Help appreciated -- Totally stuck with LetsEncrypt and HA Proxy

Started by mzurhorst, August 29, 2022, 05:54:29 PM

Hi all,

I have been trying for weeks to get LetsEncrypt working for my home network and a machine accessible behind my firewall. I am totally lost now and getting frustrated after following dozens of tutorials.

I would really appreciate it if somebody could give me a hint and toss me in the right direction.

What I have:
1) OPNsense connects to my carrier with a dynamic IPv4
2) Set up a DuckDNS account; this gets updated every night
3) I have a domain and created a subdomain (baerl.die-zurhorsts.de) with a CNAME record pointing to DuckDNS. This works as well

Now to the mess internally:
1)  I am unsure about the correct naming of my (virtual) machines in my home network.
     I tried it with fake domains as well as correct FQDNs:

2)  I started with the fake domain (zurhorst.baerl), transitioned to the subdomain (baerl.die-zurhorsts.de) and changed back to the zurhorst.baerl thing.

3)  At least HA Proxy is working on port 80. And there is also a certificate created, but this is not used. (https://testweb.baerl.die-zurhorsts.de/ is pointing to the same web server.) How the hell does the LE certificate get onto the web server??? -- Is this a manual step, or is this automated behind the scenes?


What is my goal:

  • Simply spoken, I would like to have all communication between my servers secured with LE certificates.
    But it starts with the appropriate naming "strategy", which then impacts the LE challenge types, etc.
  • And if possible, I would actually prefer my "fake domain" naming for the local domain (zurhorst.baerl), since this is shorter. All external stuff shall be routed through HA Proxy.
  • Finally, it would be great if my OPNsense could stay on its default port internally (https://opnsense.zurhorst.baerl:443), without being accessible from the Internet


I have the feeling that every single tutorial is lacking a tiny piece of information. ::)
Hints are really welcome!

Thank you in advance,
  Marcus
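A check that helps with the "certificate created, but not used" symptom in the post is to look at which names the served certificate actually covers, because a certificate issued for baerl.die-zurhorsts.de does not cover testweb.baerl.die-zurhorsts.de unless that name (or a wildcard *.baerl.die-zurhorsts.de) is in the certificate's Subject Alternative Names. The script below is an added example and not part of the original post or of OPNsense/HAProxy; the SAN list it tests against is constructed here, and `served_names()` does a live TLS connection with Python's default verification so it reports the same mismatch a browser would.

```python
"""Check which hostnames a certificate's Subject Alternative Names cover.

Added example (not from the forum post). hostname_matches() follows the
single-label wildcard rule of RFC 6125: "*.example.org" matches
"www.example.org" but neither "example.org" nor "a.b.example.org".
"""
import socket
import ssl


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the root.
    return name.strip().rstrip(".").lower()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN entry `pattern` covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: exactly one label replaces the "*", so the candidate must
    # have one label more than the pattern and share the pattern's suffix.
    suffix = pattern[1:]  # ".baerl.die-zurhorsts.de"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def names_covered(san_names, hostnames) -> dict:
    """Map each hostname to the SAN entry that covers it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next(
            (san for san in san_names if hostname_matches(san, host)), None
        )
    return result


def served_names(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to host:port and return the DNS SANs of the served certificate.

    Uses the default context, so an untrusted chain or a name mismatch raises
    ssl.SSLCertVerificationError; the message is returned instead of names.
    Network access required; not exercised by the offline test.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"ok": True, "names": sans}


if __name__ == "__main__":
    # Constructed SAN list standing in for a certificate issued only for the
    # DuckDNS-backed subdomain; the host names come from the post.
    constructed_sans = ["baerl.die-zurhorsts.de"]
    wanted = ["baerl.die-zurhorsts.de", "testweb.baerl.die-zurhorsts.de"]
    for name, by in names_covered(constructed_sans, wanted).items():
        print(f"{name}: {'covered by ' + by if by else 'NOT covered'}")
```

Run against a live host with `served_names("testweb.baerl.die-zurhorsts.de")`; if the result is `ok: False` with a "hostname mismatch" reason, HAProxy is serving a certificate that does not list that name, which is a frontend/SNI binding question rather than a certificate issuance one.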