{"id":1173,"date":"2026-06-07T09:00:00","date_gmt":"2026-06-06T20:00:00","guid":{"rendered":"https:\/\/blog.wiseowls.co.nz\/?p=1173"},"modified":"2026-03-08T02:38:21","modified_gmt":"2026-03-07T13:38:21","slug":"proper-ssl-certificates-on-your-local-network","status":"publish","type":"post","link":"https:\/\/blog.wiseowls.co.nz\/index.php\/2026\/06\/07\/proper-ssl-certificates-on-your-local-network\/","title":{"rendered":"Proper SSL certificates on your local network"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">There&#8217;s a quiet revolution happening in self-hosted software. Between <a href=\"https:\/\/immich.app\/\">Immich<\/a>, <a href=\"https:\/\/jellyfin.org\/\">Jellyfin<\/a>, <a href=\"https:\/\/www.home-assistant.io\/\">Home Assistant<\/a>, <a href=\"https:\/\/jitsi.org\/\">Jitsi<\/a> and a dozen others, you can build yourself quite a capable home or office setup without sending a single byte to the cloud. We&#8217;ve been running a stack of self-hosted services on our internal network for a while now \u2014 all neatly managed through Docker and <a href=\"https:\/\/traefik.io\/traefik\/\">Traefik<\/a> as our reverse proxy of choice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Everything was humming along nicely until one day we tried to set up Jitsi Meet for internal video calls. The web UI loaded fine, but the moment we tried to join a call \u2014 nothing. No camera, no microphone. Just a cryptic error about <code>getUserMedia<\/code> being undefined.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Browsers and their trust issues<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Turns out, modern browsers flat out refuse to give web apps access to certain APIs unless the page is served over HTTPS. 
This isn&#8217;t some obscure edge case either \u2014 it&#8217;s a long list:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Camera &amp; Microphone<\/strong> (<code>getUserMedia<\/code>) \u2014 the one that bit us<\/li>\n\n\n\n<li><strong>Service Workers<\/strong> \u2014 so no PWA features or push notifications<\/li>\n\n\n\n<li><strong>Geolocation API<\/strong><\/li>\n\n\n\n<li><strong>Clipboard API<\/strong><\/li>\n\n\n\n<li><strong>Web Bluetooth \/ USB \/ NFC<\/strong><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">They call these &#8220;<a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Secure_Contexts\">secure context<\/a>&#8221; requirements, and there&#8217;s no way around them. Chrome, Firefox, Safari \u2014 they all enforce it. Localhost gets a pass, but anything on LAN at <code>http:\/\/192.168.x.x<\/code> or a local hostname does not.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The old way: certbot and HTTP-01<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Normally you&#8217;d chuck <a href=\"https:\/\/certbot.eff.org\/\">certbot<\/a> into the mix and call it a day. We&#8217;ve done that before for public-facing services. But HTTP-01 validation needs the ACME server to reach your host over port 80 from the internet. For internal services that&#8217;s a non-starter \u2014 we&#8217;d have to punch a hole in the firewall and expose an endpoint just to prove we own a domain. Always undesirable, always scary.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">DNS-01 changes everything<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There&#8217;s a DNS-01 validation method that we&#8217;d known about for years but always written off as &#8220;that complicated thing that needs programmable DNS.&#8221; You had to be on Azure DNS, Route53, or Cloudflare \u2014 not your average registrar nameservers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But then one day our annual domain renewal bill came in at a price that warranted churning providers. 
Since we were moving anyway, it made sense to park the zones in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/dns\/dns-overview\">Azure DNS<\/a>. And suddenly DNS-01 was on the table.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The interesting thing about DNS-01 is that it requires zero external exposure. The <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/#dns-01-challenge\">ACME server validates ownership by checking a TXT record<\/a> \u2014 no inbound connections needed. And since Traefik supports it natively, we can get wildcard certs for <code>*.yourdomain.co.nz<\/code> that cover every internal service automagically.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Traefik stack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s our Traefik setup with DNS-01 via Azure DNS:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"yaml\" class=\"language-yaml\">version: \"3.3\"\n\nservices:\n  traefik:\n    image: traefik:mimolette\n    container_name: traefik\n    restart: unless-stopped\n    command:\n      - \"--entrypoints.web.address=:80\"\n      - \"--entrypoints.websecure.address=:443\"\n      - \"--entrypoints.websecure.http.tls.certResolver=le\"\n      - \"--entrypoints.websecure.http.tls.domains[0].main=yourdomain.co.nz\"\n      - \"--entrypoints.websecure.http.tls.domains[0].sans=*.yourdomain.co.nz\"\n      - \"--providers.docker=true\"\n      - \"--providers.docker.exposedbydefault=true\"\n      - \"--certificatesresolvers.le.acme.dnschallenge=true\"\n      - \"--certificatesresolvers.le.acme.dnschallenge.provider=azuredns\"\n      - \"--certificatesresolvers.le.acme.email=admin@yourdomain.co.nz\"\n      - \"--certificatesresolvers.le.acme.storage=\/letsencrypt\/acme.json\"\n    ports:\n      - \"80:80\"\n      - \"443:443\"\n    environment:\n      - \"AZURE_SUBSCRIPTION_ID=your-subscription-id\"\n      - \"AZURE_RESOURCE_GROUP=dns-rg\"\n      - \"AZURE_CLIENT_ID=your-client-id\"\n      - \"AZURE_TENANT_ID=your-tenant-id\"\n  
    - \"AZURE_CLIENT_SECRET=your-client-secret\"\n      - \"AZURE_DNS_ZONE=yourdomain.co.nz\"\n    volumes:\n      - \".\/traefik_data:\/letsencrypt\"\n      - \"\/var\/run\/docker.sock:\/var\/run\/docker.sock:ro\"\n    networks:\n      - default\n      - jitsi_default\n\nnetworks:\n  default:\n  jitsi_default:\n    external: true<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The magic is in the entrypoints config \u2014 by setting <code>certResolver=le<\/code> and specifying the domain with a wildcard SAN at the entrypoint level, every service that Traefik picks up automatically gets a valid cert. No per-service certificate config needed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There&#8217;s a nice security bonus here too. Since our DNS zone is public, you might worry about advertising all your internal service hostnames as individual A or CNAME records for the world to see. But with a wildcard cert we only need a single <code>*.yourdomain.co.nz<\/code> DNS record pointing at Traefik&#8217;s local IP \u2014 yes, a public DNS record pointing at <code>192.168.1.x<\/code>. It&#8217;s perfectly valid, and it means nobody on the outside can enumerate your internal services from DNS. 
