Chris Richmond
Easier Let's Encrypt SSL Certs

I've been using a combination of Cloudflare and Nginx Proxy Manager to simplify various internal and external services over the past year. Adding SSL to externally exposed sites has been pretty straightforward: add a CNAME record in Cloudflare that points to my router, and my router uses Nginx as a reverse proxy. Simple enough, plus the traffic gets automatically wrapped in Cloudflare's certs.

The issue has been adding and maintaining SSL for internal-only apps. I've been following the same workflow as for external apps but turning the Cloudflare record on and off. This no longer gives me real SSL from Cloudflare either, and I've had to generate certs from Let's Encrypt while the external port was exposed. Not optimal, and renewal breaks in this pattern.

Solution: wildcard certs. This was less than straightforward: I tried to use certbot manually to create a wildcard cert, which works, but I still have to renew manually, and the import process is even more long-winded. Nginx Proxy Manager, however, can create an SSL certificate from its SSL Certificates tab using Let's Encrypt.
Settings should be as follows:

  • Domain name - *.[yourdomain].com
  • Tick Use a DNS Challenge
  • I tested Cloudflare as my DNS provider, but there are many others in the dropdown that I expect work similarly. Once you select it, it will ask for a token. Grab that from Cloudflare -> My Profile -> API Tokens and create a new custom token.
  • Call it whatever you like; the important part is the permissions. They should be set to [Zone] [Zone Settings] [Edit].
  • Include whichever zones you want, and continue to summary below.
  • Agree to the terms.

You can now update/add endpoints and use this new cert. It hasn't been in place long enough to require renewal yet, but it should follow the same renewal pattern as the non-wildcard certs.
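As an added check (not code from the original post or from Nginx Proxy Manager), the script below takes a certificate in the shape Python's `ssl` module returns from `getpeercert()` and answers the two things worth knowing once the wildcard cert is in use: does it actually cover a given internal hostname (a `*.example.com` wildcard matches exactly one label, so neither the bare domain nor `a.b.example.com`), and how many days remain before the renewal the post expects. The hostnames, the sample certificate and the 30-day renewal threshold are constructed assumptions; `fetch_peercert` is only there for pointing the check at a live proxy host.

```python
"""Pre-flight check for a wildcard cert served through Nginx Proxy Manager."""
import socket
import ssl
from typing import Optional


def san_covers(hostname: str, san_name: str) -> bool:
    """RFC 6125 matching: '*.example.com' covers 'app.example.com' only;
    it does not cover 'example.com' or 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    san = san_name.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # the part the '*' must stand for
    return label != "" and "." not in label


def check_cert(cert: dict, hostname: str, now: float, renew_days: int = 30) -> dict:
    """cert is in the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    covered = any(san_covers(hostname, san) for san in sans)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # notAfter is UTC
    days_left = int((expires - now) // 86400)
    return {"covered": covered, "days_left": days_left,
            "needs_renewal": days_left <= renew_days}


def fetch_peercert(host: str, port: int = 443, sni: Optional[str] = None) -> dict:
    """Fetch the live, validated certificate from a proxy host (network use only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 10 12:00:00 2030 GMT",
}


def run_sample(hostname: str = "grafana.example.com", days_before: int = 45) -> dict:
    """Evaluate the constructed sample as if run `days_before` days before expiry."""
    now = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"]) - days_before * 86400
    return check_cert(SAMPLE_CERT, hostname, now)
```

Run it against a real host with `check_cert(fetch_peercert("npm.example.com"), "grafana.example.com", time.time())`; a `needs_renewal` of `True` means the automatic renewal the post relies on has not happened.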