How do you manage the distribution of internal TLS network certificates? I’m using cert-manager to generate them, but the root self-signed certificate expires monthly which makes distribution to devices outside of K8s a challenge. It’s a PITA to keep doing this for the tablet, laptop and phones. I can bump the root cert to a year, but I’m concerned that the date will sneak up on me. Are there any automated solutions?
DNS challenge with a reverse proxy is that answer. I’ve been doing this for a while now and it works great. Most other answers here are work arounds or not very robust.
This is the way: https://youtu.be/liV3c9m_OX8
I do this with authentik for sso
I have local only things like vaultwarden and external things like seafile.
I started watching the video. I was not aware that LetsEncrypt supported wildcard certificates. Does this mean that your internal network uses the same domain name as your externally-hosted services?
Yes.
Vaultwarden.local.example.com
And
Jellyfin.example.com
This is the best and most robust way to do this