How to approach setting up wildcard + subdomain certs for multiple servers

I'm looking for advice on the best way to accomplish SSL cert integration with as much automation as I can provide. I have six separate, non-WAN facing servers that all need their own unique [subdomain] SSL cert, as well as a wildcard cert. My main dilemma is that since the servers are not WAN-facing, the DNS-challenge may not work.

Setup:
I use Namecheap* as both my registrar and DNS provider. My FQDN points to my router/firewall (pfSense). I do not have any A records configured with Namecheap for subdomains, though I have DNS entries in my DNS resolver in pfSense.

  • Namecheap doesn't seem to have a way to allow me automated renewals, so I may look at moving to another DNS provider.

The servers reside across multiple VLANs, none of which are WAN-facing (no reverse proxy, NAT, etc.). Most servers are allowed WAN traffic; however, two are firewalled off. I do occasionally provide access for updates, and could possibly script firewall changes to coincide with certificate renewals.

Questions:
What is the best way to approach this? Should I opt for automated HTTP-challenges only on the servers, then distribute the wildcard cert another way? Or would the DNS-challenge work with the current configuration, despite no A-records and NAT/reverse proxy? I could certainly create public A-records if needed that point to my IP.

If each server runs certbot and pulls down wildcard certs, are all of those wildcard certs unique? Or will subsequent servers pull down a duplicate of the initial wildcard cert?

Hi @ultima,

Using the DNS challenge is required by Let's Encrypt policy for issuing wildcard certificates. Conveniently for your situation, it specifically does not require either that the underlying servers are reachable from the Internet, or that there be any other public DNS records for the associated domain. So it should work just fine for your situation, as long as you can get a way to do API-based DNS updates.

Each one would be separate (and count against your weekly issuance rate limits). So you might also want to think about a way to script distribution of the same certificate and key among your servers.

3 Likes

I use the pfSense ACME client to obtain wildcard certificates for internal hosts. You will need to enable some settings in the pfSense ACME service. You will also need to work out your distribution strategy. I find SSH keys and rsync are useful components, especially when tied in with scripts on the target hosts.

2 Likes
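Both replies point at the same follow-on problem: once a single wildcard certificate has been issued via DNS-01, the same certificate and key have to be copied to every internal host (rather than having each host issue its own and burn rate limits). The script below is an added example of such a distribution hook, not code from the thread or from certbot/pfSense. It assumes a certbot deploy hook (certbot does export `RENEWED_LINEAGE` to deploy hooks), a `deploy` SSH user, a remote directory `/etc/ssl/wildcard`, and the hostnames `web1.internal.example` / `web2.internal.example`; all of those are constructed placeholders. It verifies that the private key matches the certificate before shipping, copies with rsync over SSH, confirms the remote copy by hash, and only then reloads the service.

```shell
#!/bin/sh
# Added example: certbot deploy hook that pushes one renewed wildcard cert + key
# to several internal hosts over SSH/rsync, verifies each copy by SHA-256, then
# reloads the TLS-terminating service. Wire it up with e.g.
#   certbot certonly --preferred-challenges dns ... -d example.com -d '*.example.com' \
#     --deploy-hook "/usr/local/sbin/push-wildcard.sh deploy"
# Hostnames, user and paths are constructed placeholders, not values from the thread.
set -eu

# Hosts that receive the certificate, one per line; '#' starts a comment (constructed).
CERT_HOSTS_LIST="${CERT_HOSTS_LIST:-web1.internal.example
web2.internal.example}"

# certbot sets RENEWED_LINEAGE for deploy hooks; fall back to a fixed lineage path.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/example.com}"
DEPLOY_USER="${DEPLOY_USER:-deploy}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/wildcard}"
RELOAD_CMD="${RELOAD_CMD:-sudo systemctl reload nginx}"
# Non-interactive SSH with a pre-populated known_hosts; never fall back to prompts.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes"

# Strip comments and blank lines from the host list (stdin -> stdout, one host per line).
hosts_from_list() {
  sed 's/#.*//' | awk 'NF { print $1 }'
}

# Portable SHA-256 of a local file (GNU coreutils or BSD shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# rsync destination for one host, e.g. deploy@web1.internal.example:/etc/ssl/wildcard/
remote_target() {
  printf '%s@%s:%s/\n' "$DEPLOY_USER" "$1" "$REMOTE_DIR"
}

# Refuse to deploy a key that does not belong to the certificate (compares SPKI PEMs).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Copy key + chain (-L resolves certbot's live/ symlinks, files land as 0600),
# verify the remote hashes against the local files, then reload the service.
push_cert_to_host() {
  host=$1
  echo "==> $host"
  rsync -aL --chmod=F0600 -e "ssh $SSH_OPTS" \
    "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" "$(remote_target "$host")"
  for f in privkey.pem fullchain.pem; do
    local_sum=$(file_sha256 "$LIVE_DIR/$f")
    remote_sum=$(ssh $SSH_OPTS "$DEPLOY_USER@$host" "sha256sum $REMOTE_DIR/$f | cut -d' ' -f1")
    [ "$local_sum" = "$remote_sum" ] || { echo "hash mismatch for $f on $host" >&2; return 1; }
  done
  ssh $SSH_OPTS "$DEPLOY_USER@$host" "$RELOAD_CMD"
}

main() {
  key_matches_cert "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
    || { echo "key/cert mismatch in $LIVE_DIR, refusing to deploy" >&2; exit 1; }
  # </dev/null keeps ssh from swallowing the remaining host list on stdin.
  printf '%s\n' "$CERT_HOSTS_LIST" | hosts_from_list | while read -r host; do
    push_cert_to_host "$host" </dev/null
  done
}

# Only deploy when explicitly asked, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "deploy" ]; then
  main
fi
```

The key-match check is the part worth keeping even if the rest is replaced: distributing a chain and key that do not belong together produces a handshake failure on every host at once, and the check is a single local `openssl` comparison. The `deploy` user on each target needs only write access to the remote directory and a sudo rule limited to the reload command; the pfSense ACME client mentioned above can call an equivalent script from its own post-renewal action.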
