Unfortunately some apps require the certificate be bound to the internal application, and need to be done so through cli or other methods not easily automated. We could front load over reverse proxy but we would still need to take the proxy cert and bind to the internal service for communication to work properly. Thankfully that’s for my other team to figure out as I already have a migration plan for systems I manage.
They are going down to 200 day expiration in March 2026. You can still buy 5 year certificates today but you still need to reissue them in 365 day cadence.
I’m in the same boat here. I keep sounding the alarm and am making moves so that MY systems won’t be impacted, but it’s not holding water with the other people I work with and the systems they manage. I’m torn between manual intervention to get it started or just letting them deal with it themselves once we hit 45 day renewal periods.
While I agree for my personal use, it’s not so easy in an enterprise environment. I’m currently working to get services migrated OFF my servers that utilize public certificates to avoid the headache of manual intervention every 45 days.
While this is possible for servers and services I manage, it’s not so easy for other software stacks we have in our environment. Thankfully I don’t manage them, but I’m sure I’ll be pulled into them at some point or another to help figure out the best path forward.
The easy path is obviously a load balanced front-end to load the certificate, but many of these services are specialized and have very elaborate ways to bind certificates to services outside of IIS or Apache, which would need to trust the newly issued load balancer CA certificate every 47 days.
No wonder they are trying to suppress women’s ability to vote again. I’m fairly certain women outnumber men just given by a statistical outcome of X vs Y chromosome at birth. I’m not certain but there’s probably a statistical study somewhere out there that a left leaving woman married to a right leaning man will vote right due to proximity. I’ve seen the former example in real life many times over sadly.
Welcoming the incoming dowvotes for correcting your comment just like the many similar comments and posts I’ve seen on Reddit, but this is purely a configuration issue.
Transcoding on local network is allowed without a subscription. If you are running your own DNS server (like pihole or unbound) you need to configure an internal “plex.direct” record. You also need to uncheck an option to “treat your WAN IP as internal” option which corrects double NAT issues.
I have yet to see a need to move away from Plex. I paid for the cheap lifetime sub over a decade ago at this point and everyone I invite to my server has no complaints and has not had to pay Plex a dime. I don’t use their plex.tv proxy, I direct connect to my own IP and leave their remote proxy option off in the server and everything works great.
I will check out Jellyfin at some point if Plex makes things more difficult in time, but for now these articles are literally just rage bait in the homelab ecosystem. They enacted this back in April of 2025 already!
It’s always DNS
Yeah, both are on the list but kids take a lot of time away! We have a hefty life insurance policy right now at least. I know trust needs established for at least 5 years to be considered enforceable.
Yup. Our family grew 5 years ago so we needed a bigger house. Well, didn’t “need” but would have to remodel the old to accommodate. We were within our means before moving. Still are in the new house but budget is a lot tighter than it was in the bigger house. Didn’t realize until hindsight that “bigger house, bigger (more expensive) problems” would occur.
We could move again and make a good profit on the house now, but I see it as an asset for future income down the road, although as my parents and aquantisces parents age, I’m learning more and more that at least in the USA, they take everything you’ve worked for away from you once you can slave no more. I’m going to do my best to protect my assets for my family before it comes to that.
It does take quite a bit of upkeep, especially if you don’t use it frequently. I recently found my instance broke due to a bad addon, and then Authelia also broke because NC decided thier OIDC addon is not supported on the latest v32. I was able to re-enable without issue, but still flagged as unsupported.
Sounds like I’m talking myself into Immich already haha.
The issue for me is that Nextcloud has these features as well with App add-ons. I have yet to try Immich because what’s more important for me is the actual backup\upload of my photos than actually browsing them. Maybe someday, but my self hosting initiatives typically involve me chasing a shiny red ball of a deployment, and Immich just isn’t shiny enough for me yet.
Just buy a domain for 10-20 a year and host a dynamic IP updater internally. Just another layer to self hosting and getting off cloud services entirely.
At least you can still program those remotes though. Mine is still going strong after many years.
This is the one I went with along with a supermicro server board. The company has been great as I’ve already needed replacement rack screws and a new control board due to my own foolishness. They shipped me replacements at no charge very promptly.
Same recommendation here. I went through two QNAP units before being fed up and building my own 12 Bay for about 1200. My first QNAP died shortly after the 3 year warranty expired and the second died shortly before. I was able to RMA the second and sell it to recoup some money towards building my own TrueNAS system that I can now fix myself and not rely on proprietary anything.
Yeah, now think of how many 1x1 pieces there are in here that adds to piece count. As I’ve built a few more sets recently, the amount of 1x1 is rediculous given they could use 2x1 or 3x1 in many situations I’ve seen their usage in. And it’s in almost every single set.
I was a little unfair in my post towards Proxmox. It really is a great solution and I can’t really complain, but it sucks in comparison to ESX where many “custom” items are still hidden in the cli or custom configuration items,. Many of these things are available in the GUI in ESX which is a pretty rough translation for some that have worked in ESX for many years like myself. ESX isn’t without it’s CLI moments but they are rarely ever needed, and if needed only for drastic measures.
The UI is not very intuitive and really looks quite dated too. ESX, Nutanix and XCP-NG have much better interfaces imo, and if Proxmox could throw some of that extra money they’ve earned from the VMware exodus in their UI it would be worthwhile.
Again, I shouldn’t complain but as I get older there’s not much “tinkering” time anymore, and the less time I have to sift through forum posts or official documentation on why something isn’t working as intended, the more easily frustrated I get.
Don’t go Podman. When I started years ago I installed Fedora with the “containerization” option. This installs podman, not docker as I’m sure most know. I did not.
Podman works great for the most part, but it’s slight differences from docker will have you fighting tooth and nail for certain services to work correctly. And not many (if any at all) have any documentation on getting their containers working with Podman of they don’t start. If you make a GitHub issue asking why or how to get things running in Podman because their docker stack doesn’t work flawlessly like it will in docker, good luck getting help (Mailcow comes to mind specifically here).
Looking back, this decision really shoehorned some very fundamental ideals about containers in my mind, but it was a long fought road I would not choose again. The knowledge I gained about containers with docker would have come soon enough on the easy road.
And yes, you can install Docker on Fedora, but I was much too far down the Podman track before finding out. My environment has changed drastically as of late and most things have been migrated to docker apps in Truenas now, living directly next to their storage as intended (the arr stacks really take a performance hit running their databases over NFS once you have a lot of media for example).
Quick note about Proxmox after coming from ESX myself - it sucks compared to ESX. I’ve tried to move away from it and Nutanix was the closest I could find to ESX, but after my server started complaining it’s drives were not compatible I jumped ship to avoid any write damage to them. I’m downsizing my lab now, I have proxmox running in 3 small NUCs with CEPH storage share and it’s working pretty good. Would love to run ESX or Nutanix instead, but they require a loaf of bread in resource requirements where proxmox only needs a slice of bread in comparison.
Easily the 90s when Clinton wiped the USA debt away to a clean slate, and Bush immediately made it worse with Iraq in his next term. I’m speaking loosley, but assume that’s when this all started based on your question.
One such app I can think of would be a client side issue. If the public cert doesnt match the back end private cert it will sever the connection and mark it as insecure. Hopefully I won’t need to deal with it much longer though.
I just heard back from my other team that “this project sounds great for your team” even though they manage many of their own apps and certificates. Perhaps I should just let them burn then!