• BrianTheeBiscuiteer@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    Is this only for public facing services then? I have little desire to expose my services except through tailscale or something like that.

    • double_oh_walter@feddit.nu
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      9 months ago

      No! If you have a domain and can do DNS* verification you can get fully functional certificates to use on your internal network.

      *Doesn’t have to be DNS, but then you’d need to expose http to the internet for verification.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      The alternative is to offer the Let’s Encrypt bot access to your DNS service, typically in the form of an API token which you revoke after the bot verifies the domain. Access to the API is not needed for subsequent cert refreshes, only the first time.

      The bot (or the proxy you use) needs to support the API of the DNS you use, naturally, but they support a wide variety of the most well-known ones.

    • vividspecter@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 months ago

      Just to add to the other comments, you probably want to use a wildcard cert so you don’t need to individually certify each subdomain (or expose them at all).