In the past I’ve used Let’s Encrypt with acme.sh dns to get certificates for simple web servers.
They were reachable from the internet over port 80/443 anyway.
Now I have a small home server where I plan to run many different services.
They are only reachable from my local network (10.0.0.0/24) but not from the internet.
However, I plan to use a subdomain of my ‘real domain’ for these services.
e.g. srv1.local.domain.tld, srv2.local.domain.tld, and so on.
Now I have some questions:
- As far as I know for the acme.sh dns thingy it isn’t necessary to open port 80/443 to the internet? Am I right here?
- I need to deploy these certificates to many local VMs (I guess 10+). How would I do that most efficiently?
- Do I run the acme.sh dns client on one server and copy the received cert over to the other servers? That would be bad because I need to do that manually on every renew.
- Or do I run the acme.sh dns client on every server with the same command? This would be easy to renew, but wouldn’t I run into rate limit issues here?
- I still have public services running on the same domain (without the local subdomain). Can I use a separate certificate for these subdomains (srv1.domain.tld, srv2.domain.tld, and so on) from the one for the local ones, so as not to make my internal subdomains visible there?
- Or should I use different certificates for each and every different subdomain? (Is that even possible?)
As you may see from these questions, I’m fairly new to SSL certificates and Let’s Encrypt.
Hope you can clarify this a little bit.