Best practice - one IP but few servers


I’m hosting few servers at home and I’ve only one IP (dhcp-dynamic).

My setup looks like that:

WAN
 |
pfSense
 |
Proxmox
 |
Webserver | NextCloud | Blog | CDN | Backupserver

So, what’s the common way to equip all services with certificates?

I would like to setup SSL certs on:

Webserver, NextCloud, Blog, CDN and on the Backupserver

All Servers running on Proxmox as a VM.

Thanks in advance!


What are the hostnames of the websites?

Is it one domain (e.g. subdomain1~3.domain.tld) or is it using dyn's domain?

Thank you

The hostnames are:

I'm using my own domain (.ch)

Then you can use a wildcard certificate.

You can follow this guide to use or certbot to obtain a TLS certificate:

Hm… Is that not only for the Proxmox PVE?
I would like to add the certificates to the VM’s on Proxmox.
I don’t need a certificate for the PVE.

Maybe my question is a bit unclear.
How can I install certs on my hosts and update them automatically when I have only one WAN IP and my network is protected by a pfSense?

I can set up the certs manually by setting up firewall rules temporarily, but I don't want to do that every 3 months for every server. Yes, it takes just 10 minutes per server, but I don't want to do that. There must be a way to automate that.

By the way, my setup isn't public.

Maybe I'm looking for something like an SSL proxy or something?
But I’ve no idea what’s best practice in this situation.

Are those hosts accessible from the outside? Do you want them to be? If the answers are "no" and "no", you have a couple of basic options: (1) get the certs on your pfSense box, and script a way to deploy them to your other hosts; (2) install a suitable client on each of the other hosts, and use DNS validation to get the certificate; (3) get a wildcard cert on any one of the systems (the pfSense box, the Proxmox host, or any of the other machines), and copy it to each of the other hosts. I'm doing #2 on my home network.

Since all of your services are on the same physical machine, you can set up your Webserver to get certificates and handle TLS for them, treating those services as backends. For Apache you would use the "ProxyPass" directive, and for Nginx you would use the "proxy_pass" directive. You would then run an ACME client on your Webserver VM to renew and install certificates periodically. That ACME client should support DNS challenges in order to work behind your firewall.
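As an added illustration of the reverse-proxy layout described in this reply (not configuration posted in the thread), here is an Nginx site that terminates TLS with one wildcard certificate obtained via a DNS-01 challenge and forwards each hostname to its VM. The domain example.ch, the backend addresses and the certificate name are constructed placeholders.

```nginx
# Added example: the Webserver VM holds *.example.ch (wildcard, DNS-01) and
# terminates TLS; the other VMs are reached over plain HTTP on the LAN.
# Backend addresses are constructed placeholders for the Proxmox VMs.
map $host $backend {
    nextcloud.example.ch  10.0.10.11:80;
    blog.example.ch       10.0.10.12:80;
    cdn.example.ch        10.0.10.13:80;
    backup.example.ch     10.0.10.14:8080;
    default               127.0.0.1:8080;   # local site on the Webserver VM
}

# Port 80 only redirects; nothing is served in clear text.
server {
    listen 80;
    server_name .example.ch;                # example.ch and all subdomains
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name .example.ch;

    # Paths certbot writes for a certificate lineage named "example.ch";
    # renewal: certbot renew --deploy-hook "systemctl reload nginx"
    ssl_certificate     /etc/letsencrypt/live/example.ch/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.ch/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://$backend;
        # Pass the original host and client details so the backends can
        # build correct URLs and log the real client address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The backends never see the certificate, so only the Webserver VM needs the ACME client and the DNS API credentials; the hop from proxy to VM is unencrypted LAN traffic, which is acceptable only if that network is trusted.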

Solution 2 sounds good, but is it practicable? How do you renew your certs? Manually? Or are you using a special certbot with API support for I would like to know more about your solution!

Hm… That sounds good, but it will probably be a lot of work and I'm not a "Pro". That sounds like it will consume all my time to get into. Or is there a tutorial for dummies?

I'm using neither certbot nor I use in this application, and Cloudflare for my DNS. But it looks like supports the API:

Wow, that sounds good!
Thank you for your help!
