this post was submitted on 27 Aug 2025
29 points (100.0% liked)

Selfhosted

51445 readers
368 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
29
Second set of eyes - DNS Nameservers (sh.itjust.works)
submitted 2 weeks ago by BingBong@sh.itjust.works to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments
 

Hello all, I'm looking for a second set of eyes before I potentially screw up all my self hosted services. I'll be the first to admit I'm not an IT expert and am getting a wee bit lost in all of the reading I've been doing so please go easy on me.

I'm currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I'm willing to pay for my little self-hosting hobby.

Fundamentally I believe I need to point my domain to new nameservers which provide support for 'Let's Encrypt'. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I "think" cloudflare offers this but its the only one and I've heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?

The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I've struggled to see the renewal costs when looking at these transfers.

Before fully borking my setup, would appreciate some input on if I'm on the right track or not. Thank you!

you are viewing a single comment's thread
view the rest of the comments
[–] cecilkorik@lemmy.ca 8 points 2 weeks ago (1 children)

Ugh, I hate it when tools to "simplify" an already relatively simple process actually oversimplify it to the point of making it horribly complex to work around their "simplification". A few points I'd like to answer from your post:

  • Nginx-Proxy-Manager is dumb for, as far as I can see, not allowing you to follow the standardized method of answering challenges that supports any DNS provider and instead only seems to allow its "magic simplified process" that only works with select DNS providers
  • https://dns.he.net/ is a nice free DNS service that you could use for your "keep domain at bluehost but use DNS servers elsewhere" strategy, and this is a totally valid and reasonable configuration -- however, it apparently won't help with Nginx-Proxy-Manager due to above stupidity
  • This leaves your only DNS hosting service option as Cloudflare, as you correctly identified. This is a fine option but you know what they say about free services especially when they've got big for-profit companies behind them, if you're not paying for the product, then you ARE the product, so beware of becoming vendor-locked and enshittified when they inevitably decide to try to monetize you somehow (if they're not already doing so behind the scenes).
  • Yes you can transfer your domain to a supported provider. This is kind of a "nuclear option" to get it to work with some shitty web-UI like Nginx-Proxy-Manager just because they're too lazy to support actual standards or play nice with manual configurations, but it's straightforward, albeit a little bit slow process (can take several days for things to switch over)
  • There is no "renewal cost" for transferring a domain other than having to pay for 1 year minimum of the new provider's normal annual registration costs. This gets added to your existing expiry, generally speaking, or your old time gets refunded, so either way you're not losing anything, however things can get complex if you've only recently registered or renewed it, for example

If you're very happy with Bluehost and want to stay there (I have no idea if they're any good I'm not familiar with them but I will say charging $90 for an SSL certificate seems a bit absurd) then Cloudflare is probably the path of least resistance.

If you don't mind transferring your domain and waiting for that process, that's also a good approach.

But personally, I would drop Nginx-Proxy-Manager like a hot potato and work your way through setting up something like Caddy instead, doing mostly the same magic that NPM does (unfortunate acronym for anyone who's more familiar with Node Package Manager) but using a very open and flexible system, supporting plugins for different providers to support DNS challenges for example

One final option that I'm going to throw out there, is if you intend on connecting your web server to the public internet anyway, and you're able to live without a wildcard DNS (this just means it has to create a different certificate for each subdomain you add, not a big deal when a program is already managing them for you in my opinion) then you can just forget about the DNS challenge altogether and use a regular HTTP challenge. Again, fully standards compliant. Doesn't matter what DNS or web server you're using. As long as it has an internet connection so it can talk to the encryption certificate server and verify that it is who it says it is, you're good to go, no need for DNS keys and such. Frankly I find the HTTP method just as simple if not simpler in most cases. Again, they're oversimplifying to the point of making it more complex.

[–] Onomatopoeia@lemmy.cafe 3 points 2 weeks ago (1 children)

My problem with Cloudflare is as you intimated - they're tracking everything because they as a man-in-the-middle.

Eff cloudflare, I do everything I can to keep my traffic away from them.

[–] MangoPenguin@lemmy.blahaj.zone 1 points 2 weeks ago

Only if you enable their proxy on a DNS record, or use their tunnel feature. Otherwise it's just DNS with no access to your traffic.