Hi all, I'm currently running the following setup:
- registered domain .com
- Cloudflare
  - A record for dynamic homelab IP (updated via pfSense)
  - CNAME Alias entries for each service: ..com
- pfSense
  - domain: .com
  - Let's Encrypt wildcard certificate for *..com via ACME plugin
  - HAProxy for mapping host names to services in my network and serving the LE certificate
  - DNS Resolver host overrides for each ..com entry for split DNS -> resolved to HAProxy
This has worked quite well for a couple of years now.
Clients (mostly me) see a Cloudflare certificate from outside the network (if CF proxy is active) or my own wildcard certificate from inside the network (or if CF proxy is disabled).
I'm currently preparing 3 new (virtualized) router/firewall installations in parallel: pfSense, OPNsense and Sophos.
Before I try to configure the new installations equally, I'd like to simplify my current setup. One small inconvenience is the number of places I have to add a new service to:
- Cloudflare CNAME Alias (optional, only for public availability)
- HAProxy backend (unavoidable)
- HAProxy frontend ACLs
- HAProxy frontend actions
- DNS Resolver host override
I've thought about using a wildcard override in the local DNS resolver in order to route all my service hostnames to HAProxy instead of listing each entry separately.
However, if I did this, all local host names would also be resolved to the same IP address, which is obviously not what I want.
Therefore I thought about changing my local domain to either .home.arpa or .lan.
Then I could resolve all *..com requests to HAProxy without influencing the host name resolution for my local machines.
Now I've tried to read up on *.home.arpa and similar local domain names and came across many people saying that it's not possible to get a Let's Encrypt certificate if you're not using a 'real' domain. Now I'm unsure and I don't feel like I really know what I'm doing anymore.
Is my situation different or does this limitation really apply in my case?
Do you have any comments? Would my setup still work if I changed the local domain to .home.arpa? Is there an alternative way to simplify my setup that you can think of?
Thanks in advance!
TL;DR: can I use ACME to get a wildcard certificate for *..com which will be served by HAProxy, even if my local domain is not .com?
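The split DNS the post is after (every name under the public domain sent to HAProxy, local machines left on their own zone) written out as an Unbound configuration, which is what the pfSense DNS Resolver runs. This is an added illustration, not the poster's config; example.com, home.arpa, the host names and the 10.0.0.x addresses are placeholders.

```conf
# Added example: pfSense "DNS Resolver" is Unbound, so these lines belong in
# its Custom Options box. example.com, home.arpa, the host names and the
# addresses (10.0.0.5 = HAProxy listener) are placeholders for the real values.
server:
    # Local machines get their own zone; nothing here touches the redirect below.
    local-zone: "home.arpa." static
    local-data: "router.home.arpa. A 10.0.0.1"
    local-data: "nas.home.arpa. A 10.0.0.20"
    local-data-ptr: "10.0.0.1 router.home.arpa"
    local-data-ptr: "10.0.0.20 nas.home.arpa"

    # Wildcard for the public domain: a "redirect" zone answers the apex AND
    # every subname with the apex's data, so a new service name reaches HAProxy
    # with no per-host override. HAProxy still picks the backend by Host header.
    local-zone: "example.com." redirect
    local-data: "example.com. A 10.0.0.5"

    # Caveat: redirect swallows every record type under the zone (MX, TXT, ...).
    # A more specific nested zone wins, and "transparent" resolves a name
    # normally when no local data exists for it, so use that for any name whose
    # public records a LAN client must still see. Shown for the DNS-01 challenge
    # name: it only matters if something on the LAN (e.g. an ACME client's own
    # pre-check) looks the TXT record up through this resolver. Let's Encrypt
    # validates against public DNS, so the wildcard issuance itself does not
    # depend on what the LAN resolver answers or on the local domain in use.
    local-zone: "_acme-challenge.example.com." transparent
```

With this in place the host overrides per service can be dropped; the Cloudflare record and the HAProxy backend/frontend entries remain the only places a new service has to be added.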