Many servers, many Raspberry Pis, many ports

My domain is: lubel.me

My web server is (include version):

Name           : nginx
Version        : 1.29.1-1.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 2.5 MiB
Installed      : Yes
Status         : up-to-date
Source package : nginx-1.29.1-1.1.src

The operating system my web server runs on is (include version):
Linux tranquility 6.17.0-2-default #1 SMP PREEMPT_DYNAMIC Thu Oct 2 08:12:40 UTC 2025 (190326b) x86_64 x86_64 x86_64 GNU/Linux

My dns provider is: 123reg.co.uk

I'm self-hosting.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version): certbot 5.0.0

I have used port-forwarding rules, so that URLs with ports 80 or 443 get forwarded to the PC running an NGINX web browser. All good (with great help from @MikeMcQ & @griffin in Setup server for ACME certificate request).

On my home network, I have the following servers (on two Raspberry Pis)

  1. Lyrion music server (ex Logitech Media Server)
  2. OwnCloud
  3. NodeRed
  4. Mosquitto
  5. Home Assistant

What are the principles for securing distributed servers, so I can access/control them from outside my network while keeping them secure? Can I exploit the Letsencrypt certificate that I got for my webserver or does each require a new, different cert?

Is this question really that specific that you can't continue in Setup server for ACME certificate request?

1 Like

And if Letsencrypt is all about https, how can it handle other ports (for port forwarding or different protocols)?

Past experience on forums led me to think I'd be told off for stretching the original question tooooo far, so I plumped for a new topic. I figured this was more about exploiting the certificate, rather than getting the certificate.

Well, then I find your certbot run with error messages and such a little bit confusing :wink: (And yes, I realise that's the generic questionnaire, but with good arguments, one can always deviate from the regular path.)

1 Like

A certificate conventionally covers domain names (and/or ip addresses), not services, so unless each service has its own domain/ip, they can all use the same cert. I would think your nginx would handle the certificate termination via the reverse proxy it is serving as.

2 Likes

Ah, my bad. I lazily copied the data from my other enquiry. Well spotted. Not sure I can edit the original post, but I'll try to fix that.

Aha! The reverse proxy facility. I'd read about it, but know nothing about that. Seems more reading is called for. Any good links you know of, to get me started?

Maybe start with the official nginx docs and tutorials?

3 Likes

Sorry @Osiris, I can't see a way to edit the post. Perhaps as a Community leader you have the ability to right my wrong. Very sorry.

I'm on it.

2 Likes

As a thought, you could use your Linux PC as your reverse-proxy server, which could serve as your public access point that acquires, maintains, and serves your public cert(s) then forwards traffic from that PC to your private servers, which would not even require HTTPS since they're inside your LAN. This would have your firewall forwarding public traffic for your servers to your PC.

2 Likes
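One way to turn the reverse-proxy idea above into a configuration (an added example, not from the thread or any poster): nginx on the public PC terminates TLS with the one Let's Encrypt cert and forwards plain HTTP to the Pis inside the LAN. Hostnames, LAN addresses, backend ports and the assumption that the cert was issued for every name used are all made up for illustration.

```nginx
# Minimal nginx.conf for the setup discussed above (added example; all names/addresses assumed)
events {}

http {
    # One certificate covering every hostname below (assumption: issued with one -d per name)
    ssl_certificate     /etc/letsencrypt/live/lubel.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lubel.me/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Headers every backend gets: real client address, scheme, and WebSocket upgrade when asked for
    map $http_upgrade $connection_upgrade { default upgrade; '' close; }
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    server {                      # port 80 only redirects; ACME http-01 follows the redirect
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    server {                      # Home Assistant (uses WebSockets; it must trust this proxy's IP)
        listen 443 ssl;
        server_name ha.lubel.me;
        location / { proxy_pass http://192.168.1.20:8123; }   # plain HTTP inside the LAN
    }

    server {                      # Lyrion music server
        listen 443 ssl;
        server_name music.lubel.me;
        location / { proxy_pass http://192.168.1.20:9000; }
    }

    server {                      # Node-RED is an admin UI: LAN only, reach it remotely via VPN
        listen 443 ssl;
        server_name nodered.lubel.me;
        allow 192.168.1.0/24;     # assumed LAN range
        deny  all;
        location / { proxy_pass http://192.168.1.21:1880; }
    }
}

stream {                          # non-HTTP service: same cert wraps MQTT in TLS on the public side
    server {
        listen 8883 ssl;
        ssl_certificate     /etc/letsencrypt/live/lubel.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lubel.me/privkey.pem;
        proxy_pass 192.168.1.21:1883;   # Mosquitto listening without TLS inside the LAN
    }
}
```

Check with `nginx -t` before reloading; the `stream` block needs nginx built with the stream module, which the openSUSE package normally provides.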

With regards to security and accessing things remotely:

  • https (http over TLS) secures your conversation, but your services are still public if everyone can access them so they're not really "secure" in that sense.

  • consider things like tailscale or alternatives for actually secure remote access. These run a private vpn you can enable on your phone etc so you can access the servers but nobody else can. I use this for home assistant, otherwise someone could open my garage door, empty my house and drive my car away "lol". [edit: also these services often implement tls termination for you, so they handle the certs]

4 Likes