Back to Blog

SSL Certificates for Homelab: Let's Encrypt Automation Guide

Secure your homelab services with free SSL certificates from Let's Encrypt. Complete guide to automatic certificate generation and renewal.

Posted by

SSL certificate padlock security

Why SSL Matters for Homelab

Modern browsers treat HTTP as insecure, and for good reason. Without SSL, data travels in plain text - passwords, personal information, everything can be intercepted.

Let's Encrypt provides free SSL certificates with automatic renewal. Here's how to implement it properly in your homelab.

Understanding the Challenge Types

Let's Encrypt needs to verify you control your domain. There are two common methods:

HTTP-01 Challenge

  • Requires port 80 open to the internet
  • Let's Encrypt requests a file from your server
  • Simpler setup, works for most cases

DNS-01 Challenge

  • No open ports required
  • Creates a DNS TXT record to prove ownership
  • Works for wildcard certificates
  • Perfect for internal-only services

Method 1: Traefik (Recommended)

Traefik handles SSL automatically with minimal configuration:

# docker-compose.yml
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`test.yourdomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"

Method 2: Nginx Proxy Manager

For a GUI-based approach, Nginx Proxy Manager makes SSL simple:

services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    ports:
      - "80:80"
      - "443:443"
      - "81:81"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    restart: unless-stopped

Access the admin panel on port 81, add your proxy hosts, and check the "Request a new SSL Certificate" box. It handles everything automatically.

Method 3: DNS Challenge with Cloudflare

For internal services or when you can't open ports, use DNS challenge:

services:
  traefik:
    image: traefik:v3.0
    environment:
      - [email protected]
      - CF_API_KEY=your_cloudflare_api_key
    command:
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "[email protected]"
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"

Wildcard Certificates

Wildcard certificates (*.yourdomain.com) cover all subdomains with a single certificate:

  • Requires DNS-01 challenge (HTTP-01 doesn't support wildcards)
  • One certificate for nextcloud.domain.com, plex.domain.com, etc.
  • Simpler management, fewer renewal operations

Certificate Renewal

Let's Encrypt certificates expire after 90 days. All the tools mentioned handle automatic renewal:

  • Traefik checks daily and renews when needed
  • Nginx Proxy Manager has built-in renewal
  • Certbot (standalone) can be scheduled with cron

Monitor your certificates to catch any renewal failures early!

Secure by Default

With Let's Encrypt automation, there's no excuse for unencrypted services. Every homelab service should have SSL - it's free, automatic, and essential for security.

Continue Reading