Setting up NPM on Fedora 42 Server with SSL certificates

I’ve been working with Ubuntu server before and managed to get a basic setup running. Now I’m switching to Fedora server because I like its features better.

I’m trying to configure NPM (Nginx Proxy Manager) inside Podman containers. My goal is to serve applications over HTTPS but only for internal network access and my Tailnet users. I don’t need public internet access right now.

I have a Pi-hole setup that can handle local DNS pointing. The main challenge I’m facing is getting SSL certificates to work properly without browser warnings. I have my own domain name and can manage DNS records through Cloudflare if needed.

I’ve attempted different approaches including NPM with Let’s Encrypt and also tried the SWAG container. Nothing seems to work smoothly. My previous home server used direct Nginx with Let’s Encrypt on the host system and that worked fine.

Should I go back to host-based Nginx setup instead of containers? What’s the best approach for internal HTTPS with proper certificates? Any guidance would be helpful.

Honestly, I’d skip nginx/traefik and go with Caddy for internal stuff. It handles SSL automatically and it’s way simpler to configure than NPM. Works great with Cloudflare DNS challenges and Podman containers. Fedora’s SELinux won’t give you as much trouble either. Just make sure your Podman network allows DNS resolution and you’re good to go.

Stick with containers - don’t abandon that approach. You’re probably hitting certificate validation issues inside the container environment. I ran into the same thing moving from Ubuntu to Fedora with containerized reverse proxies. Since Cloudflare handles your domain, switch to DNS-01 challenge instead of HTTP-01. This works great for internal networks because validation happens through DNS records, not web server access. NPM has built-in support for Cloudflare DNS challenges via API tokens. Create a Cloudflare API token with Zone:Read and DNS:Edit permissions, then set NPM to DNS challenge mode. No need to expose external ports and it works perfectly with internal-only services. You’ll get properly signed Let’s Encrypt certificates that all browsers trust. Just make sure your Podman containers can resolve external DNS for the ACME challenge. I had to fix some Fedora firewall rules that were blocking container DNS resolution. Once I sorted that out, certificate generation became fully automated.

Containerized approach is definitely worth it, but try Traefik instead of NPM for this. I switched from NPM to Traefik on my Fedora setup and it handles internal SSL way better. Traefik auto-generates certificates for internal services and works better with Podman’s networking. Since you’ve got Cloudflare managing your domain, use Traefik’s automatic certificate resolver with Cloudflare’s DNS provider. Way more straightforward than NPM’s interface for DNS challenges. Watch out for SELinux on Fedora - it’ll mess with container certificate storage. Make sure your certificate volumes have proper SELinux context or you’ll get permission errors during cert generation. Also check that your Podman containers run in the same network namespace if they need to talk to each other. This setup’s been rock solid for my internal services through Tailscale.
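The DNS-01 setup the last two replies describe, written out as an added example that is not from any poster: a Traefik v3 static config using the Cloudflare DNS challenge resolver, started under Podman with SELinux-labelled volumes. The domain, contact e-mail, config directory and container name are assumptions; the Cloudflare token is read from the `CF_DNS_API_TOKEN` environment variable, which is the name Traefik's Cloudflare provider expects.

```shell
# Added example: Traefik v3 static config with the Cloudflare DNS-01 resolver,
# run under Podman on Fedora. Assumed values: example.com, the contact e-mail,
# $PWD/traefik as the config directory, and a token already in CF_DNS_API_TOKEN.
set -eu

CONF_DIR="${CONF_DIR:-$PWD/traefik}"

write_traefik_config() {
  mkdir -p "$CONF_DIR/letsencrypt"
  cat > "$CONF_DIR/traefik.yml" <<'EOF'
entryPoints:
  websecure:
    address: ":443"
certificatesResolvers:
  cloudflare:
    acme:
      email: admin@example.com          # assumed contact address
      storage: /letsencrypt/acme.json   # lives on the :Z-labelled volume below
      dnsChallenge:
        provider: cloudflare
        # Ask public resolvers, not Pi-hole, when checking the _acme-challenge TXT record
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
providers:
  docker:
    endpoint: "unix:///run/podman/podman.sock"
    exposedByDefault: false
EOF
  # Traefik refuses an acme.json that is readable by other users
  touch "$CONF_DIR/letsencrypt/acme.json"
  chmod 600 "$CONF_DIR/letsencrypt/acme.json"
}

run_traefik() {
  # :Z relabels each volume as container_file_t for this container only; this is
  # the SELinux fix for "permission denied" when Traefik writes acme.json.
  # Needs `systemctl enable --now podman.socket` on the host for the socket mount.
  podman run -d --name traefik \
    -p 443:443 \
    -e CF_DNS_API_TOKEN="$CF_DNS_API_TOKEN" \
    -v "$CONF_DIR/traefik.yml:/etc/traefik/traefik.yml:ro,Z" \
    -v "$CONF_DIR/letsencrypt:/letsencrypt:Z" \
    -v /run/podman/podman.sock:/run/podman/podman.sock:ro \
    docker.io/library/traefik:v3.0
}

write_traefik_config
# run_traefik   # run on the Fedora host after exporting CF_DNS_API_TOKEN
```

Services still need the usual Traefik router labels on their own containers (including `traefik.http.routers.<name>.tls.certresolver=cloudflare`) before a certificate is requested for them.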