My domain is: atal.cc
My web server is (include version): can be nginx if required
The operating system my web server runs on is (include version): linux (various versions)
My hosting provider, if applicable, is: na, but domain provided by namecheap
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I see this as a common use case but with no clear solution. Apologies if redundant.
I own a domain name (as above). I only use it internally on my home network (e.g. apps.atal.cc, fileserver.atal.cc, workstation.atal.cc, etc.). Some of these point to web apps. There are only a handful of these (currently 5, maximum 20 in the far, far future maybe) and hostnames are fixed and known.
To avoid browser messages, and just as best practice, I want to use CA SSL for these web apps. I would want this to be as hands-off as possible, so renewals should be scriptable. I am happy to use a wildcard domain if that makes sense.
- Does every solution require a webserver listening specifically on port 80? I read about DNS-01 but that seems to need an accessible site too?
- With the DNS-01 solution, is it just set once and forget, or is a new DNS edit required each renewal?
- With a wildcard domain, I presume one server would be tasked with renewal. Is it my responsibility to distribute that cert to my various internal servers or is there a cleverer way to set the individual servers once?
- If not, and thus it makes more sense for each host to have its own cert and renewal process, do they each need to have their own accessible webserver, or can I set up a single one for all of them?
As I say, this seems to be a common use case with multiple (sometimes outdated) replies, so any current information would be appreciated.
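The DNS-01 questions above (whether the record can be set once, and what a wildcard order actually publishes) come down to how the TXT record data is derived in RFC 8555. The following is an added example written for this page, not code from the original post or from any ACME client: it computes the `_acme-challenge` record name and TXT value from a challenge token and the account key thumbprint (RFC 7638), then simulates two renewals of the same wildcard order. The account JWK is a constructed public key taken from an RFC example, not a key in use, and the tokens are generated locally with `os.urandom` in place of the ones a CA would hand out; everything else follows the RFCs.

```python
import base64
import hashlib
import json
import os

# Members RFC 7638 requires in a JWK thumbprint, per key type. Anything
# else in the JWK (e.g. "kid", "alg") is excluded from the hash.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed example account key (public EC JWK). The coordinates are the
# RFC 7515 Appendix A.3 example values, not a key that signs anything here;
# a real ACME client reads its own account key from disk.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme.example/acme/acct/1",  # hypothetical; must not affect the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, serialised
    as JSON with lexicographically sorted keys and no whitespace."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {jwk.get('kty')!r}") from exc
    canonical = {m: jwk[m] for m in members}  # KeyError if a required member is absent
    serialised = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialised.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: the challenge token joined to the account key thumbprint.
    The token is issued fresh for every authorization, so this string, and
    anything derived from it, changes on every renewal."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT record data is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record: "_acme-challenge." prefixed to the identifier,
    with a leading "*." stripped for wildcard identifiers (RFC 8555 s7.1.3, s8.4)."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def plan_dns01_records(tokens: dict, account_jwk: dict) -> list:
    """(record name, TXT data) pairs to publish for one order, given the token the
    CA issued for each identifier. "*.atal.cc" and "atal.cc" share an owner name,
    so both TXT records must coexist; adding one must not replace the other."""
    return [(challenge_record_name(ident), dns01_txt_value(tok, account_jwk))
            for ident, tok in tokens.items()]


if __name__ == "__main__":
    # Two renewals of the same order: the name and the account key stay the
    # same, but the CA issues new tokens, so the TXT data differs each time.
    for run in (1, 2):
        tokens = {"*.atal.cc": b64url(os.urandom(32)), "atal.cc": b64url(os.urandom(32))}
        for name, value in plan_dns01_records(tokens, EXAMPLE_ACCOUNT_JWK):
            print(f"renewal {run}: {name} TXT {value}")
```

Because the value depends on a token the CA generates per authorization, a DNS-01 record cannot be set once and forgotten: each renewal needs a DNS write, which is why clients automate it through the DNS provider's API (or a delegated `_acme-challenge` zone) rather than a manual edit. Nothing here listens on port 80; the only thing that must be reachable from the CA is the public DNS for atal.cc.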