a DNS record, not an open port, and you can cert boxes the internet can’t even reach.


πŸ•³οΈ The one switch that certs unreachable boxes

Port-80 validation (HTTP-01) dies behind NAT. DNS-01 = drop a _acme-challenge TXT record instead → box never exposed, and it’s the only way Let’s Encrypt will issue a wildcard (*.example.com = one cert, every subdomain).

certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cf.ini \
  -d "*.home.example.com" -d home.example.com

:light_bulb: Scope the API token to DNS edit on that one zone only. Leak = attacker can edit that zone’s records (and so pass DNS-01 for it), but can’t touch the box.
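Why the certbot line above asks for both `*.home.example.com` and `home.example.com`, and why the “one *.home wildcard covers every service” claim later in the post has a limit: browsers apply the RFC 6125 / RFC 9525 wildcard rules, where `*` stands in for exactly one label and never matches the parent name. Added example (not code from the post or from certbot); the SAN lists are constructed to mirror the two `-d` variants, not captured from a real issuance.

```python
"""Check which hostnames a certificate's SAN list actually covers.

Implements the wildcard rules browsers apply (RFC 6125 / RFC 9525):
a wildcard may only be the whole leftmost label, it matches exactly one
label, and it never matches the parent name itself.  All inputs below
are constructed for illustration.
"""


def _name_matches(san: str, hostname: str) -> bool:
    """True if a single SAN entry (possibly a wildcard) covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname          # plain dNSName: exact match only
    san_labels = san.split(".")[1:]     # labels after the '*'
    host_labels = hostname.split(".")
    # '*' stands in for exactly one label, so the label counts must line
    # up and the host's leftmost label must be non-empty.
    return (len(host_labels) == len(san_labels) + 1
            and host_labels[0] != ""
            and host_labels[1:] == san_labels)


def covered_by(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(_name_matches(san, hostname) for san in sans)


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames you expect this cert to serve that it will NOT serve."""
    return [h for h in hostnames if not covered_by(sans, h)]


# Constructed SAN sets: wildcard alone vs. wildcard plus the parent name,
# i.e. the two '-d' variants of the certbot command in this post.
WILDCARD_ONLY = ["*.home.example.com"]
WILDCARD_PLUS_PARENT = ["*.home.example.com", "home.example.com"]

if __name__ == "__main__":
    wanted = ["nas.home.example.com", "home.example.com",
              "cam1.garage.home.example.com"]
    print("wildcard only misses:", uncovered(WILDCARD_ONLY, wanted))
    # -> ['home.example.com', 'cam1.garage.home.example.com']
    print("wildcard + parent misses:", uncovered(WILDCARD_PLUS_PARENT, wanted))
    # -> ['cam1.garage.home.example.com']
```

A second-level name such as cam1.garage.home.example.com needs its own SAN (or a `*.garage.home.example.com` wildcard); one wildcard never reaches two labels deep.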

🧨 Lighter than Certbot — one client per job

Tool       For                              Link
acme.sh    Shell, no Python, wildcards      git
Caddy      Web server that certs itself     site
uacme      Routers / OpenWRT / embedded     git
win-acme   Windows / IIS .exe               git
lego       One Go binary, 100+ DNS APIs     git

acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
acme.sh --install-cert -d example.com \
  --fullchain-file /etc/nginx/ssl/full.pem --key-file /etc/nginx/ssl/key.pem \
  --reloadcmd "systemctl reload nginx"

:light_bulb: Full client list: acmeclients.com.

🪄 Real cert, no domain bought

Tailscale → real LE cert on *.ts.net: sudo tailscale cert nas.tailnet.ts.net (docs).
DuckDNS → free subdomain that does DNS-01, so you get a public wildcard:

acme.sh --issue --dns dns_duckdns -d you.duckdns.org -d '*.you.duckdns.org'

🏠 Your own Let's Encrypt for the LAN

step-ca runs a private ACME server → internal boxes auto-renew from your CA, offline, any hostname. Trust once: step certificate install root_ca.crt.
Instant lab certs, zero config → mkcert:

mkcert -install
mkcert nas.home "*.home" localhost 127.0.0.1

:light_bulb: Guard rootCA-key.pem — it can sign anything.

πŸŽ›οΈ 5-line HTTPS that renews itself

Caddy, whole public site:

example.com { reverse_proxy localhost:3000 }

Internal box, real HTTPS, no warning: add tls internal. sudo caddy trust installs its root. Staples OCSP by default.

πŸ•΅οΈ DNS-01 without keys living on the box

acme-dns = tiny DNS server that only answers _acme-challenge. Box holds creds for one TXT record, nothing else (EFF-endorsed). Set once:

_acme-challenge.example.com  CNAME  <id>.auth.example.org

:light_bulb: Trust nobody? Self-host via RFC2136/nsupdate to your own BIND — acme.sh dns_nsupdate.

🚪 Port 80 blocked + old-device fixes

acme.sh --issue --alpn -d example.com                       # 443-only (TLS-ALPN-01)
certbot certonly --preferred-chain "ISRG Root X1" -d ex.com  # works on old Android
certbot certonly --must-staple -d example.com                # revoked = fails closed

🔓 Free-CA menu + lock the door

ZeroSSL · Buypass Go (longer validity) · Google Trust Services · Cloudflare Origin CA (15-year, but only trusted by Cloudflare’s own edge, not by browsers). Lock who can issue:

example.com.  CAA  0 issue "letsencrypt.org"

:light_bulb: A wildcard shows up in Certificate Transparency logs as *.example.com — internal names never leak into public logs.

πŸ‘οΈ Watch every cert on earth (recon + defense)

Point lookup: https://crt.sh/?q=example.com. Live firehose: CertStream + phishing_catcher pings you the second someone certs a lookalike of your domain. Audit your own TLS: testssl.sh.

🩹 Classic nginx path + the stuff that bites

certbot --nginx --test-cert -d bchicbcow.com -d www.bchicbcow.com \
  --agree-tos --email [email protected] --redirect   # practice, no limit
certbot --nginx -d bchicbcow.com -d www.bchicbcow.com \
  --agree-tos --email [email protected] --redirect   # real (drop --test-cert)
certbot renew --dry-run    # catch renewal breakage today, not on day 89

:light_bulb: LE limits: a few dozen certs/domain/week. That’s why staging + alt CAs exist.


💥 Where this actually saves you
  • NAS / Proxmox / camera screaming “Not Secure” → real padlock, box never exposed.
  • One *.home wildcard → covers every service you’ll ever add. No re-issue.
  • A Pi or router with no domain → tailscale cert / DuckDNS certs it in seconds.
  • Someone registers yourbank-login.com → CertStream pings you before their scam goes live.
  • ISP blocks port 80 → TLS-ALPN-01 gets it on 443 alone.

:high_voltage: Quick Hits

Job                                     Grab
:globe_with_meridians: Public site      dead simple Caddy
:house: Internal box                    DNS-01 / step-ca
:key: Keys off the box                  acme-dns
:magic_wand: No domain                  tailscale cert / DuckDNS
:pager: Router / embedded               uacme
:eye: Cert recon                        CertStream · crt.sh

A locked port is a wall; a DNS record is a key you already hold.
