Help Creating an ACME certificate for internal DNS over TLS

Creating an ACME certificate for internal DNS over TLS in pfSense. Which method do I choose, as depicted in the attached screenshot? Any other suggestions would be helpful.

My domain is: myvmlab.net

I ran this command: pfSense 2.7.2

It produced this output: don't know yet

My web server is (include version): internal pfSense

The operating system my web server runs on is (include version): pfSense

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pfSense ACME

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): pfSense ACME



Hello @mrvmlab, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please see:

1 Like

This is not a case of wanting a certificate for localhost. This is a certificate for use with DoT, although I am not sure why an existing certificate cannot be used or why the challenge is not automated using Cloudflare.

I don't know what the question really is, or how it relates to Let's Encrypt. Maybe @mrvmlab can help us with some more relevant details.

4 Likes

Yeah, I agree, but "... certificate for internal DNS ..." was perplexing me.

1 Like

...resolver.

Whether or not it serves local data won't affect needing a valid hostname and matching certificate for DoT.

I use LAN subdomain wildcards exported from pfSense with the equivalent of a deploy-hook.

4 Likes

I was thinking of an internal test lab at a company that needs distributed DNS & TLS for testers.

1 Like

@linkp I will try to keep this short. I am running pfSense and I have DNS over TLS set up for external DNS. That works great. I see where I can also, within pfSense, offer DNS over TLS to my internal clients (HomeLab). It is not working internally, and the only results as to why it may be are due to a certificate being the issue (self-signed). So I wanted to issue a certificate based on my registered domain name with ACME and use that. However, I did not know what Method to use under the Domain SAN list when filling in the Services > ACME > Certificate options Edit. So this very well may be a question for Netgate support rather than Let's Encrypt; I am not 100% sure.

Almost like that, yet more of internal DNS over TLS for local LAN clients (homelab).

1 Like

Just a (homelab) trying to get local internal LAN clients' internal DNS to be DNS over TLS.

1 Like

Does the certificate for TLS need to be one the public trusts?
Do you want it to use a certificate for TLS that is in the public trust stores?

1 Like

If it can use a domain name, like Android, you can just use a plain LE certificate. If you need a certificate for a raw IP address, LE doesn't offer it now. For public IPs I think there are commercial CAs that are willing to sell you some: ZeroSSL by API and Google Trust Services come to mind.

3 Likes

Within a home lab, you usually don't need a publicly-trusted certificate like those issued by Let's Encrypt. You can likely issue your own certificate from your own internal certificate authority, and make the other devices on the network trust that authority.

3 Likes

That is correct @schoen; however, I do not fully understand what the OP is exactly trying to accomplish and what they would like. Hence the question.

3 Likes

@mrvmlab if you are looking for your own lab ACME CA see My own certificate authority - #10 by danb35

1 Like