There is one static webpage that I won't put HTTPS on: the dashboard of my pi.hole.
Though it's more of an architectural decision as it enables the DNS server to blackhole HTTPS more effectively (since it just gets a CONNREFUSED back).
Really, it's an exception to the rule and only because I can't ask my guests to install my pihole CA on their devices (many of which don't support that stuff anyway).
Well and there is that other website but the prime directive forbids that I mention it...
You can buy a domain name and do DNS auth. Requires no open ports and you'll get a trusted cert for that one Pi. I did it for mine (but with SNI verification).
Pi.hole, it's only local and there is a reason it doesn't open port 443 and only works on 80. On a local non-wireless LAN this is not a concern in my threat model.