DNS & SSL Certificates + subnets
Hi there,
I have a question that I think is mainly about DNS.
[I'll say up front, I'm never sure what information is most useful to start with, but I'll do my best.]

I want to be able to address/navigate subnets using SSL with a valid cert, e.g. LAN1.mydomain.tld, LAN2.mydomain.tld.
(I'd prefer to avoid debating whether I really need subnets or am better off with VLANs.)

I think I need to define subdomains in the cert SAN entries, but I suspect there is a better way to handle it - maybe by getting "internal" DNS to work.

I have used an externally hosted domain and Let's Encrypt (LE) to create a signed cert. The external domain has no IP address in the public records, but has multiple CNAME records (with GoDaddy).

I have followed many tutorials to set up the SSL cert and domain, and everything seems to work except the entire point of the exercise -> LAN access using URL/SSL. Aaagh.

i.e. The ACME/LE process says success, and I have set the certificate in System | Advanced with WebGUI redirect off and can connect with IP + non-standard port + insecure warning, but can't access with mydomain.tld.

System logs show the domain being blocked out to GoDaddy, but I don't know where it is getting that external pointer from. Apart from the obvious - it is a FQDN and there is no internal DNS to catch it first.

Tried using the DNS Resolver to not look externally but couldn't get success. (Bumbling around late at night by that stage.)

Assumptions:
a) Self-signing doesn't get rid of browser warnings as it isn't a recognised CA
b) Therefore I need to use a FQDN that can have trusted ownership validated by LE
c) If I want each subnet to be able to securely access, I need sub.mydomain.tld

In System | General I changed hostname and domain to "pfsense" and "mydomain.tld" but to no avail (pfsense is also one of the CNAME records).

I can't get LE to validate and sign when I specify multiple SANs, despite there being a CNAME record for each sub (the GoDaddy API doesn't seem to reply with subdomains).
My questions are:
- Do I need to create separate certificates for each subnet, e.g. LAN1.mydomain.tld, LAN2.mydomain.tld?
OR
- Can I get a single cert with multiple SAN entries?
- If so, how do I get LE to recognise the subs? Would that be a TXT record, as it doesn't seem to like multiple CNAMEs?
OR
- Can I get a single cert for mydomain.tld and then adjunct subdomains through internal services and assign each subnet a different subnet, yet still have secure SSL?
- Do I even need to use a FQDN to remove all SSL browser warnings?
I am sure this vague and high-level question needs more info, but as stated up front, I'm trying to provide a starting point.
Thanks in advance -
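An added illustration of the SAN question in the post above (example code added here; it is not from the original post, nor from pfSense or Let's Encrypt). It implements the dNSName matching rule that browsers apply to a certificate's Subject Alternative Name entries, and runs it over two constructed SAN lists: one certificate with an explicit entry per host, and one with a wildcard entry. The point it shows is which names each option covers: a wildcard is the whole left-most label and matches exactly one label, so *.mydomain.tld covers LAN1.mydomain.tld (and a lan3 added later) but neither mydomain.tld itself nor host.lan1.mydomain.tld, and no dNSName entry ever matches a bare IP address. The SAN lists and hostnames are constructed for this example; mydomain.tld is the poster's placeholder domain.

```python
"""Which hostnames does a certificate's SAN list cover?

Added illustration for the question above; not code from the original post
or from pfSense / Let's Encrypt. Implements the dNSName matching rule that
browsers apply (RFC 6125 section 6.4.3 as commonly enforced): case-insensitive
exact match, or a wildcard that is the entire left-most label and matches
exactly one label. The SAN lists and hostnames are constructed for this
example; "mydomain.tld" is the poster's placeholder domain.
"""
from typing import Dict, List


def san_matches(san: str, hostname: str) -> bool:
    """True if the dNSName SAN entry `san` covers `hostname`."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in san_labels or "" in host_labels:
        return False                       # malformed name (empty label)
    if len(san_labels) != len(host_labels):
        return False                       # a wildcard never spans labels
    if any("*" in label for label in san_labels[1:]):
        return False                       # wildcard only in the left-most label
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False                       # "*.tld" is not accepted
    if "*" in san_labels[0] and san_labels[0] != "*":
        return False                       # partial wildcards ("lan*") rejected
    for pattern, label in zip(san_labels, host_labels):
        if pattern != "*" and pattern != label:
            return False
    return True


def covering_sans(sans: List[str], hostname: str) -> List[str]:
    """All SAN entries in `sans` that cover `hostname` (empty = browser warning)."""
    return [san for san in sans if san_matches(san, hostname)]


def coverage_report(sans: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname to whether a certificate with these SANs covers it."""
    return {host: bool(covering_sans(sans, host)) for host in hostnames}


# Constructed SAN lists for two ways of issuing one certificate.
EXPLICIT_SANS = ["mydomain.tld", "pfsense.mydomain.tld",
                 "lan1.mydomain.tld", "lan2.mydomain.tld"]
WILDCARD_SANS = ["mydomain.tld", "*.mydomain.tld"]

# Constructed names a user on the LAN might type into the browser.
TEST_HOSTS = ["mydomain.tld", "LAN1.mydomain.tld", "lan3.mydomain.tld",
              "host.lan1.mydomain.tld", "192.168.1.1"]

if __name__ == "__main__":
    for name, sans in (("explicit", EXPLICIT_SANS), ("wildcard", WILDCARD_SANS)):
        print(f"--- {name} SANs: {sans}")
        for host, ok in coverage_report(sans, TEST_HOSTS).items():
            print(f"{host:28s} {'OK' if ok else 'WARNING'}")
```

A single certificate from a public CA can list many dNSName SANs, and a wildcard name is issued only through the ACME DNS-01 challenge, which is proven with a TXT record at _acme-challenge.<name> rather than with a CNAME. The report shows why the wildcard option also covers hosts added later (lan3) while the explicit list does not, why a wildcard does not cover the bare domain unless it is listed separately, and why neither option removes the warning when the WebGUI is opened by IP address.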