Hi all, I’m currently running the following setup:
- registered domain .com
- Cloudflare
- A record for dynamic homelab IP (updated via pfSense)
- CNAME Alias entries for each service: …com
- pfSense
- domain: .com
- Let’s Encrypt wildcard certificate for *…com via ACME plugin
- HAProxy for mapping host names to services in my network and serving the LE certificate
- DNS Resolver host overrides for each …com entry for split DNS -> resolved to HAProxy
This has worked quite well for a couple of years now.
Clients (mostly me) see a Cloudflare certificate from outside the network (if CF proxy is active) or my own wildcard certificate from inside the network (or if CF proxy is disabled).
I’m currently preparing 3 new (virtualized) router/firewall installations in parallel: pfSense, OPNsense and Sophos.
Before I try to configure the new installations equally, I’d like to simplify my current setup. One small inconvenience is the number of places I have to add a new service to:
- Cloudflare CNAME Alias (optional, only for public availability)
- HAProxy backend (unavoidable)
- HAProxy frontend ACLs
- HAProxy frontend actions
- DNS Resolver host override
I’ve thought about using a wildcard override in the local DNS resolver in order to route all my service hostnames to HAProxy instead of listing each entry separately.
However, if I did this, all local host names would also be resolved to the same IP address, which is obviously not what I want.
Therefore I thought about changing my local domain to either .home.arpa or .lan.
Then I could resolve all *…com requests to HAProxy without influencing the host name resolution for my local machines.
Now I’ve tried to read up on *.home.arpa and similar local domain names and came across many people saying that it’s not possible to get a Let’s Encrypt certificate if you’re not using a ‘real’ domain. Now I’m unsure and I don’t feel like I really know what I’m doing anymore.
Is my situation different or does this limitation really apply in my case?
Do you have any comments? Would my setup still work if I changed the local domain to .home.arpa? Is there an alternative way to simplify my setup that you can think of?
Thanks in advance!
TL/DR: can I use ACME to get a wildcard certificate for *…com which will be served by HAProxy, even if my local domain is not .com?
You must log in or register to comment.
You need to provide proof of ownership of a domain in order for letsencrypt to issue the cert which is done via either an HTTP challenge where the domain in question resolves to a real HTTP server that has the challenge data available on it, or a DNS challenge where letsencrypt can see a TXT challenge record put there for the job.
I assume that I’m currently using the DNS challenge approach. The ACME plugin takes care of this by using my account information and API keys.
[ Removed by Reddit ]