LiamPowell 3 days ago
> You want private DNS to private IPs

Nothing stops you getting a cert while pointing your DNS records to internal addresses. The DNS-01 challenge exists to serve exactly that kind of configuration.

> lots of ISPs won't even serve your private IPs through their DNS caches

I have never seen this, could you give an example? However, if this is an issue then there's nothing stopping you from just using your public DNS for DNS-01 challenges and using your internal DNS for everything else. It is also impossible for your ISP to do this if you're using DoH or DoT, which you really should be, especially if you already know that your ISP is messing with DNS traffic.

> You want subsigning CAs for your VPN, contractor services, websites, teams, etc.

You can't do this, but you can have your own ACME server that forwards requests to a public CA if you really need to let different teams manage their own certs. A better option is probably to use one of the paid CloudFlare tiers where you can create scoped API keys that provide DNS editing access scoped to a subdomain, or you could of course host your own DNS server or find a different DNS provider that offers this service.
cj 3 days ago
We have a team who uses a ".dev" domain for local development (with a publicly issued SSL cert), with an A record of 127.0.0.1. We had someone new join the team and couldn't get the dev environment working. Turns out his ISP's DNS wouldn't resolve to an internal IP. Simple fix was updating his system DNS away from his ISP. We only saw this happen to one person, so wouldn't say it's common but it happens.
devrand 3 days ago
You could also use the `_acme-challenge` CNAME record to delegate cert acquisition, assuming you're using separate subdomains for each.
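As an added example (not code from any of the commenters), the DNS-01 flow discussed in this thread simulated against a constructed in-memory zone: the name's A record is a private address the CA never consults, and `_acme-challenge` is a CNAME into a separate delegated zone, which is the only place the ACME client needs write access. The domain names, token and JWK thumbprint are constructed sample values.

```python
import base64
import hashlib

# Constructed sample data: the public-resolver view of two zones.
# app.example.com resolves to a private address (irrelevant to DNS-01), and its
# _acme-challenge name is a CNAME into a delegated zone that only the ACME
# client's scoped credentials can edit.
DELEGATED_ZONE = "acme-delegated.example.net."


def make_zones():
    """Fresh copy of the constructed zone data, as {name: [(rrtype, value), ...]}."""
    return {
        "app.example.com.": [("A", "127.0.0.1")],
        "_acme-challenge.app.example.com.": [("CNAME", "app." + DELEGATED_ZONE)],
        "app." + DELEGATED_ZONE: [],  # ACME client publishes the TXT here
    }


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def publish_challenge(zones, record_name, token, jwk_thumbprint):
    """ACME client side: add the TXT record in the delegated zone only."""
    zones.setdefault(record_name, []).append(("TXT", dns01_txt_value(token, jwk_thumbprint)))


def resolve_txt(zones, name, max_hops=8):
    """CA side: follow CNAMEs like a resolver would and return the TXT strings found."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrs = zones.get(name, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [v for t, v in rrs if t == "TXT"]
    raise ValueError("too many CNAME hops")


def validate_dns01(zones, domain, token, jwk_thumbprint):
    """CA side: passes if any TXT at _acme-challenge.<domain> matches the expected digest."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    return dns01_txt_value(token, jwk_thumbprint) in resolve_txt(zones, name)
```

Because validation only follows the CNAME to the delegated zone, the credentials handed to the ACME client can be scoped to that zone alone, and the A record can stay pointed at a private address.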