TLS certificates for internal services done right
Summary
This article outlines a practical method for provisioning TLS certificates for internal services using split-horizon DNS, a VPN DNS resolver (NetBird), an ACME client (acme.sh) with Let’s Encrypt, and an nginx-based reverse proxy with a WAF. It explains why private TLDs like .internal are problematic, and shows a concrete, code-based approach to issuing and renewing certificates and wiring DNS so internal services remain secure and accessible.