| ▲ | EvanAnderson 3 hours ago | |
The relative proximity of the words "done right" and "split-horizon DNS" makes my insides hurt a little bit. Use DNS validation to allow these internal services to pull ACME certs. There's so much less headache, long-term. Split-horizon DNS (and the tedious make-work it can create when you start needing to mirror public-accessibly records in the private DNS) has always been something to aspire to move away from in my experience. | ||
| ▲ | stock_toaster 30 minutes ago | parent | next [-] | |
Once dns-persist-01 becomes available/usable[1], it should make dns validation even easier. | ||
| ▲ | bombcar 31 minutes ago | parent | prev | next [-] | |
Just LE a wild card cert and slap it everywhere. | ||
| ▲ | bruce511 25 minutes ago | parent | prev [-] | |
Came here to say the same. I use DNS-Challenge rather than HTTP-challenge, and that makes internal servers trivial. You need a DNS provider which supports API calls (I use DNSimple) but the core is all very straightforward. To prevent having to include DNSimple authentication on the client's internal server I have a small API server on the web which does the Acme work. | ||