ACME Service: how do I solve this ACME Service/Split-DNS conundrum?

[gctwnl]

I've added an acme-dns service on my LAN to support Letsencrypt certification. The router needs to use this too to write the secret received from LE there via the API (runs on port 943 on an internal server)

When I try to connect to the API to deliver the secret (in the challenge type), OPNsense (the router) resolves the name with the external DNS, so gets the external IP. But from outside, this API port is blocked for security reasons.

If I give OPNsense the internal IP address in the challenge type it fails too, because the service has a certificate that covers the name, but not the— internal — IP address

How do I make either of the following true:

• Make ACME service use an internal DNS to resolve the server's name to get to the API
• Make ACME ignore the wrong certificate
• Open up the port on the outside Allow only the router to use it?

Thanks.

[Monviech (Cedrik)]

Which challenge type do you use?

[gctwnl]

My OPNsense router doesn't use the inside DNS so it isn't dependent on it. This means it always goes outside for resolving. What I did for now is add a private IP A entry in my public DNS. That way, I can explicitly tell the router to go to the inside machine for the /update API. This works.

I have another issue, I'll create a separate post for that.