early_riser

Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.

Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.

UPDATE:

Here's what I ended up doing:

1. set up cloudflare as the DNS provider for my domain
2. use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
3. Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
4. Visit the websites and confirm that HTTPS works.

There are some other hiccups that I'm guessing aren't related to HTTPS. Per My earlier question about self hosting, I'm experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That's a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.

I've wanted to do this for a long time. My current ADHD hyperfixation is NodeBB, but I think my questions fit most anything that you want to be available to the general public and not just yourself and your friends.

Basically, I want to host a NodeBB instance intended for the general public out of my house. What are the risks of doing this? In particular, what are the risks of doling out a web address that points to my personal IP address? Is this even a good idea? Or should I just rent a VPS? This is 80% me wanting to improve my sysadmin skills, and 20% me wanting to create a community.

I have a DMZ in place. Hosts in the DMZ cannot reach the LAN, but LAN hosts can reach the DMZ. If necessary, I can make sure DMZ hosts can't communicate with each other.

I have synchronous 1 Gb fiber internet. Based on the user traffic of similar forums, I don't anticipate a crush of people.

I know the basics of how to set up a NodeBB instance, and I've successfully backed up and restored an instance on another machine.

I'm not 100% on things like HTTPS certs. I can paste a certbot command from a tutorial, that's it.

Anything else I should know? Thanks!

EDIT:

I also have a domain, a couple of them, actually. They're like potato chips; you can't stop at just one.

I don't plan on self-hosting email used for forum registration and announcements. I'm not a masochist.

EDIT for future readers:

I think for now I'm not going to self host anything I intend to be accessed by the public. While I pay the internet bill, my name is on the account, and I own all the equipment, I'm not the only member of this household, so it would be somewhat inconsiderate of me to share our bandwidth with public traffic. In general I think those warning against self-hosting resources one intends to be accessed by the general public are pretty sound.

I tried the Cloudflare tunnel suggestion, but it doesn't seem to play nice with NodeBB. I can access the forum, even over HTTPS, but I can't log in. Some quick googling leads me to believe it has something to do with web sockets. The first fix I found involves exposing my IP, which defeats the purpose of using a cloudflare tunnel. There may be a way around it, but I frankly can't be bothered.