DNS domains for internal only with public ACME

1. The problem I’m having:

Dear all,

I would like to move some of my domains to be only accessible through our corporate VPN network.

Though, I still want to receive public certificates for these domains. So for example “private.company.com” should be only accessible when connected to VPN, but it should have a public certificate and no need to install any CA.

Is this somehow easily accessible with Caddy? Can someone point me, how I can do this in the most efficient way?

Thank you!

3. Caddy version:


4. How I installed and ran Caddy:

Installed via Docker

a. System environment:


You can use the DNS challenge. It simply sets a DNS record then deletes it, no need to reach your server from the outside.

(Note that you’ll still need to make sure you configure your network / firewall to properly restrict access in the way you’re describing.)

1 Like

Thank you for your fast answer. acme_dns is already configured.

I know this is somewhat out of the scope of Caddy, but how it is usually restricted from outside? Firewall or by any other means of blocking?

Or is it allowed usually (by Cloudflare in my case) to set A record to a private IP address?

Yes, I somehow forgot this, but with DNS challenge, there is no need for the domain to point at the actual (external) IP. Thank you for your help!


Yeah. Any way of disrupting the route. So like in a home network, if you plug your computer directly into your WAN, your computer will be directly exposed to the Internet. But if you put a router in front, it also acts as a firewall, because it does NAT: your router creates a new internal network that all your devices become part of, instead of part of the Internet. So your computer gets an internal-only IP. Typically you have to enable the port forwarding or some sort of routing from the outside then.

Similar concepts in production infrastructure.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.