Hello.
First post, so I wanted to first shout out to Tom and all the fine staff, Patreon folks, customers, etc. that make all this possible. What a great, practical resource you have created here. You are all to be commended.
And on to the actual post…
I have seen the videos that use pfsense, ACME, and haproxy with wildcard certificates for accessing local resources seamlessly. This is a neat solution; however, I would prefer to have SSL termination done end-to-end.
I am trying to decide from a security perspective which is the better route:
- generate all the certs in one place (possibly pfsense, but maybe a separate instance or container just for this) and distribute the certificates to all the hosts they need to go to via ansible.
- generate the certs on the devices directly with certbot, or however I can interact with the ACME API, and risk having keys that can modify your entire zone in multiple places on your network.
I don’t mind doing the certificate distribution manually but I also don’t think I can find a better solution than just generating a cert for each host specifically and take the API key risk. I guess you could have different API keys for the DNS provider for each host so that you could invalidate one quickly and not affect everything.
I don’t have any external services to contend with in the case of my homelab but I do want to have a separate DNS zone, even if just in name with local-only DNS resolution.
Does anyone have any better ideas or is there something obvious I am not considering?
Thanks!
Happy to be here
Eddie
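For the first option in the post (issue centrally, push with Ansible), here is an added example playbook of the kind of hardening a distribution step should carry; it is not code from the original post or from any project mentioned in it. It assumes a hypothetical inventory group `tls_hosts`, a local directory `certs/<inventory_hostname>/` holding `fullchain.pem` and `privkey.pem` for each host, and a service name in `tls_service` (set to `nginx` here; haproxy would instead want the cert and key concatenated into one file). The points it demonstrates are the ones that matter for the key-handling risk the post raises: the private key is written root-only with `no_log` so it never shows up in play output, both files are validated with `openssl` before they replace anything, the key is checked against the certificate's public key, and the service is reloaded only when a file actually changed.

```yaml
# Added example, not part of the original post.
# Assumptions: inventory group "tls_hosts", local certs/<inventory_hostname>/{fullchain,privkey}.pem,
# openssl present on the targets, and a service named by tls_service that reloads cleanly.
- name: Distribute centrally issued certificates
  hosts: tls_hosts
  become: true
  vars:
    cert_src: "certs/{{ inventory_hostname }}"
    cert_dir: "/etc/ssl/private/{{ inventory_hostname }}"
    tls_service: nginx        # assumed service name; haproxy needs cert+key in one file
  tasks:
    - name: Ensure the certificate directory exists and is root-only
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: Install the certificate chain (parsed as X.509 before it replaces the old file)
      ansible.builtin.copy:
        src: "{{ cert_src }}/fullchain.pem"
        dest: "{{ cert_dir }}/fullchain.pem"
        owner: root
        group: root
        mode: "0644"
        validate: "openssl x509 -noout -in %s"
      notify: reload tls service

    - name: Install the private key (validated, root-only, kept out of the play log)
      ansible.builtin.copy:
        src: "{{ cert_src }}/privkey.pem"
        dest: "{{ cert_dir }}/privkey.pem"
        owner: root
        group: root
        mode: "0600"
        validate: "openssl pkey -noout -in %s"
      no_log: true
      notify: reload tls service

    - name: Fail if the private key does not match the certificate
      ansible.builtin.shell: >
        test "$(openssl x509 -noout -pubkey -in {{ cert_dir }}/fullchain.pem)" =
             "$(openssl pkey -pubout -in {{ cert_dir }}/privkey.pem)"
      changed_when: false

  handlers:
    - name: reload tls service
      ansible.builtin.service:
        name: "{{ tls_service }}"
        state: reloaded
```

Because the certificate and key never leave the control node except over the Ansible SSH session, the only DNS API credential in this design lives on the issuing machine, which is the property the post is trying to get from option one; the per-host checks above are what make the push safe to re-run unattended at renewal time.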