My web server is (include version): can be nginx if required
The operating system my web server runs on is (include version): linux (various versions)
My hosting provider, if applicable, is: na, but domain provided by namecheap
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I see this as a common use case but with no clear solution. Apologies if redundant.
I own a domain name (as above). I only use it internally on my home network (e.g. apps.atal.cc, fileserver.atal.cc, workstation.atal.cc etc.). Some of these point to web apps. There are only a handful of these (currently 5, maximum 20 in the far far future maybe) and hostnames are fixed and known.
To avoid browser messages and for just best practice I want to use CA SSL for these webapps. I would want this to be as hands off as possible, so renewals should be scriptable. I am happy to use a wildcard domain if that makes sense.
Does every solution require a webserver listening specifically on port 80? I read about DNS-01 but that seems to need an accessible site too?
With the DNS-01 solution, is it just set once and forget, or is a new DNS edit required each renewal?
With a wildcard domain, I presume one server would be tasked with renewal. Is it my responsibility to distribute that cert to my various internal servers or is there a cleverer way to set the individual servers once?
If not, and thus it makes more sense for each host to have its own cert and renewal process, do they each need to have their own accessible webserver, or can I set up a single one for all of them?
As I say, this seems to be a common use case with multiple (sometimes outdated) replies, so any current information would be appreciated.
DNS-01 does not need a reachable web server, since it's totally independent from web servers.
It requires you to have a queryable DNS server, not necessarily reachable web servers.
It's a different DNS edit / record every time you request a validation, so every token is different when you renew.
It's clearly your responsibility to distribute the certificate across your infrastructure, but you could consider putting it on a shared drive and attaching the network drive to all servers.
If you use DNS validation, no accessible web server is required, but your DNS server must be queryable (e.g. digging from outside your network should return the TXT record the CA needs).
You could create one certificate and distribute it across your infrastructure, or generate one certificate for each server. Since the certificate duration is short, you must set up auto renewal to make sure there are no interruptions to your experience (e.g. certificate expired error).
Please be aware of the rate limits from Let's Encrypt.
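To make the two answers above concrete, here is an added example (not code from this thread, and not the code of any ACME client) showing what a DNS-01 validation actually checks: the client derives a TXT value from the CA-issued token and its account key thumbprint (RFC 8555 section 8.4, RFC 7638), publishes it at `_acme-challenge.<name>`, and the CA resolves that record from the public internet. The account key, the tokens and the resolver answers below are all constructed sample values; the resolver lookup itself is not performed, since the point is the comparison logic and the fact that a fresh token yields a fresh record on every renewal.

```python
"""Added example: how a DNS-01 TXT value is derived and checked.
Not from the forum thread or any ACME client; all inputs are constructed."""
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members,
    in lexicographic order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """Key authorization = token '.' thumbprint; the TXT record carries
    base64url(SHA-256(key authorization)). A new token means a new record."""
    key_authz = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def challenge_record_name(fqdn: str) -> str:
    """Wildcard names drop the '*.' label: '*.atal.cc' is validated
    at _acme-challenge.atal.cc, the same name as the bare domain."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return f"_acme-challenge.{base.rstrip('.')}"


def txt_record_present(expected: str, txt_answers: list) -> bool:
    """True when one of the TXT strings a resolver returned equals the expected
    value. Leftover records from earlier renewals may coexist; only an exact
    match counts, so stale values neither help nor hurt."""
    return any(a.strip('"') == expected for a in txt_answers)


def renewal_due(not_after: datetime, now: datetime, threshold_days: int = 30) -> bool:
    """Short-lived certificates: renew once fewer than threshold_days remain."""
    return not_after - now <= timedelta(days=threshold_days)


# Constructed sample account key (public part only, dummy coordinates).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}


def demo() -> dict:
    """Walk through one validation and one renewal for '*.atal.cc'."""
    tp = jwk_thumbprint(SAMPLE_JWK)
    first = dns01_txt_value("token-from-first-order", tp)
    renewal = dns01_txt_value("token-from-renewal-order", tp)
    name = challenge_record_name("*.atal.cc")
    # Constructed resolver answer: the old record was never cleaned up.
    answers = [f'"{first}"', f'"{renewal}"']
    return {
        "record_name": name,
        "first_ok": txt_record_present(first, answers),
        "renewal_ok": txt_record_present(renewal, answers),
        "records_differ": first != renewal,
    }


if __name__ == "__main__":
    print(demo())
```

The external check the second answer describes is simply `dig +short TXT _acme-challenge.atal.cc @1.1.1.1` (or any public resolver): if the value that `dns01_txt_value` produces is not in that answer, the CA cannot validate, no matter what is reachable on port 80. `renewal_due` is the decision a cron job or systemd timer makes before asking the CA for a new order, which is when a new token, and therefore a new TXT record, is issued.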
Thank you for the clarifying response! Very helpful.
So it sounds like the real requirement to make this work automatically (be it via wildcards or individually) is the ability to programmatically update the DNS record (with the token obtained from LE). Is that right?
So it seems that Namecheap has issues in updating DNS entries via an API (ranging from “slow” to “not possible”).
The workaround appears to be using another nameserver (while keeping Namecheap as your registrar if required). The following uses Cloudflare, for example: