More Information On The dns_challenge_override_domain option

1. The problem I’m having:

I would like to set up a reverse proxy that handles TLS for a number of services running in containers. Both the proxy and the services are internal to our network, not on the public internet.

I have ‘split DNS’ - the Windows domain handles DNS requests internally.

I’d like the certs to be valid to non-domain joined devices, i.e. a phone that happens to be on the LAN.

My external DNS provider only does changes by manual request - there’s no automated system.

The number of certs required is less than 20, and wouldn’t change often.

As far as I can tell, I have two choices with those limiting conditions:

A - set up a Caddy server that is on a public IP, have it get certs, then set up some sort of synchronization of the cert folder between that external server and an internal one

B - set up CNAMEs for the internal services, on the external DNS, pointing to say a duckdns entry and then use this dns_challenge_override_domain option

Option B seems like a more accepted solution, but I can’t piece all the details together.

2. My actual questions

Can someone provide me with some documentation or a tutorial or something that spells out the override procedure in detail? I’ve seen a few bits and pieces, but haven’t been able to put together enough of the puzzle to get to the actual testing stage.

Maybe this is actually a Let's Encrypt or ACME question? If so, where should I go? (leaving myself wide open here 🙂)

Caddy can handle any TLS configuration you'd need. I believe you'd be using the dns_challenge_override_domain subdirective of the tls directive.

If you can use the template and list your current or speculated Caddyfile and method of installation, we can help more.
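The following Caddyfile is an added worked example of option B as described above; it is not from the original thread or from the Caddy project. It assumes a public domain example.com whose external DNS is managed by hand, an internal split-DNS zone for the same name, a DuckDNS subdomain myproxy.duckdns.org owned by you, a Caddy binary built with the DuckDNS plugin (xcaddy build --with github.com/caddy-dns/duckdns), and the DuckDNS token in the environment variable DUCKDNS_API_TOKEN. The hostnames, backend addresses and resolver list are placeholders.

```caddyfile
# Added example (not the forum's or Caddy's own config).
#
# One-time manual change request to the external DNS provider, one record per
# internal service. The ACME server follows this CNAME when it looks up the
# challenge TXT record, so the target must be exactly the domain given to
# dns_challenge_override_domain below (assumption: Caddy places the TXT record
# at that name, not at _acme-challenge.<override>).
#
#   _acme-challenge.svc1.example.com.   CNAME   myproxy.duckdns.org.
#   _acme-challenge.svc2.example.com.   CNAME   myproxy.duckdns.org.
#
# Nothing about svc1/svc2 themselves needs to be in public DNS; the internal
# Windows DNS keeps answering those names with private addresses.

(delegated_dns) {
	tls {
		# Caddy updates the TXT record on the DuckDNS subdomain via its API ...
		dns duckdns {env.DUCKDNS_API_TOKEN}
		# ... because the challenge for every site below is delegated there.
		dns_challenge_override_domain myproxy.duckdns.org
		# Split DNS: make Caddy's propagation check query public resolvers
		# rather than the internal domain controllers (placeholder addresses).
		resolvers 1.1.1.1 8.8.8.8
	}
}

svc1.example.com {
	import delegated_dns
	reverse_proxy 10.0.0.11:8080
}

svc2.example.com {
	import delegated_dns
	reverse_proxy 10.0.0.12:3000
}
```

Before pointing Caddy at production Let's Encrypt, confirm the delegation from outside the LAN with `dig +short _acme-challenge.svc1.example.com CNAME`, which should print the DuckDNS name, and run the first issuance against the staging endpoint (`acme_ca https://acme-staging-v02.api.letsencrypt.org/directory` inside the same tls block) so a misconfigured CNAME does not burn production rate limits. One caveat worth checking for your setup: DuckDNS keeps a single TXT value per subdomain, so several sites sharing one delegate name must be validated one after another rather than concurrently; with fewer than 20 certs that are rarely renewed at the same moment this is usually fine, but it is the first thing to look at if a renewal reports an unexpected TXT value.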
