I wonder if it is (already) possible to get a TLS cert from letsencrypt for a private network not accessible to the public by having a caddy in a DMZ act as an “acme forward proxy” (using GitHub - caddyserver/forwardproxy: Forward proxy plugin for the Caddy web server?) for the caddies in the LAN.
The public DNS would resolve to the DMZ caddy by a wildcard record. The LAN network would use split DNS and resolve the LAN caddies as local network IPs (RFC 1918).
Of course it would be necessary to restrict the proxy for the network/caddies.
I will try to create such a setup but I would be interested if you see already any issues, which would not allow me to get it working with the current state of caddy and forward proxy.
I would use the DNS challenge so that you do not need to worry about an ACME server trying to reach your server:
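As an added illustration of this answer (not a config posted in the thread), here is a Caddyfile for one of the LAN caddies that obtains a wildcard certificate through the DNS-01 challenge, so nothing on the LAN has to be reachable by the ACME server and the DMZ forward proxy is not needed for issuance. It assumes Caddy was built with the Cloudflare DNS module, that the zone is `internal.example.com`, and that `CF_API_TOKEN` holds a token limited to editing that zone's DNS records; the backend address is constructed.

```caddyfile
# Added example, not from the original thread.
# Assumes: caddy built with github.com/caddy-dns/cloudflare,
# CF_API_TOKEN in the environment, scoped to DNS edits for the one zone.
{
	# ACME account contact (assumed value)
	email admin@example.com
}

# Public DNS: a wildcard record for *.internal.example.com points at the
# DMZ host. Split DNS inside the LAN resolves the same names to this
# server's RFC 1918 address, which Let's Encrypt never needs to reach.
*.internal.example.com {
	tls {
		# DNS-01: Caddy creates the _acme-challenge TXT record via the API
		# and removes it after validation; no inbound port 80/443 required.
		dns cloudflare {env.CF_API_TOKEN}
	}

	# Only serve names this LAN caddy is responsible for.
	@app host app.internal.example.com
	handle @app {
		# constructed backend address
		reverse_proxy 10.0.0.20:8080
	}

	# Any other host under the wildcard gets no response from this server.
	handle {
		abort
	}
}
```

Each LAN caddy can use the same pattern with its own named matchers; sharing the certificate storage between them, as the next reply suggests, avoids every instance requesting its own wildcard certificate.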
Another option is to share storage (e.g. via NFS) between the three and then the public facing one can solve challenges initiated by the other two automatically.