HTTPS for non-public hosts via DNS challenge on local nameserver - complete HTTPS and DNS experience


shalak (New Member), Feb 7, 2021
I'm looking for a solution for complete HTTPS and DNS experience in my home network. AFAIK all tools are there, but I'm looking for the most user-friendly and maintenance-free solution. I have most of the pieces of this puzzle, but I'm missing some.
First, let me lay some assumptions, so it's easier to comprehend what I mean:
  • home network has mikrotik router on 10.0.0.1 and has an external, public, static IP address of A.B.C.D
  • there is an OpenMediaVault (OMV) server running portainer with nginx reverse-proxy (Nginx Proxy Manager) - it's on 10.0.0.2
  • there are several other hosts in the network - NAS, printer, nanny-cam, etc - all exposing web UI via HTTPS, e.g. printer on 10.0.0.3
  • I own mydomain.com administered by my hosting provider (www, email, etc)
  • OMV runs DNS server that is capable of fulfilling the Let's Encrypt DNS challenge, let's call it MYDNS. Extra points if it has DoH (DNS-over-HTTPS)
  • router forwards ports 80, 53 and 443 to the OMV host
  • nameserver of mydomain does not have certbot-compatible capabilities to fulfill the DNS challenge
What I want to achieve is:
  • possibility to connect via HTTPS to selected hosts via FQDN from LAN and internet: hosts can be both on OMV or just regular machines (e.g. nginx.home.mydomain.com on OMV and printer.home.mydomain.com connected to my network)
  • in both cases I have a valid HTTPS certificate
  • from LAN I want to not have my traffic proxied via nginx (except for services that are on the OMV host)
  • from LAN I want to be able to ping hosts using their FQDN as well (i.e. MYDNS is the default DNS for my LAN devices)
So, basically:
  • when I enter printer.home.mydomain.com from the internet, the connection will be made to my public IP, the router will forward the connection to the nginx reverse-proxy, which will proxy the traffic to the printer - over here I see the valid certificate that's installed on nginx
  • when I enter printer.home.mydomain.com from LAN, the connection is made directly to it - over here I see the valid certificate that's installed on the printer
To the best of my knowledge the above is possible to achieve; however, if I'm missing something, please tell me.
Now the missing parts:
  1. My hosting provider does not expose a certbot-compatible DNS API, but I can set a CNAME delegation for the _acme-challenge record to A.B.C.D, that way Let's Encrypt will talk to MYDNS (via port 53 forwarded from A.B.C.D), which will fulfill the DNS challenge and set proper TXT entries. So I'm looking for a dockerized nameserver for this MYDNS - something that is certbot-compatible, so Nginx Proxy Manager can handle all the magic by itself. That covers all services that are running on OMV. But also - this nameserver will be broadcast via DHCP from the router to all LAN devices, and on it I would like to set that printer.home.mydomain.com is 10.0.0.3, and *.home.mydomain.com is 10.0.0.2
  2. Some dockerized service that will check if nginx pulled a fresh certificate for non-OMV hosts and upload certificates to them. It will use several ways to achieve that - for the printer it would be a curl call, as described here
I'm looking for the friendliest solution possible - best would be for MYDNS to get its configuration by parsing the nginx configuration, so when I add a proxy host, it will also add a DNS entry on MYDNS.
Best would be for both services to come from a public docker image that's maintained by the community. Has anyone here faced the same issue and has some tips on which nameserver I should use? And is there a service that watches a file for changes and executes highly-scriptable actions?
 
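Before pointing a certbot DNS plugin at MYDNS, it helps to see what the CA's DNS-01 validator actually checks: it chases the CNAME from `_acme-challenge.<host>` and looks for a TXT record equal to base64url(SHA-256(token "." account-key-thumbprint)). The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes the provider's CNAME points at a name under a hypothetical `acme.home.mydomain.com` subzone whose NS is MYDNS at A.B.C.D, and the zone data, JWK and token are constructed.

```python
"""Check what a DNS-01 validator will see for a delegated _acme-challenge name (added example)."""
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
REQUIRED_JWK_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of the required members."""
    members = {k: jwk[k] for k in REQUIRED_JWK_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_txt(token: str, account_jwk: dict) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint)), RFC 8555 s8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> list:
    """Chase CNAMEs like a validator does; return the TXT set at the end, or [] on a loop.

    zone maps an FQDN (trailing dot) to {"CNAME": target} or {"TXT": [values]}.
    """
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"].lower().rstrip(".") + "."
            continue
        return list(rrset.get("TXT", []))
    return []  # CNAME loop or chain too long: the CA would fail the challenge


def dns01_would_pass(zone: dict, fqdn: str, token: str, account_jwk: dict) -> bool:
    """True if a TXT reachable from _acme-challenge.<fqdn> carries the expected value."""
    return expected_txt(token, account_jwk) in lookup_txt(zone, f"_acme-challenge.{fqdn}")


# Constructed sample data: not a real key, not a real token, hypothetical delegated subzone.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "example-modulus-not-a-real-key"}
SAMPLE_TOKEN = "sample-acme-token-not-real"
SAMPLE_ZONE = {
    # hosting provider's mydomain.com zone: only the CNAME, no API needed
    "_acme-challenge.printer.home.mydomain.com.": {"CNAME": "_acme-challenge.printer.acme.home.mydomain.com."},
    # served by MYDNS behind A.B.C.D, written by the certbot DNS plugin at challenge time
    "_acme-challenge.printer.acme.home.mydomain.com.": {"TXT": [expected_txt(SAMPLE_TOKEN, SAMPLE_JWK)]},
}

if __name__ == "__main__":
    print(dns01_would_pass(SAMPLE_ZONE, "printer.home.mydomain.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Against a live setup, replace SAMPLE_ZONE with answers from a public resolver so the check sees the same CNAME chain Let's Encrypt will follow from outside the LAN.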

dandanio (Active Member), Oct 10, 2017
I am sorry but I do not know of any. I gave you the technology to use, but I do not know of any solutions that would utilize this.
 

mwarps (New Member), Oct 29, 2019
This is split horizon DNS. You'll want to google how this works and how to implement it. Assuming your SSL is all configured properly already, the last thing is the split horizon, which is always the case.