Upgrading my home infrastructure to learn as well as be more secure, I have not been able to find out how best to get certificate(s) issued and installed across my servers, which comprise:
- Firewall (pfSense - FreeBSD):
  - fw.example.com
- NAS (Openmediavault - Debian Buster):
  - nas.example.com:80
  - nas.example.com:443
- Network controller (Unifi on same Debian Buster as the NAS):
  - nas.example.com:8443
- Video Controller (Unifi ditto):
  - nas.example.com:7443
- Home Automation (Home Assistant on hass.io):
  - home.example.com:8123
With that background:
Should I run ACME protocol software (Certbot, acme.sh or equivalent) on each server through Cron to have Let's Encrypt issue and renew the certificate(s)? Or should I do it on one server and set up to copy the resulting public and private keys to the others?
Should it be one certificate with Subject Alternative Names (SANs) for the domain itself (example.com) AND one for each subdomain (fw.example.com, nas.example.com & home.example.com), OR a wildcard (*.example.com, which restricts the authentication method)? Or should each server get its own certificate?
For now, in addition to the firewall, only Home Assistant will be external facing. Thus it is the obvious candidate for the issue/renew process (given that my registrar is Google Domains, who don't support DNS-01, so I need an HTTP server for HTTP-01 if I am not to be renewing manually every three months).
In future, I would like to implement OpenVPN on the firewall in order. My understanding is that the certificates for that are/should be generated privately.
Further research suggests HAProxy for the internal-only web sites. Makes sense, as it reduces the places where a current certificate is required. But would software that requires https: (e.g. Unifi Controller) not complain, as it won't know that it is being accessed securely since this is handled by HAProxy? Thoughts on this?
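As an added illustration (not part of the original question), the following script checks which hosts from the inventory above a given SAN list would cover, using the RFC 6125 wildcard rules: `*.example.com` matches exactly one label, so it covers `nas.example.com` but not the apex `example.com` nor a two-level name. The inventory and SAN lists are constructed from the question.

```python
"""Check which inventory hostnames a certificate's SAN list covers.

Wildcard matching follows RFC 6125 section 6.4.3: '*' must be the whole
leftmost label, it matches exactly one label, and it never matches the apex.
"""
from urllib.parse import urlsplit

# Inventory constructed from the question above, as host[:port] entries.
INVENTORY = [
    "fw.example.com",
    "nas.example.com:80",
    "nas.example.com:443",
    "nas.example.com:8443",
    "nas.example.com:7443",
    "home.example.com:8123",
]


def hostname_of(entry: str) -> str:
    """Strip an optional :port from an inventory entry and lower-case it."""
    return (urlsplit("//" + entry).hostname or "").lower()


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName SAN entry matches the hostname."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: '*.example.com' covers 'nas.example.com' but not
    # 'example.com' (apex) and not 'a.b.example.com' (two labels).
    suffix = san[1:]                      # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def coverage(sans, inventory):
    """Map each distinct hostname in the inventory to whether any SAN covers it."""
    hosts = sorted({hostname_of(e) for e in inventory})
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


def uncovered(sans, inventory):
    """Hostnames that would fail TLS name validation under this SAN list."""
    return [h for h, ok in coverage(sans, inventory).items() if not ok]


if __name__ == "__main__":
    for sans in (["*.example.com"], ["example.com", "*.example.com"]):
        print(sans, "leaves uncovered:", uncovered(sans, INVENTORY + ["example.com"]))
```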