• BCsven@lemmy.ca · 30 upvotes · 2 days ago

    Yep, now we have the 2038 year coming for Linux. It already got me, I didn’t want to renew my home NAS certificate every year, so I thought I’d do a 30 year cert. Well after 2038 it rolled the date to the 1960s…

    • dan@upvote.au · 13 upvotes · edited 2 days ago

      Debian is ready - as of Debian Trixie (released in August 2025), all software in the official repo is being compiled with 64-bit time. https://wiki.debian.org/ReleaseGoals/64bit-time

      For your home NAS, I’d recommend using Let’s Encrypt with Certbot. You can use it for internal systems, as long as you have a real domain name. Use DNS verification instead of HTTP.

      • groet@feddit.org · 5 upvotes · 2 days ago

        Many people (me included) like the appeal of a self signed cert in a small homelab. You basically get certificate pinning for free after you trust the cert on all clients.

        With your idea, you either have to list a local IP in your public DNS record, or hijack your local DNS to point to the local IP. Both feel inelegant. And you have to give your NAS write access to your API key of your DNS registrar.

        • dan@upvote.au · 2 upvotes · edited 2 days ago

          > With your idea, you either have to list a local IP in your public DNS record, or hijack your local DNS to point to the local IP. Both feel inelegant

          The DNS records for your internal servers don’t have to be public - they can be only on an internal DNS server if you want to do that. Only the _acme-challenge subdomain has to be public. Let’s Encrypt does follow CNAMEs.

          > And you have to give your NAS write access to your API key of your DNS registrar

          You can use a separate DNS server just for Let’s Encrypt, as it follows CNAMEs. I use acme-dns for this. Let’s Encrypt supports IPv6-only DNS servers so I have my acme-dns instance listening on an IPv6 address in the /64 range on one of my VPSes.
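
The CNAME delegation described in the comment above, as an added example that is not part of the thread: it computes the DNS-01 TXT value defined in RFC 8555 section 8.4 and follows the `_acme-challenge` CNAME to a separate zone the way the validator's resolver would. All host names, the token and the account thumbprint are constructed placeholders, and the two dictionaries stand in for the public zone and the acme-dns zone.

```python
import base64
import hashlib

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token "." thumbprint)), without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def resolve_txt(name, records, max_hops=8):
    """Follow CNAMEs starting at `name`; return (final owner name, TXT values)."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        target = records.get((name, "CNAME"))
        if target is None:
            return name, records.get((name, "TXT"), [])
        name = target[0]
    raise ValueError("CNAME chain too long")

def public_exposure(public_zone, internal_host):
    """Record types the public zone publishes for the internal host itself."""
    return sorted(rtype for (owner, rtype) in public_zone if owner == internal_host)

# Constructed sample data (assumptions, not values from the thread).
TOKEN = "constructed-token-0001"
THUMBPRINT = "constructed-account-key-thumbprint"
HOST = "nas.home.example.com."                  # resolved only by internal DNS
DELEGATE = "0f3a9c1e.acme-dns.example.net."     # name served by the separate DNS server

# The public zone holds one record: the challenge CNAME. No A/AAAA for the NAS.
PUBLIC_ZONE = {("_acme-challenge." + HOST, "CNAME"): [DELEGATE]}
# The ACME client on the NAS only ever writes this TXT record.
ACME_DNS_ZONE = {(DELEGATE, "TXT"): [dns01_txt_value(TOKEN, THUMBPRINT)]}

def validate(host=HOST):
    """Return (name that answered, whether the expected TXT value was found)."""
    view = {**PUBLIC_ZONE, **ACME_DNS_ZONE}
    owner, txts = resolve_txt("_acme-challenge." + host, view)
    return owner, dns01_txt_value(TOKEN, THUMBPRINT) in txts

if __name__ == "__main__":
    print("validation:", validate())
    print("public records for the NAS itself:", public_exposure(PUBLIC_ZONE, HOST))
```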

      • MSBBritain@lemmy.world · 2 upvotes · 2 days ago

        +1 to Let’s Encrypt and Certbot, but pro tip: remember to actually set up Certbot, or your friends will laugh at you when your systems all break 6 months later…

      • BCsven@lemmy.ca · 1 upvote · 2 days ago

        Sadly the 32-bit NAS is stuck at Wheezy, Jessie if you mess around, as the kernel is too big otherwise.

    • BarneyPiccolo@lemmy.today · 1 upvote · 2 days ago

      So when some Linux apostle is preaching how I need the salvation of Linux in my life, I’ll just tell them that I’m waiting for 2038, and then I’ll jump in AFTER the apocalypse.

      • BCsven@lemmy.ca · 3 upvotes · 2 days ago

        Join now lest ye not be saved. 😀 32-bit timekeeping is the issue; most systems are 64-bit now, so it’s just a logistics / implementation issue now, not a technology problem.