Nginx Proxy Manager VS acme-dns

Yes, but if you can run docker. Use nginx proxy manager here

For easier setup I would highly recommend the usage of nginx-proxy-manager. Its docker-rized and the ui makes it really easy to configure. From this point on there are a few things we'll have to know about your situation: Do you plan on running these different web apps on different dubdomains (plex.amazingdomain.moe) or on different paths (amazingdomain.moe/plex). Since you already have a domain, different subdomains should be fairly easy to create. (Paths would be the better solution if you are using a ddns service with a very limited amount of 'domains')

I think you're getting the wrong nginx.... checkout this link https://nginxproxymanager.com/

NginxProxyManager might be of interest. I got tired of trying to get it to work predictably with more than one site in opnsense, and now just forward 80/443 to it to deal with the half-dozen internal sites I want access to, and secured with basic auth and SSLs that it takes care of.

If you're using Docker for your services, I can recommend Nginx Proxy Manager. It's a webUI for nginx, makes it easy to use nginx. I followed this guide to set my home server. The author uses Portainer to manage containers, but you can use docker-compose directly.

I just want to add that nginx proxy manager makes it exceptionally easy and doesn't require someone to directly configure nginx at all.

Pretty good explanation here ^ To follow on with the practical side of things you need something to redirect traffic that comes into your IP address on port 80 to the proper address/port. Some software that works very well with this is nginx proxy manager I use it and it works well. Basically all you do is put some rules in that redirect traffic based off domain names e.g. foundry. goes to ip addres on port . NPM listens to port 80 sees the incoming address and then translates that into an address on your network. Bam you just need to type a name in your url bar and foundry pops up :)

I also have domains on google domains and I use https://github.com/joohoi/acme-dns api to renew all the certificates using the api including wildcard certificates. Just register a new account at https://auth.acme-dns.io/register and start using DNS api. https://github.com/acme-dns/acme-dns-client

I use https://github.com/joohoi/acme-dns and my domain provider does not have an API either. use acme.sh script and use the acme-dns api to get the certificate. Once you get a certificate download the ~/.acme.sh/account.conf file and re-use it on all the new servers you create. All you have to do is point your _acme-challenge subdomain CNAME record to the one you get from the API.

Not necessarily; LE follows CNAMEs, so you can use it with a DNS server without scriptable record creation capability. Just add a CNAME that points to a service such as https://github.com/joohoi/acme-dns

I have done it with https://github.com/joohoi/acme-dns It's a DNS server you deploy just for the DNS challenge. The doc is good, does take some time getting your head around how it's work but once set it's easy.

If you use a ddns client to create a record for you and keep it updated you can use https://github.com/joohoi/acme-dns (hosted locally) for the txt records that let us encrypt needs. Only part that is a pain is each sub domain you do needs a manual cname record pointing to the acme-dns one.

Yes. You can have a CNAME _acme-challenge.example.com point to _acme-challenge.example.ORG or a sub-domain like _acme-challenge.DNSAUTH.example.com.

At work we use the sub-domain method and just have a small non-HA VM with some scripts that allow ACME clients to update particular TXT records. Each ACME client is given an individual key and allowed to only update a particular record.

Folks have specifically written DNS servers to do just this:

* https://github.com/joohoi/acme-dns

However we used BIND with some custom scripting.

You can use sub-domains as well: _acme-challenge.example.com -> _acme-challenge.DNSAUTH.example.com, _acme-challenge.foo.example.com -> _acme-challenge.foo.dnsauth.example.com.

You can then have a small VM handle answering DNS queries just for dnsauth.example.com. Folks have written servers to do just this:

* https://github.com/joohoi/acme-dns

> If you want to use the www auth you need to allow outbound connections to any IP

Only for the time period when you're requesting the cert though: it does not have to be open to the entire Internet 24/7. While this not satisfy your personal / particular level of security concern, it is something. Using the dehydrated client as an example, the web server could be started and stopped (or the host's firewall rules altered) in the startup_hook() / exit_hook() functions, or the deploy_challenge() / clean_challenge() functions:

* https://github.com/dehydrated-io/dehydrated/blob/master/docs...

> otherwise you have the DNS option which means giving the server access to modify the DNS records which is also unsafe should the box get compromised.

Are you aware of LE/ACME's "DNS alias" mode?

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

Let us say you with to get a cert for foo.example.com. Letting an ACME client change the value of that could be a risk as you state. So what you can do is create a CNAME _acme-challenge.foo.example.com, and point that elsewhere, like _acme-challenge.foo.dnsauth.example.com. You then allow the ACME client to alter (just) the TXT records of _acme-challenge.foo.dnsauth.

People have ever written simple DNS server that allow for updating of records via a RESTful API, so you can server just the (e.g.) dnsauth sub-domain from it:

* https://github.com/joohoi/acme-dns

There's also a CLI utility that can handle access the APIs of several dozen DNS companies so you don't have to roll your own:

* https://github.com/AnalogJ/lexicon

I'm doing the same for my personal/home lab stuff. I've been using https://github.com/joohoi/acme-dns for the dns server running on a small vps for all my internal certificates and I haven't had any issues with it.

Yeah, I'm planning to add support for DNS challenges. But rather than depending on the user using a supported DNS provider, instead I'm planning to bundle acme-dns. That should be a much simpler setup... the only downside is that it only works if nothing else is also using DNS challenges for that domain. But I think that's a safe bet for most deployments.