I've been using Let's Encrypt since its beginning (which isn't saying too much, it's still very young). I have also been creating and installing the certs on my Proxmox system manually, so when they included the option to automate this I was very excited. However... there is no way on earth I'm exposing my Proxmox nodes to the internet; they are running internal services. This presents a problem. I want the automation, but I'm concerned about the security.
I have a subdomain of my public DNS for my internal systems (.int...). So my solution is this:
Create entries in my public DNS for all my Proxmox nodes, but pointing to a single internet-routable IP address. This IP terminates on my firewall, and NATs to a small VM (in fact it's a Docker image) running nginx.
Inside this nginx I have configured it to simply take a specific set of server names (the Proxmox names), and proxy port 80 traffic for /.well-known/ onto the correct Proxmox node.
Thus I can use the automation inside Proxmox to generate my certs, and I'm still protecting my Proxmox systems by only exposing the /.well-known/ path on port 80 to the internet via my nginx proxy.
Maybe I'm a little too paranoid, but just because I'm paranoid doesn't mean people aren't out to get my systems.
In case you're interested, here's a snippet from the nginx config which handles the proxying:
Code:
    # $THIS_HOST and ${TLD} are template values, substituted (presumably by the
    # container's entrypoint) before nginx starts, giving one server block per node.
    server {
        listen 80;
        server_name ~^$THIS_HOST\.${TLD}$;

        # Only the /.well-known/ path is forwarded to the Proxmox node;
        # nothing else on this vhost reaches it from the internet.
        location /.well-known/ {
            proxy_pass "http://$THIS_HOST.${TLD}/.well-known/";
        }
    }
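As an added example of the same idea (not the poster's config), here is a single nginx server block for the NAT'd VM that maps each public node name to its internal address with a `map`, forwards only the ACME challenge path, and answers 404 for everything else, including unknown Host headers. The node names and internal addresses are assumed placeholders.

```nginx
# Added example: one vhost for all nodes. Map the requested Host header to the
# internal address of the matching Proxmox node (placeholders, assumed values).
map $host $acme_backend {
    pve1.int.example.com 10.0.0.11;   # internal address of node pve1 (assumed)
    pve2.int.example.com 10.0.0.12;   # internal address of node pve2 (assumed)
    default              "";          # any other Host header gets no backend
}

server {
    listen 80 default_server;
    server_name _;

    # Proxmox serves the HTTP-01 challenge on port 80 while an order is in
    # progress; only that path is proxied, and only for known node names.
    location ^~ /.well-known/acme-challenge/ {
        if ($acme_backend = "") {
            return 404;
        }
        proxy_pass http://$acme_backend;
        proxy_set_header Host $host;
    }

    # Everything else is refused here and never forwarded to a node.
    location / {
        return 404;
    }
}
```

Because the upstream is an IP address from the map, no `resolver` is needed; a quick check from outside is that only `/.well-known/acme-challenge/...` on a listed name gets proxied, and any other path or name returns 404.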