First of all, a "hello" to everyone; I am new here.
A little about the configuration so far, and please excuse the long preface. The real question is further below.
++ Background ++
I have a domain at Strato, e.g. 'example.de'. For each host in my LAN to which I need HTTPS access, I have created a corresponding subdomain at Strato, e.g. 'cloud.lan.example.de'. At Strato I have enabled dynamic DNS for the subdomain.
My pfSense automatically updates its current WAN IP at Strato. Furthermore, I have set up the ACME plugin on the pfSense, which takes care of the automatic renewal of certificates for all subdomains.
Also running on the pfSense is HAProxy, which receives incoming HTTPS requests, serves them with a trusted certificate and forwards each request to the appropriate internal server depending on the subdomain.
So only the pfSense has the Let's Encrypt certificate. The actual server in the LAN still has a self-signed certificate. However, the requesting (external) client does not notice anything because, as mentioned above, the pfSense accepts the connection. For the certificate renewal, the pfSense opens port 80 on a schedule, so it is an HTTP-01 challenge.
So far this all sounds fine and works. But the fact that the servers in the LAN themselves have a self-signed certificate becomes a problem when I or an application access a server via HTTPS.
I would like to illustrate this with an example. At Strato I have set up the subdomain 'media.lan.example.de' and included it in my configuration as described above. On the internal server 'media.lan.beispiel.de' runs my Jellyfin media server.
On the internal LAN I have Kodi with the Jellyfin plugin running on the mini computer at my TV. Now, when I configure 'media.lan.example.de' in Kodi, it is of course presented with a self-signed certificate, and Kodi doesn't like that at all! It simply does not work.
As a stopgap solution, I set up a virtual network device on the pfSense, set up an additional subdomain and let HAProxy listen on it. This routes the connection to the media server. Sounds good, but it brings further disadvantages: the entire data stream runs through the pfSense, which is of course anything but optimal with multiple streaming clients.
++ Question ++
I now want to change the above configuration so that each server itself has a trusted LE certificate. However, no port 80 into the LAN should be opened. As far as I have read, this works with the DNS-01 challenge. As I could find out further, this must be supported by the provider.
At Strato itself I did not find any information on whether it is supported. On the web I found information that there is a way to realize it. It is probably not official.
Can someone tell me if it works and, especially, how?
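To make the DNS-01 mechanism behind the question concrete, here is an added example (not part of the original post, and not Strato's or pfSense's code) that reproduces the validation arithmetic from RFC 8555 section 8.4 and RFC 7638: the ACME account key is reduced to a JWK thumbprint, the key authorization is built from the challenge token, and the SHA-256 of that string, base64url-encoded, is what has to appear as a TXT record at `_acme-challenge.<hostname>`. The CA then reads that record over DNS, which is why no port 80 (or any other inbound port) into the LAN is needed, but also why the DNS provider has to offer a way to create and delete TXT records automatically. The RSA modulus, exponent, token and the in-memory "zone" below are all constructed placeholders, not real ACME or Strato data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint_rsa(n_b64url: str, e_b64url: str) -> str:
    """RFC 7638 thumbprint of an RSA JWK.

    Only the required members (e, kty, n) are hashed, in lexicographic
    order, with no whitespace in the JSON serialisation.
    """
    canonical = json.dumps(
        {"e": e_b64url, "kty": "RSA", "n": n_b64url},
        separators=(",", ":"),
        sort_keys=True,
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(fqdn: str) -> str:
    """Name of the TXT record the CA will query, as an absolute name."""
    return "_acme-challenge." + fqdn.strip(".") + "."


def publish_challenge(zone: dict, fqdn: str, txt_value: str) -> None:
    """Stand-in for the provider's DNS API: add one TXT record.

    Several TXT records may coexist under the same name (e.g. when a
    wildcard and a base-name order validate at the same time), so the
    zone maps a name to a set of values rather than a single string.
    """
    zone.setdefault(challenge_record_name(fqdn), set()).add(txt_value)


def remove_challenge(zone: dict, fqdn: str, txt_value: str) -> None:
    """Clean-up step: stale challenge records should not linger in the zone."""
    name = challenge_record_name(fqdn)
    zone.get(name, set()).discard(txt_value)
    if name in zone and not zone[name]:
        del zone[name]


def ca_validates(zone: dict, fqdn: str, token: str, thumbprint: str) -> bool:
    """What the CA does: resolve the TXT set and look for the expected value.

    The CA recomputes the expected value from the token and the account
    key it already knows, so a TXT record alone proves nothing unless it
    was produced with the matching account key.
    """
    expected = dns01_txt_value(token, thumbprint)
    return expected in zone.get(challenge_record_name(fqdn), set())


# Constructed sample data (placeholders, not a real key or a real challenge).
SAMPLE_N = b64url(b"\x01" * 256)        # fake 2048-bit modulus
SAMPLE_E = b64url(b"\x01\x00\x01")      # 65537
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
SAMPLE_HOST = "media.lan.example.de"

if __name__ == "__main__":
    zone = {}
    thumb = jwk_thumbprint_rsa(SAMPLE_N, SAMPLE_E)
    txt = dns01_txt_value(SAMPLE_TOKEN, thumb)
    print(challenge_record_name(SAMPLE_HOST), "TXT", txt)
    publish_challenge(zone, SAMPLE_HOST, txt)
    print("CA validation:", ca_validates(zone, SAMPLE_HOST, SAMPLE_TOKEN, thumb))
    remove_challenge(zone, SAMPLE_HOST, txt)
    print("after clean-up:", ca_validates(zone, SAMPLE_HOST, SAMPLE_TOKEN, thumb))
```

In a real deployment the `zone` dict is replaced by whatever the DNS provider exposes (an official API, or for providers without one, an `nsupdate`/RFC 2136 endpoint or a delegated `_acme-challenge` zone hosted elsewhere); the arithmetic that produces the TXT value does not change. Two points worth checking with any DNS-01 client: that the record is removed again after validation, and that the provider's API credential has no more rights than needed to write TXT records, because whoever can set that record can obtain certificates for the name.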