Hello,
Until now I use a certificate for each service which has a CNAME record.
I registered mydomain.tld and my services have a CNAME record: service1.mydomain.tld CNAME mydomain.tld.
So I have as many certificates as I have services. Some are publicly accessible, some are not. I use Caddy, and private services are restricted in Caddy to LAN IPs.
I want to simplify that with a wildcard certificate.
But I certainly need to modify parts of my setup, as:
- I use mydomain.tld as my domain in OPNsense (DNS and DHCP are configured as per the recommendations: Unbound on port 53 and dnsmasq on 53053). I have query forwarding for mydomain.tld to dnsmasq.
- I have two other services which I set up recently which are hosted elsewhere: external_service1 A another_public_ip1
For those 2 services I have query forwarding from Unbound to 1.1.1.1.
- I have a host override for externally accessible services: caddy.mydomain.tld -> lan_ip_of_opnsense and an alias for each service.
So I need advice on:
- what domain should I use on OPNsense? lan.mydomain.tld or keep mydomain.tld
- should I use one domain per VLAN? lan.mydomain.tld, iot.mydomain.tld, ...
- should I change the domain of external services (also used as endpoints for WireGuard or OpenVPN tunnels)?
- what domain should I use for publicly facing services?
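The Caddy side of the setup described in the post, as an added example (not the poster's own configuration): one wildcard site block that keeps the existing split between public services and LAN-only services, and refuses any name under the wildcard that is not explicitly routed. Assumptions: the `tls dns` provider module is a placeholder (Caddy needs a DNS provider plugin for the ACME DNS-01 challenge that wildcard certificates require), and the LAN range and backend addresses are constructed values.

```caddyfile
# Added example, not from the original post. Wildcard cert for *.mydomain.tld
# issued via ACME DNS-01, with host-based routing to each backend.
*.mydomain.tld {
	tls {
		# <provider> is a placeholder for whatever DNS provider module your
		# Caddy build includes; the token is read from the environment.
		dns <provider> {env.DNS_API_TOKEN}
	}

	# Publicly reachable service: any client may connect.
	@public host service1.mydomain.tld
	handle @public {
		reverse_proxy 10.0.0.11:8080    # constructed backend address
	}

	# Private service: both conditions must match (hostname AND LAN source IP).
	# remote_ip is evaluated on the TCP peer address, so this only holds when
	# Caddy sees real client addresses (no untrusted proxy in front of it).
	@private_lan {
		host service2.mydomain.tld
		remote_ip 192.168.1.0/24        # constructed LAN range
	}
	handle @private_lan {
		reverse_proxy 10.0.0.12:8080    # constructed backend address
	}

	# Same private hostname from any other source: refuse explicitly.
	@private_other host service2.mydomain.tld
	handle @private_other {
		respond 403
	}

	# A wildcard cert answers for every name under mydomain.tld, so any
	# hostname not routed above must fall through to a refusal, not a proxy.
	handle {
		respond 404
	}
}
```

Because the certificate no longer names individual services, the per-service DNS entries (CNAME or host override) only need to resolve to Caddy; the routing and the LAN restriction now live entirely in the matchers above, which is where to check when a private name unexpectedly answers from outside.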