I have 2 (potentially 3) servers on my LAN (dev, test, prod) that have nginx on port 80. I want a wildcard *.domain.net certificate to be shared, but my understanding is that I can only forward port 80 (incoming requests) to one of these servers. Yet I'd like to use certbot for certificate management.
What are my options? It seems like prod should use the standard port, with certbot configured on that server (prod = production), and then I'd manually copy the certs to dev and test.
Why not set up a reverse proxy in front of your 3 servers? That way, you could set up the wildcard certificate only on that server and do host-based routing to your LAN hosts.
Otherwise, a wildcard certificate can only be obtained by the DNS challenge (https://letsencrypt.org/docs/challenge-types/). As such, forwarding port 80 is not required to obtain it. It's probably better to obtain 3 different certificates than trying to share one across 3 hosts.
Use SNI to separate the traffic.
Yes, initially only one IP will receive the HTTP requests, but it can proxy to the others (provided that they each have unique names).
Or add another system to do that (as _az suggested).
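The reverse-proxy approach from the two answers above (one wildcard cert issued with the DNS-01 challenge, one nginx front end routing by SNI/Host to the LAN hosts), as an added worked example; this is not code from the original thread or from any of the posters. The apex `domain.net`, the backend LAN addresses, the `dev`/`test`/`prod` hostnames and the config file path are assumptions; everything else is standard certbot and nginx usage.

```shell
#!/bin/sh
# Added example (not from the original thread). Obtains a single wildcard
# certificate via DNS-01 and renders nginx reverse-proxy server blocks that
# route each hostname to its LAN backend. Hostnames, IPs and paths are assumed.
set -eu

DOMAIN="domain.net"                               # assumed apex domain
CERT_DIR="/etc/letsencrypt/live/${DOMAIN}"        # certbot's default lineage path
VHOST_FILE="/etc/nginx/conf.d/lan-proxy.conf"     # assumed output file

# Assumed backend map: "<subdomain> <LAN ip>", one per line.
BACKENDS="dev 192.168.10.11
test 192.168.10.12
prod 192.168.10.13"

# 1. Wildcards are DNS-01 only, so no inbound port 80 is needed for issuance.
#    --manual prompts for the _acme-challenge TXT record; for unattended
#    renewals use a DNS plugin (e.g. --dns-cloudflare) instead of --manual.
obtain_wildcard() {
  certbot certonly --manual --preferred-challenges dns \
    -d "${DOMAIN}" -d "*.${DOMAIN}" \
    --deploy-hook 'systemctl reload nginx'
}

# 2. One server block per host. All blocks point at the same cert files
#    because the cert covers *.domain.net; nginx selects the block by SNI
#    during the TLS handshake and by the Host header afterwards.
render_server_block() {
  name="$1"; backend="$2"
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${name}.${DOMAIN};
    ssl_certificate     ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    location / {
        proxy_pass http://${backend}:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# 3. Full config: plain HTTP only redirects to HTTPS (no http-01 needed),
#    followed by one TLS block per backend.
render_all() {
  cat <<EOF
server {
    listen 80 default_server;
    return 301 https://\$host\$request_uri;
}
EOF
  printf '%s\n' "$BACKENDS" | while read -r name ip; do
    [ -n "$name" ] && render_server_block "$name" "$ip"
  done
}

deploy() {
  obtain_wildcard
  render_all > "$VHOST_FILE"
  nginx -t && systemctl reload nginx
}

# Run the real deployment only when explicitly asked: ./lan-proxy.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Two things worth checking before relying on this: the DNS plugin credentials you give certbot should be scoped to the one zone (a token that can edit all your DNS records is a bigger asset than the wildcard key it protects), and the private key in `privkey.pem` now lives only on the proxy, whereas the "copy the certs" plan from the question would spread that key across three hosts. The backends still speak plain HTTP on the LAN; if that segment is not trusted, terminate TLS on them too rather than relying on the proxy alone.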
I'm working with @kirkroyster on this. For context, we're operating with a SonicWall firewall. So, I imagine we can do something in there. I just haven't learned what that is, yet!