Hi all, I’m currently running the following setup:

  • registered domain .com
  • Cloudflare
    • A record for dynamic homelab IP (updated via pfSense)
    • CNAME Alias entries for each service: …com
  • pfSense
    • domain: .com
    • Let’s Encrypt wildcard certificate for *…com via ACME plugin
    • HAProxy for mapping host names to services in my network and serving the LE certificate
    • DNS Resolver host overrides for each …com entry for split DNS -> resolved to HAProxy

This has worked quite well for a couple of years now.
Clients (mostly me) see a Cloudflare certificate from outside the network (if CF proxy is active) or my own wildcard certificate from inside the network (or if CF proxy is disabled).

I’m currently preparing 3 new (virtualized) router/firewall installations in parallel: pfSense, OPNsense and Sophos.
Before I try to configure the new installations equally, I’d like to simplify my current setup. One small inconvenience is the number of places I have to add a new service to:

  • Cloudflare CNAME Alias (optional, only for public availability)
  • HAProxy backend (unavoidable)
  • HAProxy frontend ACLs
  • HAProxy frontend actions
  • DNS Resolver host override

I’ve thought about using a wildcard override in the local DNS resolver in order to route all my service hostnames to HAProxy instead of listing each entry separately.
However, if I did this, all local host names would also be resolved to the same IP address, which is obviously not what I want.

Therefore I thought about changing my local domain to either .home.arpa or .lan.
Then I could resolve all *…com requests to HAProxy without influencing the host name resolution for my local machines.

Now I’ve tried to read up on *.home.arpa and similar local domain names and came across many people saying that it’s not possible to get a Let’s Encrypt certificate if you’re not using a ‘real’ domain. Now I’m unsure and I don’t feel like I really know what I’m doing anymore.
Is my situation different or does this limitation really apply in my case?
Do you have any comments? Would my setup still work if I changed the local domain to .home.arpa? Is there an alternative way to simplify my setup that you can think of?

Thanks in advance!

TL/DR: can I use ACME to get a wildcard certificate for *…com which will be served by HAProxy, even if my local domain is not .com?

  • SomethingAboutUsersB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You need to provide proof of ownership of a domain in order for letsencrypt to issue the cert which is done via either an HTTP challenge where the domain in question resolves to a real HTTP server that has the challenge data available on it, or a DNS challenge where letsencrypt can see a TXT challenge record put there for the job.

    • pprobaOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I assume that I’m currently using the DNS challenge approach. The ACME plugin takes care of this by using my account information and API keys.