Homelab

371 readers

9 users here now

Rules

Be Civil.
Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
No memes or potato images.
We love detailed homelab builds, especially network diagrams!
Report any posts that you feel should be brought to our attention.
Please no shitposting or blogspam.
No Referral Linking.
Keep piracy discussion off of this community

founded 11 months ago

MODERATORS

[email protected]

Let's Encrypt: public domain [-> CF proxy] -> pfSense -> HAProxy -> local domain (alien.top)

submitted 10 months ago by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

Hi all, I'm currently running the following setup:

registered domain .com
Cloudflare
- A record for dynamic homelab IP (updated via pfSense)
- CNAME Alias entries for each service: ..com
pfSense
- domain: .com
- Let's Encrypt wildcard certificate for *..com via ACME plugin
- HAProxy for mapping host names to services in my network and serving the LE certificate
- DNS Resolver host overrides for each ..com entry for split DNS -> resolved to HAProxy

This has worked quite well for a couple of years now.
Clients (mostly me) see a Cloudflare certificate from outside the network (if CF proxy is active) or my own wildcard certificate from inside the network (or if CF proxy is disabled).

I'm currently preparing 3 new (virtualized) router/firewall installations in parallel: pfSense, OPNsense and Sophos.
Before I try to configure the new installations equally, I'd like to simplify my current setup. One small inconvenience is the number of places I have to add a new service to:

Cloudflare CNAME Alias (optional, only for public availability)
HAProxy backend (unavoidable)
HAProxy frontend ACLs
HAProxy frontend actions
DNS Resolver host override

I've thought about using a wildcard override in the local DNS resolver in order to route all my service hostnames to HAProxy instead of listing each entry separately.
However, if I did this, all local host names would also be resolved to the same IP address, which is obviously not what I want.

Therefore I thought about changing my local domain to either .home.arpa or .lan.
Then I could resolve all *..com requests to HAProxy without influencing the host name resolution for my local machines.

Now I've tried to read up on *.home.arpa and similar local domain names and came across many people saying that it's not possible to get a Let's Encrypt certificate if you're not using a 'real' domain. Now I'm unsure and I don't feel like I really know what I'm doing anymore.
Is my situation different or does this limitation really apply in my case?
Do you have any comments? Would my setup still work if I changed the local domain to .home.arpa? Is there an alternative way to simplify my setup that you can think of?

Thanks in advance!

TL/DR: can I use ACME to get a wildcard certificate for *..com which will be served by HAProxy, even if my local domain is not .com?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 10 months ago (3 children)

You need to provide proof of ownership of a domain in order for letsencrypt to issue the cert which is done via either an HTTP challenge where the domain in question resolves to a real HTTP server that has the challenge data available on it, or a DNS challenge where letsencrypt can see a TXT challenge record put there for the job.

[–] [email protected] 1 points 10 months ago (2 children)

I assume that I'm currently using the DNS challenge approach. The ACME plugin takes care of this by using my account information and API keys.

[–] [email protected] 1 points 10 months ago

[ Removed by Reddit ]

[–] [email protected] 1 points 10 months ago

The challenges are part of the ACME protocol for issuing DV certificates. DV certs are for validating control of a given domain. If you successfully get a .arpa cert that's trusted by everyone, particularly a wildcard cert, you could perform MITM attacks on untold numbers of networks. It's not likely to happen.

You'll probably.need to make your own CA cert, trust it on devices, and issue certificates from it (or a sub CA cert, which you'd then have to bundle with others). If you only do this with a handful of haproxy nodes, the server cert config shouldn't be too hard, but the trust store gets stupid to manage quickly. A lot of software requires its own config for this to work.

The way I handled this issue myself is to make an "internal" subdomain, e.g. "internal.domain.tld", you can then split names between your root zone and a sub zone; this allows issuance of letsencrypt or other dns01 acme issuers to work via DNS challenges. Also useful if you don't want to or cannot do split horizon DNS resolution - you can still make public facing DNS records with private IPs. The biggest risk here is that internal-only services' names can be exposed via certificate transparency logs (CT logs). If you use LE for both internal and external names, you also increase names per domain usage which could have an impact on quotas/API limits.

Good luck with whatever you choose