by xfer 600 days ago
Or use a wildcard cert for all internal certs.
3 comments

This is exactly what I do. After seeing how much of my internal network was exposed in certificate transparency logs, I noped out and just do a DNS challenge for a wildcard for almost everything.

Now I have a nice script that distributes my key automatically to 20 or so hosts and apps, and I have a real SSL cert on everything from my UDM Pro to my Synology to random Raspberry Pis running containers. Most of them have domain names that only resolve on my local network.

This is made possible by a fairly robust DNS setup that consists of not only giving A records to all my hosts automatically, but also adding in CNAMEs for services and blocking almost all outbound DNS, DNS over TLS, DoH, etc.
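One practical check behind a setup like the one described above is deciding which internal names a single wildcard certificate actually covers before the distribution script pushes it out. The following is an added example, not the commenter's script: it implements the RFC 6125 wildcard rules (the `*` must be the entire left-most label, it matches exactly one label, and it never matches the bare apex) and sorts a constructed host inventory into names the wildcard covers and names that would need their own certificate, which is exactly what ends up visible in certificate transparency logs. The hostnames and the `*.home.example` SAN are constructed for the example.

```python
import re

# Constructed inventory of internal hostnames (assumption: plain ASCII labels).
INTERNAL_HOSTS = [
    "udm.home.example",
    "nas.home.example",
    "pi-1.home.example",
    "grafana.apps.home.example",   # two labels below the wildcard: NOT covered
    "home.example",                # the bare apex: NOT covered by *.home.example
    "printer.office.example",      # different zone: NOT covered
]

# Constructed SAN list of the wildcard certificate.
WILDCARD_SAN = ["*.home.example"]

# A valid DNS label: alphanumerics and interior hyphens, 1..63 characters.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching of a certificate name against a hostname.

    '*' is only accepted as the whole left-most label and matches exactly one
    label, so '*.home.example' covers 'nas.home.example' but neither
    'home.example' nor 'grafana.apps.home.example'. Partial wildcards such as
    'f*.home.example' and wildcards directly under a TLD ('*.example') are
    rejected, matching what browsers and TLS libraries enforce.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:              # refuse '*.tld'
            return False
        if not _LABEL.match(h_labels[0]):  # the replaced label must be a real label
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:                     # no partial or non-leading wildcards
        return False
    return p_labels == h_labels


def plan_coverage(hosts, sans):
    """Split hosts into (covered, uncovered) relative to the certificate's SANs.

    Anything in 'uncovered' would need its own certificate, and a publicly
    trusted one would publish that hostname to CT logs.
    """
    covered, uncovered = [], []
    for host in hosts:
        if any(hostname_matches(san, host) for san in sans):
            covered.append(host)
        else:
            uncovered.append(host)
    return covered, uncovered


if __name__ == "__main__":
    ok, missing = plan_coverage(INTERNAL_HOSTS, WILDCARD_SAN)
    print("covered by wildcard:", ok)
    print("need their own cert:", missing)
```

The names left in the "uncovered" list are the ones worth re-homing under the wildcard zone (or putting on a CNAME inside it, as the comment above does for services) rather than issuing per-host certificates for them.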

> fairly robust DNS setup that consists of not only giving A records to all my hosts

Looks nice, can you give more details on this? Thanks!

That could be a good idea, though it means that the certificate/key has to be well guarded.
Please don't. Technical debt accumulates by force of practice.
It's working well for me. My technical debt is to always make sure that I'm able to renew a certificate and that the distribution occurs successfully.

I don't see how other solutions are less problematic.