Making all my devices use my wildcard

First-time poster, novice human, huge set of questions:

I want to use my domain (dstaftn.org) for my home lab and web-facing blatherings. I have a VPS that is internet facing (CentOS 7). I want to be able to use it for playing around with a bunch of stuff, but the primary goals are Asterisk (FreePBX), LAMP, Mail, VPN et al. I also want to take advantage of DNSSEC.

I have a small home lab with Windows 2019 Datacenter (Insider) with various other devices and computers, Linux, Windows, IoT et al. I used to run a pfSense box for my headend, but I had to change ISPs due to price and their garbage LTE box will not do RNDIS or show up as a virtual ethernet device. (Long story.)

I want to have all of these devices (where possible) have a branch of the *.dstaftn.org wildcard. I want to be able to set each device with a Let’s Encrypt cert, and everyone trusts each other, RDP, VPN, SSH, LDAP (Domain)… I would like to make it so that the CentOS box is a certificate store (I guess), letting it do the heavy lifting, and then making the clients update as necessary.

Right now I have the domain registered through Google, but I have been using Hurricane Electric’s DNS and IPv6 tunnels because the providers I have haven’t figured out how to do all of that yet.

Is what I’m considering even possible? What are the high-level things I need to do/learn to get this going?

Thank you!

It should be. Broadly, what you'd need to do would be:

  • Obtain the cert for *.dstaftn.org. This will require use of DNS validation, which acme.sh supports through Hurricane Electric.
  • Run split-horizon DNS on your network, configured so that hostname.dstaftn.org resolves to the desired system. Note that you can only use one level of wildcard on the cert, and the wildcard only covers one level of subdomain. Therefore, you can't get a cert for *.*.dstaftn.org, and a cert for *.dstaftn.org won't work for host.sub.dstaftn.org.
  • Whenever the wildcard cert is issued or renewed, copy the cert and private key to all affected devices, converting the format if/when necessary.

The cert and private key are simply text files, and can easily be copied to wherever they'd be used. The second point would be best implemented, if possible, on the CentOS box, as that's the only place that's really going to know when a renewal has happened. Ideally, you'd be able to write a script to deploy the cert to your various internal devices--but this would obviously require your CentOS box to be able to access individual hosts on your LAN. Another possibility would be to have some resource on your LAN reach out to the CentOS box and grab the files, and then deploy them to the other devices. A third possibility would be for each device on your LAN to individually reach out to the CentOS box to get the certs. Depending on the capabilities of each of the devices, you may end up using a combination of all three methods.

You may also want to consider getting individual certs for your various devices by hostname--again, since your DNS provider is supported by acme.sh, this should be feasible without making those devices accessible to the Internet.
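The one-level wildcard rule and the "copy to every device" step from the reply above, as an added POSIX sh example (not code from this thread or from acme.sh): a `covers` check that applies the one-label wildcard rule, and a deploy helper that refuses to push the wildcard cert to a host the cert would not actually cover. Hostnames, file paths, and the use of ssh/scp from the CentOS box are assumed for illustration.

```shell
#!/bin/sh
# Added example. Intended to be called from acme.sh's --reloadcmd after a
# renewal, e.g. (flags from acme.sh's own docs; HE credentials via env):
#   HE_Username=... HE_Password=... acme.sh --issue --dns dns_he \
#       -d dstaftn.org -d '*.dstaftn.org'
#   acme.sh --install-cert -d dstaftn.org \
#       --fullchain-file /etc/pki/lab/fullchain.pem \
#       --key-file /etc/pki/lab/privkey.pem \
#       --reloadcmd '/usr/local/bin/push-certs.sh'

# covers PATTERN NAME: exit 0 if certificate name PATTERN covers NAME.
# A wildcard matches exactly one non-empty label, and only as the leftmost
# label; "*.*.example" style patterns are rejected as invalid.
covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#"*."}                 # part after the wildcard label
            case "$suffix" in *'*'*) return 1 ;; esac   # no nested wildcards
            case "$name" in
                *".$suffix") leftmost=${name%".$suffix"} ;;
                *) return 1 ;;                     # wrong domain, or the apex
            esac
            [ -n "$leftmost" ] || return 1
            case "$leftmost" in *.*) return 1 ;; esac  # host.sub.dstaftn.org
            return 0 ;;
        *) [ "$pattern" = "$name" ] ;;             # plain SAN: exact match only
    esac
}

# cert_covers "NAME1 NAME2 ..." HOST: true if any SAN on the cert covers HOST.
cert_covers() {
    for n in $1; do covers "$n" "$2" && return 0; done
    return 1
}

# deploy_cert SANS CERT KEY HOST DEST: copy cert+key to HOST, but only if the
# cert covers HOST; otherwise clients connecting to HOST would get a mismatch.
deploy_cert() {
    sans=$1; cert=$2; key=$3; host=$4; dest=$5
    cert_covers "$sans" "$host" || {
        echo "refusing: cert ($sans) does not cover $host" >&2; return 1; }
    scp -q "$cert" "$key" "$host:$dest/" && ssh "$host" "systemctl reload httpd"
}
```

With the assumed SANs `dstaftn.org *.dstaftn.org`, `deploy_cert` accepts `nas.dstaftn.org` and rejects `cam1.iot.dstaftn.org`, which needs its own cert or a `*.iot.dstaftn.org` wildcard.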
