Local DNS Challenge Setup with Nginx Proxy Manager + Cloudflare

Hey folks,

I’m currently in the process of moving almost all of my internal services to use a local DNS challenge setup, and I’d love to get some feedback or tips from anyone who’s done something similar.

Here’s my setup so far:
• Reverse Proxy: Nginx Proxy Manager (NPM)
• DNS Provider: Cloudflare
• DNS Challenge Cert: I created a wildcard certificate in NPM using *.local.my.domain and local.my.domain (for internal subdomains) using the Cloudflare API integration.
• Cloudflare DNS Entries:
  • A record: local → 192.168.2.80 (my NPM server IP)
  • CNAME record: * → local (so that any *.local.my.domain subdomain resolves to the same internal IP)

Then, when I try to create a new Proxy Host in NPM like:
• Domain Name: sonarr.local.my.domain
• Forward Hostname/IP: sonarr (Docker container name)
• Forward Port: 8989 (default Sonarr port)
• SSL: I select the wildcard cert *.local.my.domain + local.my.domain

…but it doesn’t work. The SSL cert seems to not apply, or the host is unreachable.

Has anyone had luck doing something similar? Am I missing something in the DNS setup or maybe how NPM handles internal routing for Docker names?

Hello @sewshyi, welcome. :slight_smile:

Wildcard certificates are issued only using the DNS-01 challenge, thus all that is needed is access to the DNS from around the world for the challenge verification.
So HTTP/HTTPS forwarding does not come into play.

@sewshyi, you can also check the issued certificates with https://crt.sh/ and see the Matching Identities and Common Name for the domain names that a specific certificate covers.
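As an added illustration (not part of the reply above), here is a small check of which names a certificate's Subject Alternative Names actually cover, using the wildcard rule CAs and browsers apply: the wildcard must be the whole leftmost label and matches exactly one label. The SAN list is constructed to mirror the wildcard cert described in the thread; the real identities should be read from crt.sh.

```python
"""Check hostname coverage of a certificate's Subject Alternative Names."""

# Constructed SAN list matching the certificate described in the thread
# (assumption: both the wildcard and the bare apex name were requested).
SANS = ["*.local.my.domain", "local.my.domain"]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    Wildcard handling follows RFC 6125 style rules: the '*' must be the
    entire leftmost label and it matches exactly one DNS label, so
    '*.local.my.domain' covers 'sonarr.local.my.domain' but neither
    'local.my.domain' nor 'a.b.local.my.domain'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        # Non-wildcard (or malformed wildcard such as 'foo.*.example'): exact match only.
        return san == hostname
    suffix = san[1:]  # e.g. ".local.my.domain"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    # The wildcard must consume one non-empty label and nothing more.
    return bool(prefix) and "." not in prefix


def covering_san(sans, hostname: str):
    """Return the first SAN entry that covers hostname, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def coverage_report(sans, hostnames):
    """Map each hostname to the SAN that covers it (None = not covered)."""
    return {host: covering_san(sans, host) for host in hostnames}


if __name__ == "__main__":
    for host, san in coverage_report(
        SANS, ["sonarr.local.my.domain", "local.my.domain", "a.b.local.my.domain"]
    ).items():
        print(f"{host}: {'covered by ' + san if san else 'NOT covered'}")
```

A proxy host whose name falls outside every SAN entry will be served with a certificate the browser rejects, which is the first thing to rule out before suspecting the DNS setup.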

Those are very different results. The first would only be known after reaching the server. The second is not reaching it at all.

How NPM handles the containers is a question best for the NPM support forum. For that matter, so is the question about setting up the new proxy host in NPM.


I fixed it. It's so stupid. When I added the proxy host for the domain, inserted the wildcard certificate etc... it couldn't resolve the domain, better said the service. I turned „Block Common Exploits“ on and it worked. I don't know why. ChatGPT said this:
The “Block Common Exploits” option in NGINX Proxy Manager enables a set of security rules and headers that protect against common web attacks. It helps by:

• Blocking suspicious or malformed requests
• Enforcing stricter HTTP headers (like Content Security Policy, X-Frame-Options)
• Preventing potentially harmful request patterns
• Ensuring proper handling of HTTP headers and redirects

Enabling this option makes the proxy behave more securely and consistently, which often fixes weird issues with web apps behind the proxy—especially those using authentication or custom headers.

Took 2 days of troubleshooting for this... I can't anymore.

You were using a wildcard cert so the DNS Challenge was required. The Let's Encrypt Server does not send you any HTTP requests for that. It only queries your DNS (Cloudflare).

Any specialized HTTP headers could not have affected that. It may have resolved something else but, again, maybe posting this on NPM forum would help others avoid whatever that was.
