Because the majority of my traffic and services are internal with internal DNS? And I want valid HTTPS certs for them, without exposing my IP in the DNS for those A records.
If I don’t care about leaking my IP in my a records then this is pretty easy. However I don’t want to do this for various reasons. One of those being that I engage in security related activities and have no desire to put myself at risk by leaking.
Akinzekeel@lemmy.world 2 weeks ago
Can’t speak for OP but I was also attempting this and couldn’t get it working. My use case is that CF tunnels make multiple of my self hosted services available on the Internet via HTTPS and without directly exposing my home IP.
It does however mean that even when I use a service on my home network, everything is being proxied through CF which makes things much slower than they need to be 90% of the time. So my idea is to use caddy in parallel to CF and have a local DNS server point to my homelab, thereby circumventing the proxy whenever I’m on my home network.
But like I said I could not get this working just yet.
mik@sh.itjust.works 2 weeks ago
I run the setup you’re aiming for, and as the other guy said, DNS challenge is the way to go. That’s what I do, and it works beautifully. It even works with Caddy auto-https, you just need to build Caddy with the cloudflare-dns plugin.
Cyberflunk@lemmy.world 2 weeks ago
You’ll need to disable proxy, run certbot, then re enable proxy.
LE won’t sign a site already cf encrypted, or behind cf (even with cf SSL disabled.)
You could try a DNS challenge or other method.
letsencrypt.org/docs/challenge-types/