I'm looking for advice on the best way to accomplish SSL cert integration with as much automation as I can provide. I have six separate, non-WAN facing servers that all need their own unique [subdomain] SSL cert, as well as a wildcard cert. My main dilemma is that since the servers are not WAN-facing, the DNS-challenge may not work.
Setup:
I use Namecheap* as both my registrar and DNS provider. My FQDN points to my router/firewall (pfsense). I do not have any A records configured with Namecheap for subdomains, though I have DNS entries in my DNS resolver in pfSense.
- Namecheap doesn't seem to have a way to let me automate renewals, so I may look at moving to another DNS provider.
The servers reside across multiple VLANs, none of which are WAN-facing (no reverse proxy, NAT, etc.). Most servers are allowed WAN traffic; however, two are firewalled off. I do occasionally provide access for updates, though, and could possibly script firewall changes to coincide with certificate renewals.
Questions:
What is the best way to approach this? Should I opt for automated HTTP challenges only on the servers, then distribute the wildcard cert another way? Or would the DNS challenge work with the current configuration, despite having no A records and no NAT/reverse proxy? I could certainly create public A records if needed that point to my IP.
If each server runs certbot and pulls down wildcard certs, are all of those wildcard certs unique? Or will subsequent servers pull down a duplicate of the initial wildcard cert?
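Added example (not part of the original post, and not a Namecheap-specific answer): a single script that serves as certbot's auth, cleanup and deploy hooks for a DNS-01 workflow run from one management host. With DNS-01 the CA validates by querying a TXT record at `_acme-challenge.<domain>` in public DNS, so neither that host nor the servers need inbound WAN traffic or public A records. The script assumes a zone that accepts RFC 2136 dynamic updates with a TSIG key (`nsupdate`), that `dig` is installed, and that the servers accept SSH as root and run nginx; the server names, key path and paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. One script acting as all three
# certbot hooks for a DNS-01 workflow, run from a single management host.
# The CA validates by looking up a TXT record in public DNS, so neither this
# host nor the servers need inbound WAN traffic.
#
# Assumptions (not from the post): the zone accepts RFC 2136 dynamic updates
# with a TSIG key (nsupdate), dig is installed, the servers accept SSH as root
# and run nginx. Namecheap's own API is not used here.
set -u

DNS_SERVER="${DNS_SERVER:-ns1.example.com}"           # authoritative server accepting updates (assumed)
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/acme/tsig.key}"  # nsupdate -k key file (assumed path)
RESOLVER="${RESOLVER:-1.1.1.1}"                       # public resolver used to confirm propagation
DEPLOY_HOSTS="${DEPLOY_HOSTS:-host1.example.com host2.example.com}"  # assumed server list
DEPLOY_DIR="${DEPLOY_DIR:-/etc/ssl/acme}"             # assumed cert directory on each server

# TXT record name the CA queries. For "*.example.com" the challenge lives at
# _acme-challenge.example.com; certbot already strips the "*." before setting
# CERTBOT_DOMAIN, but strip it here too so the function is safe to call directly.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# The DNS-01 value is base64url(SHA-256(key authorization)): always 43
# characters from [A-Za-z0-9_-] with no padding. Refuse anything else so a
# mangled environment never gets published into the zone.
is_valid_dns01_token() {
    [ "${#1}" -eq 43 ] || return 1
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Add or delete the TXT record with RFC 2136. $1 = add|delete, $2 = name, $3 = token.
nsupdate_txt() {
    nsupdate -k "$TSIG_KEY_FILE" <<EOF
server $DNS_SERVER
update $1 $2 60 TXT "$3"
send
EOF
}

# --manual-auth-hook: certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION.
auth_hook() {
    name="$(acme_txt_name "$CERTBOT_DOMAIN")"
    is_valid_dns01_token "$CERTBOT_VALIDATION" || {
        echo "refusing to publish malformed CERTBOT_VALIDATION" >&2; return 1; }
    nsupdate_txt add "$name" "$CERTBOT_VALIDATION" || return 1
    # certbot asks the CA to validate as soon as this hook exits, so wait until
    # the record is visible from a public resolver (up to 5 minutes).
    i=0
    while [ "$i" -lt 30 ]; do
        if dig +short TXT "$name" "@$RESOLVER" | grep -qF "$CERTBOT_VALIDATION"; then
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    echo "$name not visible via $RESOLVER after 5 minutes" >&2
    return 1
}

# --manual-cleanup-hook: remove the record once validation is over.
cleanup_hook() {
    nsupdate_txt delete "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
}

# --deploy-hook: runs once per successful issuance/renewal with RENEWED_LINEAGE
# set to /etc/letsencrypt/live/<name>. One issuance, one certificate, pushed to
# every server, instead of each server requesting its own wildcard.
deploy_hook() {
    for host in $DEPLOY_HOSTS; do
        scp -q "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
            "root@$host:$DEPLOY_DIR/" || { echo "copy to $host failed" >&2; continue; }
        ssh "root@$host" "chmod 600 $DEPLOY_DIR/privkey.pem && systemctl reload nginx"
    done
}

# Usage (first issuance; "certbot renew" later reuses the hooks recorded in the
# renewal config):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-hooks.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-hooks.sh cleanup" \
#     --deploy-hook         "/usr/local/bin/acme-hooks.sh deploy" \
#     -d example.com -d '*.example.com'
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    deploy)  deploy_hook ;;
    *)       : ;;   # no argument: only define the functions (sourced or tested)
esac
```

Running issuance from one host and fanning the result out in the deploy hook also sidesteps the question of duplicate wildcard certs: every separate certbot run is a separate ACME order and yields a distinct certificate (new key, new serial), so six servers each running certbot would hold six different wildcard certs; one run plus distribution gives one certificate everywhere. The two firewalled-off servers only need to be reachable over SSH from the management host for the copy step, not from the internet.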