Let's Encrypt for local servers?

In the past I’ve used Let’s Encrypt with acme.sh dns to get certificates for simple web servers.
They were reachable from the internet over port 80/443 anyway.

Now I have a small home server where I plan to run many different services.
They are only reachable from my local network (10.0.0.0/24) but not from the internet.

However, I plan to use a subdomain of my ‘real domain’ for these services.
e.g. srv1.local.domain.tld, srv2.local.domain.tld, and so on.

Now I have some questions:

  • As far as I know for the acme.sh dns thingy it isn’t necessary to open port 80/443 to the internet? Am I right here?
  • I need to deploy these certificates to many local VMs (I guess 10+). How would I do that most efficiently?
    • Do I run the acme.sh dns client on one server and copy the received cert over to the other servers? That would be bad because I need to do that manually on every renew.
    • Or do I run the acme.sh dns client on every server with the same command? This would be easy to renew, but wouldn’t I run into rate limit issues here?
  • I still have public services running on the same domain (without the local subdomain). Can I use a separate certificate for these subdomains (srv1.domain.tld, srv2.domain.tld, and so on) from the one for the local ones, so as not to make my internal subdomains visible there?
  • Or should I use different certificates for each and every different subdomain? (Is that even possible?)

As you may see from these questions, I’m fairly new to SSL certificates and Let’s Encrypt.
Hope you can clarify this a little bit.

Thank you!

1 Like

No, you don't need to open ports for the dns-01 challenge.

This is up to you. The rate limits are 5/week on identical certificates (so it does not apply if the local servers each have a certificate with their hostname only) and 50/week per registered domain (renewals excluded), so it probably does not concern you. You can use Let's Debug Toolkit to see.

You can use as many certificates as the rate limits allow you. There are two most common use cases: one cert per subdomain/domain, and one cert per server. But you can mix and match as you wish.

Yes, it's possible and sometimes advisable.

1 Like
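As an added illustration of the advice above (not code from the thread or from acme.sh), here is a small stdlib-only Python planner: it keeps internal hostnames out of any certificate that also carries public names, so the public certificates' SAN lists never reveal them, and it simulates the two limits quoted in the reply (5 identical certificates per week, 50 per registered domain per week, renewals excluded) over a sliding 7-day window. The limit values are the ones quoted above; treating the last two labels as the registered domain is an assumption made for the example.

```python
from datetime import datetime, timedelta

# Limits as quoted in the reply above; the registered-domain rule below is an assumption.
CERTS_PER_DOMAIN_PER_WEEK = 50
DUPLICATE_CERTS_PER_WEEK = 5
WEEK = timedelta(days=7)


def registered_domain(name):
    # Assumption: registered domain = last two labels (no public-suffix lookup).
    return ".".join(name.split(".")[-2:])


def plan_certificates(public_hosts, internal_hosts, one_per_host=True):
    """Return the name sets to request, one frozenset per certificate.
    Public and internal names are never mixed in one certificate, so a public
    cert's SAN list (and the CT log entry for it) never lists internal hosts."""
    groups = []
    for hosts in (public_hosts, internal_hosts):
        if one_per_host:
            groups.extend(frozenset([h]) for h in hosts)
        elif hosts:
            groups.append(frozenset(hosts))
    return groups


def leaks_internal(cert_names, internal_hosts):
    """True if a certificate mixes internal names with non-internal ones."""
    names, internal = set(cert_names), set(internal_hosts)
    return bool(names & internal) and not names <= internal


def check_issuance(events):
    """events: (timestamp, frozenset of names) for each NEW issuance.
    Returns (timestamp, reason) for every request that would hit a limit,
    counting only the issuances in the 7 days before that request."""
    events = sorted(events, key=lambda e: e[0])
    problems = []
    for i, (ts, names) in enumerate(events):
        recent = [n for t, n in events[:i] if ts - t < WEEK]
        domain = registered_domain(next(iter(names)))
        per_domain = sum(1 for n in recent if registered_domain(next(iter(n))) == domain)
        duplicates = sum(1 for n in recent if n == names)
        if per_domain >= CERTS_PER_DOMAIN_PER_WEEK:
            problems.append((ts, f"{domain}: {CERTS_PER_DOMAIN_PER_WEEK} certs in 7 days"))
        if duplicates >= DUPLICATE_CERTS_PER_WEEK:
            problems.append((ts, f"{sorted(names)}: duplicate-certificate limit"))
    return problems
```

Running `check_issuance` over the list returned by `plan_certificates` for a dozen `srvN.local.domain.tld` hosts plus a couple of public names reports no problems, which is the point the reply makes: one certificate per local service stays well inside both limits.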

I won’t need more than 50/week so I guess I’ll just use a separate cert for every local service.
Thank you!

1 Like

The full limits are explained here: Rate Limits - Let's Encrypt

This one might be concerning to you as well: (one account ~ one fresh install of certbot)

10 Accounts per IP Address per 3 hours.

1 Like
