Frightfully sorry for the super basic Q--I'm just trying to figure out if it makes sense for me to start up the (steep for me) learning curve here.
My goal is to run a vaultwarden instance on my local network. I've installed that as an 'app' on a truenas server & it refuses to work over plain http. I (today anyway) have NO ambition to expose this thing to the larger internet. Is LE useful for getting a cert my app can use for that, just inside my home network? Are there easier ways?
You have at least three options:
- Use the dns-01 challenge, which requires changing publicly resolvable (accessible) TXT records for your domain. This is the preferred method for generating trusted certificates for private servers.
- Use a private certificate authority; this is best for a server which must be isolated from the internet, however this has additional risks and requires setting up all clients.
- Have http://<domain>/.well-known/acme-challenge be publicly accessible (possibly with a different IP address). This either requires additional routing/access control or a split-horizon DNS setup and isn't typically used.
Probably not, primarily for the reason that Let's Encrypt only issues certs for public domain names or public IP addresses. A secondary issue is that Let's Encrypt certs are valid for a relatively short period of time and thus need to be renewed several times per year.
If you have or are willing to get a public domain, you could then easily put your Vaultwarden instance behind a reverse proxy like Nginx Proxy Manager. That can then handle obtaining and renewing the cert for you. I have a guide for that here:
On a public facing webserver which you own, you could add the following:
Apache2:

<Location "/.well-known/acme-challenge/">
    RewriteEngine On
    RewriteRule "\/([-_a-zA-Z0-9]+)$" "\/$1" [E=challenge:$1]
    ErrorDocument 200 "%{ENV:challenge}.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    RewriteRule ^ - [L,R=200]
</Location>
or for NGINX:

location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
    default_type text/plain;
    return 200 "$1.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
}
where XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is the JWK thumbprint of your account's public key.
Then your internal vaultwarden server and ACME client do not need to be reachable from the outside, and the ACME client does not need to write the challenge anywhere (so you can put webroot = /dev/null).
To make sure the certificate is valid despite the wrong domain name, add an entry in your local DNS resolver or /etc/hosts so that the domain name of the public webserver resolves to the internal 192.168.x.x address, but only for clients on the "inside" of the LAN.
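The stateless configs above work because the body an ACME validator expects for http-01 is fully determined by the challenge token in the URL plus the account key's JWK thumbprint (RFC 7638); the dns-01 option from the first answer hashes that same key authorization into the `_acme-challenge` TXT record (RFC 8555 section 8). The following Python script is an added example, not code from this thread or from any ACME client; it derives the thumbprint, the http-01 response body, and the dns-01 TXT value from a constructed sample JWK, so the `n`, `x` and `y` values and the token are made up and a real account key must be exported from your own ACME client instead.

```python
import base64
import hashlib
import json
import re

# Constructed sample account keys (public parts only). These are NOT real keys;
# replace them with the JWK of your own ACME account key.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "uC2W8xS_constructed_sample_modulus_not_a_real_key_0123456789ABC",
    "kid": "https://acme.example.invalid/acct/1",  # extra member, ignored by the thumbprint
}
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed_sample_x_coordinate_not_real",
    "y": "constructed_sample_y_coordinate_not_real",
}

# RFC 7638: only these members, in lexicographic order, feed the thumbprint.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
_TOKEN_RE = re.compile(r"^[-_a-zA-Z0-9]+$")  # same character class as the nginx/Apache rules
_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Serialise the required members with sorted keys and no whitespace (RFC 7638 section 3)."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """The value that replaces XXXX... in the stateless webserver configs."""
    return _b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(path: str, jwk: dict):
    """Body the public webserver must return for GET <path>, or None if the
    request is not a well-formed challenge URL (mirrors the regex in the configs)."""
    if not path.startswith(_CHALLENGE_PREFIX):
        return None
    token = path[len(_CHALLENGE_PREFIX):]
    if not _TOKEN_RE.match(token):  # rejects '..', '/', '.' and anything else odd
        return None
    return key_authorization(token, jwk)


def dns01_record_name(domain: str) -> str:
    """Name of the TXT record the dns-01 validator queries."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return _b64url(digest)


if __name__ == "__main__":
    token = "abc-DEF_123"  # constructed; the CA issues the real one per challenge
    print("thumbprint:", jwk_thumbprint(SAMPLE_RSA_JWK))
    print("http-01 body:", http01_response(_CHALLENGE_PREFIX + token, SAMPLE_RSA_JWK))
    print("dns-01:", dns01_record_name("vault.example.invalid"), "TXT",
          dns01_txt_value(token, SAMPLE_RSA_JWK))
```

Two things the script makes visible that the configs do not: the thumbprint depends only on the required key members (so `kid`, `alg` or `use` in your exported JWK do not change it), and the regex in both webserver snippets is what keeps a stateless responder from echoing arbitrary request paths, since a token can only contain base64url characters.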