OPNsense Forum » English Forums » Web Proxy Filtering and Caching (Moderator: fabian) » What's the optimal way to achieve HTTPS for internal services?
Topic: What's the optimal way to achieve HTTPS for internal services? (Read 2063 times)
halpdesk (Newbie, Posts: 3, Karma: 1)
What's the optimal way to achieve HTTPS for internal services?
« on: October 14, 2022, 10:18:40 pm »
I have an Nginx reverse proxy configured to provide access to several services that I need outside my LAN and use IP:port references for internal services (accessed through Wireguard if I'm away from my network).
Is there any easy way to assign domain names with valid HTTPS certs for the services that I'd like to remain internal only?
I'm new to OPNsense and Unbound, so I'm a little lost as to where to even start.
Most of my services are installed via Docker on two different servers, so it would be preferable to be able to point OPNsense/Unbound to an Nginx/Caddy reverse proxy installed on one of the two servers (depending on which subdomain is being requested) to prevent the need of having to expose ports on my network.
Open to any other thoughts, though!
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: What's the optimal way to achieve HTTPS for internal services?
« Reply #1 on: October 15, 2022, 05:54:51 am »
My approach: I have a domain mydomain.com. I use a subdomain local.mydomain.com for local use only. I use acme.sh in a LXD container (alongside nginx) on my server to generate Let's Encrypt wildcard certs for *.local.mydomain.com, using DNS challenge. Then my nginx conf has server blocks for each internal service - server1.local.mydomain.com, server2.local.mydomain.com. My local DNS server has local IPv4 and IPv6 records for each.
End result is valid https certs on all local subdomains without any need for ports to be opened externally.
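The setup Greelan describes, rendered as an added example that is not part of the forum thread: a POSIX shell script that emits one nginx server block per internal host under the wildcard cert, emits the matching Unbound records (the `unbound.conf` form of an OPNsense host override), and checks which names a `*.local.mydomain.com` cert actually covers. The zone name comes from the post; the certificate paths, the `dns_cf` hook, the IP addresses and the service list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread: render the pieces Greelan describes
# (one nginx server block per internal host, plus the local DNS records) from a
# service list, and check which names a wildcard cert actually covers.
# Assumed: zone local.mydomain.com (from the post); cert paths, IPs and the
# service list below are constructed placeholders.

ZONE="local.mydomain.com"
CERT_DIR="/etc/nginx/certs/${ZONE}"   # assumed target of acme.sh --install-cert

# Certificate issuance (run once on the nginx host; DNS-01 through the DNS
# provider's API, the Cloudflare hook dns_cf is used here as an assumption):
#   acme.sh --issue --dns dns_cf -d "$ZONE" -d "*.$ZONE"
#   acme.sh --install-cert -d "$ZONE" \
#       --key-file "$CERT_DIR/key.pem" --fullchain-file "$CERT_DIR/fullchain.cer" \
#       --reloadcmd "nginx -s reload"
# The apex is added as a second SAN because "*.zone" does not match "zone".

# wildcard_covers NAME ZONE: true when a cert for *.ZONE covers NAME.
# Per RFC 6125 a wildcard matches exactly one DNS label, so
# server1.local.mydomain.com is covered, a.server1.local.mydomain.com is not.
wildcard_covers() {
  name="$1"; zone="$2"
  case "$name" in
    *."$zone")
      label="${name%.$zone}"
      case "$label" in
        ""|*.*) return 1 ;;   # empty or multi-label prefix: not covered
        *)      return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# nginx_server_block HOST UPSTREAM: TLS-terminating server block for HOST.ZONE
# that proxies to the internal IP:port the original question mentions.
nginx_server_block() {
  host="$1"; upstream="$2"
  fqdn="${host}.${ZONE}"
  cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${fqdn};

    ssl_certificate     ${CERT_DIR}/fullchain.cer;
    ssl_certificate_key ${CERT_DIR}/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         ${upstream};
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# unbound_local_data HOST IPV4 [IPV6]: unbound.conf form of an OPNsense Unbound
# host override. The name points at the reverse proxy, not at the Docker host,
# so every client connection terminates TLS on nginx.
unbound_local_data() {
  host="$1"; ip4="$2"; ip6="${3:-}"
  fqdn="${host}.${ZONE}"
  printf 'local-data: "%s. IN A %s"\n' "$fqdn" "$ip4"
  if [ -n "$ip6" ]; then
    printf 'local-data: "%s. IN AAAA %s"\n' "$fqdn" "$ip6"
  fi
}

# Constructed service list: host label and the internal upstream it proxies to.
SERVICES="server1 http://192.168.1.10:8080
server2 http://192.168.1.11:9000"
PROXY_IP4="192.168.1.10"   # constructed: address of the host running nginx

render_all() {
  echo "$SERVICES" | while read -r name upstream; do
    nginx_server_block "$name" "$upstream"
    unbound_local_data "$name" "$PROXY_IP4"
  done
}

render_all
```

Run it to print the generated nginx and Unbound snippets; in OPNsense the `local-data` lines correspond to entries under Services > Unbound DNS > Overrides. The `wildcard_covers` check is the caveat worth keeping in mind: a second level such as `app.server1.local.mydomain.com` needs its own certificate or its own wildcard.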
adn77 (Newbie, Posts: 23, Karma: 2)
Re: What's the optimal way to achieve HTTPS for internal services?
« Reply #2 on: October 16, 2022, 10:27:55 am »
If for some reason you can't use dns-01 with LetsEncrypt, you can still make OPNsense procure the certificates (ACME plugin). The certs can then be copied to your internal services using auto-deployment rules in the plugin.