Internal CA with ACME support

I ran across this write-up today and thought it was interesting. The short version is that this is an open source internal CA server that will work with ACME API requests.

I’ve been wanting an easyish way to get all my internal stuff like FreeNAS and Zabbix to have trusted certs. This looks like it might work and can be automated. What does everyone else think?

I just run acme.sh on anything I want certs for, then run a cron to renew and fix anything. Not complicated at all really.

I read most of the article, but it was too repetitive IMO. I'm a fan of the KISS method, and if it ain't broke don't fix it.

The problem I have is that I use a .lan internally, which you can't get a cert from Let's Encrypt for.

I just use a house. subdomain off one of my public domains. DNS for the subdomain is not visible publicly, but it works for certs.

How do you do the challenge for devices that you don’t want to expose to the web and have private DNS records?

I hate to say I’m still kinda working the details out on that.

That's exactly why I'm thinking of trying this internal CA. Most web-based things have the ability to be automated against an ACME CA these days. Now I wouldn't need the devices to be web-facing or public DNS.
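The DNS-01 challenge asked about above is what lets a host that is neither reachable from the CA nor in public DNS still get a certificate: the CA only resolves a `_acme-challenge` TXT record, never the host itself. The following is an added example (not code from any poster, acme.sh, or the CA server discussed) that computes the TXT value per RFC 8555 and RFC 7638 and shows the check the CA performs; the key, token and hostname are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample account key (JWK form); the coordinates are placeholders,
# since the thumbprint only hashes the JSON members, not a real curve point.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXgtY29vcmRpbmF0ZQ", "y": "c2FtcGxlLXktY29vcmRpbmF0ZQ"}
TOKEN = "9kSbvV1mR0YxK2tq5JYLuYhCh7iE3JqFtZB8ZpW0dQk"  # constructed challenge token
HOSTNAME = "zabbix.house.example.com"                 # constructed internal host


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Record the client publishes and the CA queries; the host's own A record is never needed."""
    return f"_acme-challenge.{identifier.rstrip('.')}."


def validate_dns01(txt_records, token: str, jwk: dict) -> bool:
    """The CA side: accept only if some resolved TXT record equals the expected digest."""
    expected = dns01_txt_value(token, jwk)
    return any(record == expected for record in txt_records)


def demo() -> bool:
    # Simulated zone: what the client's DNS hook would write (internal DNS for an
    # internal CA, public DNS for Let's Encrypt) before telling the CA to validate.
    zone = {challenge_record_name(HOSTNAME): [dns01_txt_value(TOKEN, CLIENT_JWK)]}
    # The CA resolves the record and compares; a stale value from an old token fails.
    return validate_dns01(zone[challenge_record_name(HOSTNAME)], TOKEN, CLIENT_JWK)


if __name__ == "__main__":
    print("validated" if demo() else "rejected")
```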