Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

8organicbits 206 points 52 comments March 27, 2026
owltec.ca

Discussion Highlights (14 comments)

lousken

why bother with tls, stick it on a separate vlan, lock down all the traffic

justin_oaks

I read a lot about people running things like Caddy which will automatically retrieve Let's Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt. For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has it permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system? Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

mdhowle

DNS-PERSIST-01 is coming soon https://letsencrypt.org/2026/02/18/dns-persist-01

captn3m0

I own a Brother printer and was curious how the upload worked. Apparently, it is just screenscraping the CSRF token[0], and submitting the cert upload form[1] in the printer's admin web interface. It needs the printer's admin credentials for the upload to work.

[0]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...
[1]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...

yawniek

Did a similar thing for Reolink cameras and MikroTik devices. Since I run a small k8s cluster I made it a k8s controller that picks up the certs. Works really nicely.

yegle

You should have used the `--deploy-hook` on certbot. I use this to copy the cert to Synology NAS and trigger a reload of the cert on the NAS. BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
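The deploy-hook pattern yegle describes, as an added example (not yegle's script and not from the article): a POSIX shell hook that certbot runs after a successful renewal. Certbot exports RENEWED_LINEAGE (the lineage directory under /etc/letsencrypt/live) and RENEWED_DOMAINS (space-separated names on the renewed cert) to the hook; the staging directory CERT_DEST, the script path and the device-specific upload step are my assumptions.

```shell
#!/bin/sh
# Added example, not yegle's script: a certbot --deploy-hook that stages a
# renewed certificate for a device-specific upload (NAS, printer, ...).
# Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to the hook.
# CERT_DEST and the hook path are assumptions of mine.
#
# Usage: certbot renew --deploy-hook /usr/local/bin/push-cert.sh

CERT_DEST="${CERT_DEST:-/var/lib/cert-push}"

# stage_renewed_cert <lineage-dir> <dest-dir> <domains>
# Copies fullchain.pem and privkey.pem into <dest-dir>/<lineage-name>/ with the
# private key created owner-readable only (no 0644-then-chmod window), and
# writes a "domains" marker so the upload step knows what changed.
# Returns 1 if the lineage does not contain both files.
stage_renewed_cert() {
    lineage="$1"; dest="$2"; domains="$3"
    name=$(basename "$lineage")
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    mkdir -p "$dest/$name"
    # restrictive umask in a subshell so the key lands as 0600 from the start
    ( umask 077 && cp "$lineage/privkey.pem" "$dest/$name/privkey.pem" ) || return 1
    cp "$lineage/fullchain.pem" "$dest/$name/fullchain.pem" || return 1
    chmod 0644 "$dest/$name/fullchain.pem"
    printf '%s\n' "$domains" > "$dest/$name/domains"
    return 0
}

# Entry point when certbot invokes this file as the hook.
if [ -n "$RENEWED_LINEAGE" ]; then
    stage_renewed_cert "$RENEWED_LINEAGE" "$CERT_DEST" "$RENEWED_DOMAINS" || exit 1
    # Device-specific upload goes here (e.g. the brother-cert tool the thread
    # mentions, or an scp/API call to a NAS); assumed, not shown.
fi
```

The hook only fires for lineages that actually renewed, so the upload step never re-pushes an unchanged cert; keeping the key copy at 0600 matters because the staging directory is typically read by a second tool running under another account.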

jijji

You could probably get away with just running nginx with certbot on the front end of that domain name and then have it proxy back to a script that talks to the Brother printer on the back end of it to do printing, although I'm not sure why you'd want to print via the public internet.

intsunny

Even before I clicked on the article, I had a strong feeling this person was using Cloudflare DNS and the related API. (They are.) Given the immense popularity of Cloudflare DNS + API + ACME DNS-01 challenge, why aren't other DNS providers stepping into this fray?

bob1029

ACME+LE is definitely the future. I've built some custom AspNetCore middleware that completely owns the entire thing. I tried win-acme and other clients but they aren't in the same room of convenience. All I need to provide is the desired hostname to the middleware and ensure traffic destined for that FQDN winds up at the server. HTTP-01 is used to verify, so I don't have to screw with anything other than an A record. If the hostname is null, it issues an IP address certificate instead using Amazon's public IP lookup service to derive the appropriate SAN. Certs are automatically refreshed when they are within 48 hours of expiration, and the actual swap is an X509Certificate2 reference being updated. It's about as trivial as it gets. None of the libraries/CLI tools I attempted support anything like this experience. This is what originally put me off the ecosystem and the idea of short-lived certificates. The automation can't just be "sufficient". It needs to be "fucking incredible". $12.95/yr is not that expensive to me if the alternative is getting sucked into hours and hours of someone else's idea of a good time.

sgt

For some reason I read "Brothel Printer". Would have been funny.

sigio

This got me to finally put effort into upgrading the firmware on my Brother printer, which was still running stock firmware. There was only a password entry, and that didn't let me access anything. After running Brother's updater in a VM, and sharing the USB device, I managed to upgrade the printer. However, still no login, and now I need to get it reconnected to my wifi, ugh. Try entering a long wifi password via the 1-line LCD and 2 buttons on the printer, what a nightmare. (No way to configure via USB.) Oh well, I still have a couple of days before I need to print a bunch of documents, so there goes the weekend ;)

gerdesj

I've spent quite some time on this stuff. acme.sh is my recommendation for Linux and anything else that runs a BASH or similar (pfSense has a glorious integration for it) and Simple ACME for Windows. Both support dynamic DNS with CNAME. Certbot doesn't support CNAME for DNS-01 or at least didn't. I was always a fan of Certbot when all I had was HTTP-style challenges available.

Set up a DNS server with a zone called (say) challenges.example.co.uk. You will need to own example.co.uk and add NS glue records for the sub zone. You'll need to sort out dynamic DNS too for that zone. Now you can create a CNAME record like:

_acme-challenge.mywebserver.mywebdomain.co.uk. CNAME _acme-challenge.challenges.example.co.uk

Now you configure your acme.sh or Simple ACME to put its challenge into challenges.example.co.uk - it will create a TXT record and things should work out. It is a lot easier, if you can, to run your own public DNS or subscribe to a DNS service that does everything for you.
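The CNAME delegation gerdesj describes, and the token-scoping concern justin_oaks raised earlier in the thread, as one added example (not gerdesj's setup and not from the article): a constructed record table holding the three pieces that must line up (the NS delegation of the challenges zone, the CNAME in the web server's zone, and the TXT in the delegated zone), plus a small resolver walk showing how a DNS-01 validator follows the CNAME to the TXT. Because the TXT lives in challenges.example.co.uk, the ACME client's update credential only needs write access to that zone, never to mywebdomain.co.uk. The zone and host names are the ones the comment uses; the token value, the hop limit and the acme.sh flags in the trailing comment are my assumptions.

```shell
#!/bin/sh
# Added example, not gerdesj's configuration: records for CNAME-delegated
# DNS-01 and the resolver walk a validator performs over them.

# Constructed records, one per line: "<owner> <type> <rdata>".
# NS + glue delegate the challenge zone; the CNAME lives in the web server's
# zone; the TXT is the only record the ACME client ever has to write.
RECORDS='
challenges.example.co.uk. NS ns1.example.co.uk.
ns1.example.co.uk. A 203.0.113.10
_acme-challenge.mywebserver.mywebdomain.co.uk. CNAME _acme-challenge.challenges.example.co.uk.
_acme-challenge.challenges.example.co.uk. TXT token-from-acme-client
'

# lookup <owner> <type>: prints the rdata of the matching record, exit 1 if none.
lookup() {
    printf '%s\n' "$RECORDS" |
        awk -v o="$1" -v t="$2" '$1 == o && $2 == t { print $3; found = 1 } END { exit !found }'
}

# resolve_txt <owner>: follow CNAMEs (at most 8 hops) until a TXT record is
# found and print its rdata; exit 1 on a dead end, loop or over-long chain.
# This is exactly the behaviour the ACME server's resolver relies on, which is
# why the validator reaches the delegated zone without the client touching
# mywebdomain.co.uk at all.
resolve_txt() {
    name="$1"; hops=0
    while [ "$hops" -lt 8 ]; do
        if txt=$(lookup "$name" TXT); then
            printf '%s\n' "$txt"
            return 0
        fi
        if target=$(lookup "$name" CNAME); then
            name="$target"; hops=$((hops + 1))
        else
            return 1      # no TXT and no CNAME: dead end
        fi
    done
    return 1              # CNAME loop or chain longer than 8 hops
}

# The acme.sh invocation that would write the TXT shown above (assumed flags;
# dns_nsupdate is acme.sh's RFC 2136 provider, --challenge-alias its CNAME mode):
#   acme.sh --issue -d mywebserver.mywebdomain.co.uk \
#       --dns dns_nsupdate --challenge-alias challenges.example.co.uk
```

The hop limit is the one piece of defensive logic worth keeping in a real checker: a CNAME that points back at itself (easy to create by hand when setting this up) would otherwise spin forever, and a validator that stops early is also why a long chain of delegations can silently fail.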

chka

This is the kind of absurd-but-useful thing I love about self-hosting. Next step: mTLS between the printer and the NAS.

whalesalad

This is a monumental amount of work for no gain at all. The self signed cert doesn’t mean the comms to the printer UI are insecure. It’s still https. Better yet that’s going through WireGuard encryption. If god forbid this printer was actually on the public internet this would make sense.
