Using MiaB to validate a Let's Encrypt certificate for home-server

Hi there!

I have some devices at home (NAS, web server with 2 subdomains, …), where I need a SSL certificate for the same domain as I’m using at MiaB. Until now I updated my wildcard certificate using the DNS-manual method and my MiaB DNS server managed the A and TXT records.

Now I’m asking myself if it’s maybe possible to use the MiaB’s own validation service for the SSL certificate I’d like to create for my home server, is it possible? What method is used by MiaB? HTTP server?

Maybe it’s even somehow possible to use DNS-NSupdate / RFC2136?


Nobody who could help me?

Is there a reason you wouldn’t just run Let’s Encrypt on those servers to create the certificates needed? It seems bringing the MIAB box into the equation unnecessarily complicates things.

I am not understanding clearly from your initial post … are you stating that you have had a wildcard cert issued to your MiaB box?

Or are you wanting the DNS cert for your home devices to be the same subdomain as your box …

Please rephrase so it is understood EXACTLY what you want to achieve.

Local, not internet accessible, perhaps? I have no clue which is why I asked the OP for clarification.

I was looking a while ago into letsencrypt DNS challenges, I haven’t had time to test this out but I came across this:

https://github.com/EnigmaBridge/certbot-external-auth

You will have to write a script to take certbots challenge and push it to mailinabox through the dns api as it appears no one has written a Mailinabox hook yet.
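The hook described above, as an added example that is not from this thread or the Mail-in-a-Box project: a certbot manual-auth/cleanup hook that publishes the dns-01 challenge as a TXT record through MiaB's custom DNS API (the box hostname, admin login and password are placeholders to be supplied via environment variables).

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook / --manual-cleanup-hook that writes the
# dns-01 challenge into Mail-in-a-Box's custom DNS via its admin API.
# Assumptions: the MiaB admin API at /admin/dns/custom/<qname>/txt (POST adds a
# value, DELETE removes it), HTTP basic auth with an admin login, HTTPS only.
MIAB_BOX="${MIAB_BOX:-box.example.com}"       # placeholder box hostname
MIAB_USER="${MIAB_USER:-admin@example.com}"   # placeholder admin login
MIAB_PASS="${MIAB_PASS:-changeme}"            # placeholder; export it from a protected file
DNS_WAIT="${DNS_WAIT:-30}"                    # seconds to let the record become visible

# Name that Let's Encrypt queries for the dns-01 challenge of a domain.
acme_challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# MiaB custom-DNS API endpoint for the TXT records at a given name.
miab_txt_url() {
    printf 'https://%s/admin/dns/custom/%s/txt\n' "$MIAB_BOX" "$1"
}

# Add (POST) or remove (DELETE) one TXT value; the value travels as the request body.
miab_txt_record() {
    method="$1"; name="$2"; value="$3"
    curl --silent --show-error --fail -X "$method" \
         --user "$MIAB_USER:$MIAB_PASS" \
         -d "$value" "$(miab_txt_url "$name")"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks; one script
# serves both roles via a mode argument (auth|cleanup).  Only the challenge value
# is ever published, never the account key or the certificate private key.
case "${1:-}" in
    auth)
        miab_txt_record POST "$(acme_challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
        sleep "$DNS_WAIT"   # give the MiaB nameserver time to serve the new record
        ;;
    cleanup)
        miab_txt_record DELETE "$(acme_challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
        ;;
esac
```

Invoke it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/path/miab-hook.sh auth" --manual-cleanup-hook "/path/miab-hook.sh cleanup" -d '*.example.com'`; certbot calls the hook once per name, so a wildcard plus apex works with the same script.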

@blinkingline & @alento
It’s the easiest way for me to do it that way, because I’m not really an expert.

One of the devices which needs a certificate is my pfSense firewall. I think the only way of importing a certificate (besides the manual import via web UI) into the pfSense is to create one via the LE package. Because I’m able to export that certificate to my Ubuntu server (using it for certain purposes) my pfSense is the only instance that creates a wildcard certificate, automatically exports it to my Ubuntu server and restarts all the processes to renew their certificates.
So by now I’m going to renew my certificates for any service I run at home via one click at the pfSense LE package. It’s not that hard, but I was looking for an automated alternative.

I think the only automatic method to renew my certificates on my pfSense is a web server on the pfSense itself. But I’m afraid of running this method on my firewall. Then I’d better keep using the DNS manual update.

Finally, I thought that if MiaB is already running a LE validation service I could maybe use it for my home solution as well to validate the same domain. But the deeper I try to inquire into LE’s processes of renewing and validating, the more I think that it would be impossible with the existent solutions, am I right?

@operations
Yes, that would be some kind of what I’m looking for. The pfSense LE package offers external authentication services as well, but I don’t know if it’s possible to add custom entries. Anyway, I wouldn’t be able to do this…

Finally I found ACME-DNS (https://github.com/joohoi/acme-dns).
That is a really simple solution and seems to me one of the most secure options for automatic domain validation.

Before I started this topic, I didn’t know much about how LE works in general. Now I understand it a little bit better and it’s clear to me that the way I wanted to solve my “problem” would not work. But this was a good start to learn something new :slight_smile:

I usually set up the certificate for the domain on the MIAB server, then configure custom DNS to point the domain and the www. to an external server. Then, use LetsEncrypt on the external server to set up the certificate for the web server there.
Subsequently, both instances appear to renew just fine, when the time comes.

Hi @limitless ,

I’m struggling with this exact thing. I have MiaB on a VPS and a lot of services on my home server, for which, until I installed MiaB, I was using the OVH provider for Let’s Encrypt. Now my wildcard certificate has expired and I need to renew it. But I’m unable to do it on MiaB, so I’m using Nginx Proxy Manager, as it has an ACME-DNS plugin, but it asks for something I don’t know how to get.

It seems I need the API URL and some credentials in a json format.

Could you please put here an example of your settings, to see if I can adapt it to nginx proxy manager?

Thank you to anyone who can help me

Sorry for the late reply, but I don’t think I could help you out either. I’m using the ACME plugin on my pfSense firewall and there you don’t need something like you were asked for. I just put in my credentials (like username + password) and then it works.