This question is similar to the one here: LetsEncrypt for Behind Firewall / On Intranet, but it’s different enough that I am creating this new topic.
Consider the following network topology: I have a valid domain example.net, and I am using this domain as my “intranet” domain in a split-horizon config, i.e. I have an internal DNS server with all my intranet hosts, and an external one for the same domain, but without the internal hosts.
I’d like to be able to use the ACME HTTP-01 protocol on servers in my intranet to deploy and update valid certificates for those internal machines. I’m OK with the names “leaking” through DNS and issuance logs, but I don’t want to open the internal machines to the Internet, so using HTTP-01 directly is not possible.
I can use DNS-01 for example.net with (for example) acme.sh to issue certs.
Is there a server/package/service that I could use to help deploy LE certificates to those internal machines? Ideally, there would be an ACME server I could point my internal machines to that knows how to do HTTP-01 challenges on the internal network, but use DNS-01 to issue certificates and pass them through to the actual client. Kind of an ACME proxy, so to speak.
Or is there another mechanism I could use that does not require extensive configuration on the internal machines? I do not want to use a self-signed cert or my own CA, and I want cert updates to be deployed without manual effort.
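One of the mechanisms the question touches on, a single central host that holds the DNS API credentials for example.net, issues with acme.sh over DNS-01 and pushes the results to the internal machines over SSH, sketched as an added example. This is not the poster's setup, not a reply from the thread, and not part of acme.sh. It assumes acme.sh is installed in the default location, that the public DNS is hosted at Cloudflare (acme.sh's `dns_cf` hook, credentials exported as `CF_Token`/`CF_Account_ID` before running), that each internal host accepts key-based SSH from a deploy user (here `acme-deploy`) who may write to `/etc/ssl/acme` and reload nginx via sudo, and that the host list is the constructed pair `web1.example.net`/`git.example.net`. Run it as `./acme-broker.sh run` from a daily cron job; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Central "ACME broker": issue via DNS-01 for names under the split-horizon
# zone and push key + chain to hosts that are never reachable from outside.
# Added example; assumptions (dns_cf hook, paths, deploy user) are described
# in the lead-in and can be swapped for any acme.sh DNS hook / web server.
set -eu

ZONE="example.net"
ACME_SH="${ACME_SH:-${HOME:-/root}/.acme.sh/acme.sh}"
DNS_HOOK="${DNS_HOOK:-dns_cf}"                       # assumed DNS provider hook
STAGING="${STAGING:-${HOME:-/root}/acme-staging}"    # local copy before push
DEPLOY_USER="${DEPLOY_USER:-acme-deploy}"            # assumed SSH user on targets
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# in_zone HOST: the DNS-01 credentials can only prove control of names under
# example.net, so refuse anything else before touching the CA.
in_zone() {
    case "$1" in
        *."$ZONE") return 0 ;;
        *)         return 1 ;;
    esac
}

# issue_cert HOST: DNS-01 issuance. The TXT record lands in the public zone;
# the internal host itself plays no part in the challenge. acme.sh exits 2
# when the existing cert is not yet due for renewal, which is not an error.
issue_cert() {
    host="$1"
    run "$ACME_SH" --issue --dns "$DNS_HOOK" -d "$host" --keylength ec-256 || {
        rc=$?
        [ "$rc" -eq 2 ] || return "$rc"
    }
    run mkdir -p "$STAGING/$host"
    run "$ACME_SH" --install-cert --ecc -d "$host" \
        --key-file "$STAGING/$host/privkey.pem" \
        --fullchain-file "$STAGING/$host/fullchain.pem"
}

# push_cert HOST: copy the staged files over SSH, lock down the key, reload.
push_cert() {
    host="$1"
    run scp -q "$STAGING/$host/privkey.pem" "$STAGING/$host/fullchain.pem" \
        "$DEPLOY_USER@$host:/etc/ssl/acme/"
    run ssh "$DEPLOY_USER@$host" \
        "chmod 0600 /etc/ssl/acme/privkey.pem && sudo systemctl reload nginx"
}

# deploy_host HOST: the whole pipeline for one internal name.
deploy_host() {
    in_zone "$1" || { echo "refusing $1: not under $ZONE" >&2; return 1; }
    issue_cert "$1"
    push_cert "$1"
}

# Constructed host list for the example; a real broker would read it from a file.
main() {
    for h in web1.example.net git.example.net; do
        deploy_host "$h"
    done
}

# Only act when invoked as "./acme-broker.sh run", so the functions can be
# sourced or dry-run without side effects.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The internal machines need nothing beyond an SSH key and a reload command, which is what keeps per-host configuration minimal; the private key never leaves the broker except over that SSH channel, and the broker is the only place the DNS API token lives, so it deserves the same protection as the DNS account itself.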