[SOLVED] LE: multiple domains with different WAN IPs, individual certificates

Started by browne, February 25, 2021, 10:42:40 AM

Hello,

I have set up my OPNsense as a reverse proxy using HAProxy and Let's Encrypt.

Right now I only have one certificate for my domain1.browne.com that has WAN1_IP.
However I need another certificate for my domain2.browne.com that has WAN2_IP.

My setup looks like this:
WAN1_IP (10.1.1.1) --> domain1.browne.com --> already uses a LE certificate (certificate1)
WAN2_IP (10.1.1.2) --> domain2.browne.com --> doesn't use LE certificate, but needs one (certificate2)

I know how to create the 2nd WAN interface and all that...
But how do I tell the ACME client to use WAN1 to generate certificate1 and use WAN2 for certificate2?

When I try to get certificate2, the ACME client on OPNsense always uses the default gateway, which in my case is WAN1 (10.1.1.1). The certificate generation then fails because certificate2 is resolving domain2 (10.1.1.2) during the ACME challenge. So the IP (WAN1) requesting the certificate (certificate2) does not match the IP of the domain (domain2) listed inside the certificate.

Not really sure what you are asking. LE issues certificates for domains, not IPs. Presumably you can have certs issued for whatever domains you want nginx to listen on, and have DNS records for each domain that point to the WAN IP that you want to reach that domain on? Maybe I have just misunderstood what you are after.

I know that LE issues certificates for domains not IPs.

I updated the first post.

Ah, just saw your revisions. So have edited my post too!

Maybe switch to DNS challenge to get around this issue?

Services --> Let's Encrypt --> Challenge Type

Make a new HTTP challenge using the 2nd WAN.

Quote from: smyers119 on February 25, 2021, 03:18:31 PM
Services --> Let's Encrypt --> Challenge Type

Make a new HTTP challenge using the 2nd WAN.
In the meantime, someone in the German forum already told me to do so.
But thank you still!

This works perfectly fine.