August 18, 2025

Guide: Setting Up Local HTTPS Domains with a Wildcard Certificate

Some applications (for example, Vaultwarden) require HTTPS to function properly — even when they are only accessed on your local network.

Using Let’s Encrypt for this is often difficult because it requires opening ports to the outside world. A more practical alternative is to create your own Root Certificate Authority (CA) and issue a wildcard certificate.

This guide will walk you through how to set it up step by step.

1. Requirements

- Docker is installed and running.
- A local DNS server (e.g. AdGuard Home) configured as the primary DNS in your router.
- Nginx Proxy Manager (NPM) acting as a reverse proxy.
- (Optional) A domain purchased from a provider like IONOS, which often includes a wildcard certificate. If you use that, you can skip creating your own Root CA.

Example setup in my home network:

- AdGuard Home: 192.168.178.2
- Nginx Proxy Manager: 192.168.178.3
- Fritz!Box router: configured to use AdGuard Home as DNS server.

2. Creating a Root CA and Wildcard Certificate

Note: If you already purchased a wildcard certificate (e.g. from IONOS), you can skip this step.

2.1 Create a Root CA (one-time setup)

    # Generate private key for the Root CA
    openssl genrsa -out myCA.key 4096

    # Create a self-signed root certificate (valid for 30 years)
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"

Result: myCA.pem → This Root Certificate will need to be imported on all client devices later.

2.2 Create a Wildcard Certificate for *.home.lan

    # Private key
    openssl genrsa -out home.lan.key 2048

    # Certificate signing request (CSR)
    openssl req -new -key home.lan.key -out home.lan.csr -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"

SAN configuration (create file home.lan.ext):

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.home.lan
    DNS.2 = home.lan

Sign the certificate (valid for 10 years):

    openssl x509 -req -in home.lan.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out home.lan.crt -days 3650 -sha256 -extfile home.lan.ext

Resulting files:

- home.lan.crt → Wildcard certificate
- home.lan.key → Private key
- myCA.pem → Root CA

3. Import into AdGuard Home and Nginx Proxy Manager

3.1 Configure AdGuard Home (DNS rewrite)

In the AdGuard Home dashboard, go to Filters → DNS Rewrites → Add DNS Rewrite.

- Domain name: e.g. vaultwarden.home.lan.
- IP address: the internal IP of Nginx Proxy Manager (e.g. 192.168.178.3).

3.2 Configure Nginx Proxy Manager (certificate and proxy host)

In the NPM dashboard, go to SSL Certificates → Add SSL Certificate → Custom:

- Name: *.home.lan
- Certificate Key: upload home.lan.key
- Certificate: upload home.lan.crt
- Intermediate Certificate: upload myCA.pem

Then go to Proxy Hosts → Add Proxy Host:

- Domain Names: vaultwarden.home.lan
- Scheme: http
- Forward Hostname/IP: the Docker container IP (e.g. 192.168.178.60)
- Forward Port: the container’s port (e.g. 8080)
- Enable: Block Common Exploits and Websockets Support

Under the SSL tab, select your custom certificate and tick all checkboxes (except HSTS Subdomains).

Click Save → done.

4. Import the Root CA on Client Devices

Note: If you already purchased a wildcard certificate (e.g. from IONOS), you can skip this step.

For your browsers and devices to trust your certificates, you must import the Root CA (myCA.pem).

Windows

1. Copy myCA.pem to the Windows machine.
2. Double-click it → the Certificate Import Wizard will open.
3. Choose Local Machine (requires Administrator privileges).
4. Select Place all certificates in the following store → Trusted Root Certification Authorities.
5. Finish the wizard. Windows will now trust all certificates signed by your Root CA.

Linux

Process depends on the distribution:

Debian / Ubuntu:

1. Copy myCA.pem into /usr/local/share/ca-certificates/ (rename it with a .crt extension, e.g. myCA.crt).
2. Update the trust store:

    sudo update-ca-certificates

Red Hat / Fedora / CentOS:

1. Copy the file into /etc/pki/ca-trust/source/anchors/.
2. Update the trust store:

    sudo update-ca-trust

Chrome / Chromium-based browsers

Chrome and Edge use the system certificate store by default. After following the Windows/Linux steps above, they will trust the certificate automatically.

If you prefer to import it only in Chrome:

1. Open Chrome → Settings → Privacy and security → Security → Manage certificates.
2. Go to the Trusted Root Certification Authorities tab.
3. Click Import → select myCA.pem.

Chrome now trusts your local wildcard certificate.

5. Tips & Notes

- Avoid using .local domains! Some systems (e.g. Steam Deck) treat .local as reserved and won’t connect. Use .lan or .home instead.
- Certificates longer than 1 year can cause issues with some services — if so, generate shorter validity periods.
- Remote access: With a WireGuard VPN tunnel, you can also securely access your HTTPS services when away from home.
- Docker compatibility: Some containers require HTTPS to run — this setup solves that problem.

Conclusion

With this method, you can run local HTTPS domains with your own wildcard certificate — without exposing any ports to the internet.

It’s a safe and flexible solution, especially for self-hosted services like Vaultwarden, Nextcloud, or other Docker containers that require HTTPS.

Edited December 23, 2025 by Pixelz_Namikaze: Fix: Remove the backslash and run everything in one line
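An added example, not part of the guide or of the Unraid/NPM projects: a POSIX sh script that carries out section 2 in a scratch directory and then checks the output the way a client will once myCA.pem is trusted, including that the wildcard covers vaultwarden.home.lan but not a name with an extra label. The function names and the scratch directory are this example's own; the subject strings and extension file are the guide's.

```shell
#!/bin/sh
# Added example (not from the guide): runs section 2 of the guide in a scratch
# directory, then checks the result the way a client will after myCA.pem is
# imported. Function names and the scratch directory are this example's own.
set -eu
# Create myCA.key/myCA.pem and home.lan.key/home.lan.crt inside "$1".
build_pki() {
    dir="$1"
    # Root CA, self-signed for 30 years. Only myCA.pem is handed to clients; myCA.key stays offline.
    openssl genrsa -out "$dir/myCA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/myCA.key" -sha256 -days 10950 \
        -out "$dir/myCA.pem" -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"
    openssl genrsa -out "$dir/home.lan.key" 2048 2>/dev/null
    openssl req -new -key "$dir/home.lan.key" -out "$dir/home.lan.csr" \
        -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"
    # Names are matched against subjectAltName, not CN; CA:FALSE keeps the leaf from signing certs.
    cat > "$dir/home.lan.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.home.lan
DNS.2 = home.lan
EOF
    openssl x509 -req -in "$dir/home.lan.csr" -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" \
        -CAcreateserial -out "$dir/home.lan.crt" -days 3650 -sha256 \
        -extfile "$dir/home.lan.ext" 2>/dev/null
    chmod 600 "$dir/myCA.key" "$dir/home.lan.key"   # private keys stay owner-only
}

# Succeeds when home.lan.crt chains to myCA.pem and is valid for the host name "$2".
covers_name() {
    openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$2" "$1/home.lan.crt" >/dev/null 2>&1
}

# Prints "ok" when the leaf carries both SAN entries and is not itself a CA.
check_leaf() {
    san=$(openssl x509 -in "$1/home.lan.crt" -noout -ext subjectAltName)
    echo "$san" | grep -q 'DNS:\*\.home\.lan' || return 1
    echo "$san" | grep -q 'DNS:home\.lan' || return 1
    openssl x509 -in "$1/home.lan.crt" -noout -ext basicConstraints | grep -q 'CA:FALSE' || return 1
    echo ok
}

WORK="$(mktemp -d)"
build_pki "$WORK"
check_leaf "$WORK"
covers_name "$WORK" vaultwarden.home.lan && echo "vaultwarden.home.lan: covered"
covers_name "$WORK" a.b.home.lan || echo "a.b.home.lan: not covered (a wildcard matches one label)"
```

Run it on the machine where you create the certificates; the scratch directory it prints to is the one you copy home.lan.crt, home.lan.key and myCA.pem from for section 3.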
September 17, 2025

I have been working on setting this up but I have run into a problem. NGINX is on my custom docker network and AdGuard will not allow me to forward to an IP and Port #. So when I forward the request to my server IP I get the unraid home not forwarded onto the needed application. I could put NGINX on my br0 network but that would require a reconfiguration of all my IPs on my docker network since I am currently using host names. Do you have any suggestion for keeping NGINX on my docker network while still being able to forward the AdGuard DNS request for the container I am trying to hit?
December 16, 2025

THIS is exactly what I have been looking for going on weeks. Before I get too excited, will Pi-hole which I already have installed work instead of using AdGuard home?

Also, when you state Docker is installed and running, do you mean the Docker container from the Unraid Community apps? Not sure how Docker comes into play.

When I run the syntax

    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem \
        -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"

I keep getting req:Extra option "/". I get the same error running

    openssl req -new -key home.lan.key -out home.lan.csr \
        -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"

I googled for an answer, but nothing specific has come up.

Edited December 16, 2025 by RaidPC: add error message
December 23, 2025 (Author)

> On 12/16/2025 at 1:03 AM, RaidPC said:
> THIS is exactly what I have been looking for going on weeks. Before I get too excited, will Pi-hole which I already have installed work instead of using AdGuard home?
> Also, when you state Docker is installed and running, do you mean the Docker container from the Unraid Community apps? Not sure how Docker comes into play.
> When I run the syntax openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA" I keep getting req:Extra option "/".
> I get the same error running openssl req -new -key home.lan.key -out home.lan.csr \ -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=*.home.lan"
> I googled for an answer, but nothing specific has come up

It works completely fine for me using the Docker container from the Unraid Community Apps — there’s no need for any special setup. It also works perfectly with Pi-hole instead of AdGuard Home.

Regarding your second issue: Unraid, BusyBox, Alpine and some shells require one‑line commands.

Fix: Remove the backslash and run everything in one line:

    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 10950 -out myCA.pem -subj "/C=DE/ST=NRW/L=Home/O=PrivateCA/OU=IT/CN=Home Root CA"

That should prevent the req: Extra option "/" error.

I will adjust that in the guide, thank you for reporting the issue.

Edited December 23, 2025 by Pixelz_Namikaze