Let's Encrypt for local servers?

In the past I’ve used Let’s Encrypt with acme.sh dns to get certificates for simple web servers.
They were reachable from the internet over port 80/443 anyway.

Now I have a small home server where I plan to run many different services.
They are only reachable from my local network (10.0.0.0/24) but not from the internet.

However, I plan to use a subdomain of my ‘real domain’ for these services.
e.g. srv1.local.domain.tld, srv2.local.domain.tld, and so on.

Now I have some questions:

  • As far as I know for the acme.sh dns thingy it isn’t necessary to open port 80/443 to the internet? Am I right here?
  • I need to deploy these certificates to many local VMs (I guess 10+). How would I do that most efficiently?
    • Do I run the acme.sh dns client on one server and copy the received cert over to the other servers? That would be bad because I need to do that manually on every renew.
    • Or do I run the acme.sh dns client on every server with the same command? This would be easy to renew but wouldn’t I run in rate limit issues here?
  • I still have public services running on the same domain (without the local subdomain). Can I use a separate certificate for these subdomains (srv1.domain.tld, srv2.domain.tld, and so on) than for the local ones to not make my internal subdomains visible there?
  • Or should I use different certificates for each and every different subdomain? (Is that even possible?)

As you may see from this questions, I’m fairly new to SSL certificates and Let’s Encrypt.
Hope you can clarify this a little bit.

Thank you!

1 Like

No, you don’t need to open ports for the dns-01 challenge.

This is up to you. The rate limits are 5/week on identical certificates (so it does not apply if the local servers each have a certificate with their hostname only) and 50/week per registered domain (renewals excluded), so it probably does not concern you. You can use tools.letsdebug.net/cert-search to see.

You can use as many certificates as the rate limits allow you. There are two most common use cases: one cert per subdomain/domain, and one cert per server. But you can mix and match as you wish.

Yes, it’s possible and sometimes advisable.

1 Like

I won’t need more than 50/week so I guess I’ll just use a separate cert for every local service.
Thank you!

1 Like

The full limits are explained here: https://letsencrypt.org/docs/rate-limits/

This one might be concerning to you as well: (one account ~ one fresh install of certbot)

10 Accounts per IP Address per 3 hours.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.