On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ?

interdimensionalmeme@lemmy.ml · 2 months ago

On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ?

cmnybo@discuss.tchncs.de · 2 months ago

You can get rid of the certificate errors by adding your CA to Firefox. Just make sure you keep the private key secure.

Set browser.fixup.fallback-to-https to false to stop Firefox from trying https if http doesn’t work.

Pup Biru@aussie.zone · 2 months ago

worth repeating the KEEP YOUR PRIVATE KEY SECURE part if you’re trusting a root - if you trust a root, it may be able to issue a TRUSTED cert for other domains - mybank.com, etc and leave you open to attack

sugar_in_your_tea@sh.itjust.works · 2 months ago

But honestly, you shouldn’t need to do this, you can just use LetsEncrypt to get a real cert. Here’s what I do:

route external traffic to your devices - I use a VPS w/ a VPN because I’m behind CGNAT, but if you have a publicly routable address, you can probably just use your router
configure LetsEncrypt for your services
configure the DNS your router provides to swap the public IP (i.e. the one for your VPS if you have it) to your LAN address, and have all of your devices use that DNS name

Boom, you get all the benefits of a proper TLS setup, along with all of the benefits of local traffic. You can even turn off external access to the services between cert renewals.