Traefik handles the routing based on the <code>Host<\/code> header, so the individual service names never appear in your zone file.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Adding Jitsi to the mix<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With Traefik handling TLS, the Jitsi stack just needs to serve plain HTTP and let Traefik do the rest:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"yaml\" class=\"language-yaml\">version: \"3.3\"\n\nservices:\n  web:\n    image: jitsi\/web:stable\n    restart: unless-stopped\n    environment:\n      - PUBLIC_URL=https:\/\/meet.yourdomain.co.nz\n      - DISABLE_HTTPS=1\n      - ENABLE_LOBBY=1\n    labels:\n      - \"traefik.http.routers.jitsi.rule=Host(`meet.yourdomain.co.nz`)\"\n      - \"traefik.http.services.jitsi.loadbalancer.server.port=80\"\n    networks:\n      - default\n\n# ... more stuff here ...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The key bits: <code>DISABLE_HTTPS=1<\/code> tells Jitsi&#8217;s web container to not bother with its own certs, and the Traefik labels on the <code>web<\/code> service are all it takes to wire it up. The JVB (video bridge) still needs its UDP port exposed directly since WebRTC media doesn&#8217;t go through the reverse proxy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fire up both stacks, point <code>meet.yourdomain.co.nz<\/code> at your Docker host in local DNS, and you&#8217;ve got Jitsi with a proper green padlock. Camera and microphone work without a hitch.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up the Azure service principal<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The one remaining piece is giving Traefik permission to create those DNS TXT records. 
We need an Azure service principal scoped to just the DNS zone:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># Create a service principal with DNS Zone Contributor role\nSUBSCRIPTION_ID=\"your-subscription-id\"\nRESOURCE_GROUP=\"dns-rg\"\nDNS_ZONE=\"yourdomain.co.nz\"\n\nSCOPE=\"\/subscriptions\/$SUBSCRIPTION_ID\/resourceGroups\/$RESOURCE_GROUP\/providers\/Microsoft.Network\/dnszones\/$DNS_ZONE\"\n\naz ad sp create-for-rbac \\\n  --name \"traefik-acme\" \\\n  --role \"DNS Zone Contributor\" \\\n  --scopes \"$SCOPE\"\n\n# Output will include appId, password, and tenant \u2014 plug those into\n# AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID respectively<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Just remember the client secret expires (default is one year), so set yourself a calendar reminder or you&#8217;ll be debugging cert renewals in 12 months wondering what went wrong.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There&#8217;s a quiet revolution happening in self-hosted software. Between Immich, Jellyfin, Home Assistant, Jitsi and a dozen others, you can build yourself quite a capable home or office setup without sending a single byte to the cloud. 
We&#8217;ve been running a stack of self-hosted services on our internal network for a while now \u2014 all &hellip; <a href=\"https:\/\/blog.wiseowls.co.nz\/index.php\/2026\/06\/07\/proper-ssl-certificates-on-your-local-network\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Proper SSL certificates on your local network&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":566,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[7],"tags":[43,44],"class_list":["post-1173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infrastructure","tag-docker","tag-ssl"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Proper SSL certificates on your local network - Timur and associates<\/title>\n<meta name=\"description\" content=\"How we used Traefik and Azure DNS to get proper Let&#039;s Encrypt wildcard certs for internal network services via DNS-01.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.wiseowls.co.nz\/index.php\/2026\/06\/07\/proper-ssl-certificates-on-your-local-network\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Proper SSL certificates on your local network - Timur and associates\" \/>\n<meta property=\"og:description\" content=\"How we used Traefik and Azure DNS to get proper Let&#039;s Encrypt wildcard certs for internal network services via DNS-01.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.wiseowls.co.nz\/index.php\/2026\/06\/07\/proper-ssl-certificates-on-your-local-network\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Timur and associates\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-06T20:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.wiseowls.co.nz\/wp-content\/uploads\/2020\/06\/padlock-code.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"312\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"timur\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@TimurKh\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/\"},\"author\":{\"name\":\"timur\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/#\\\/schema\\\/person\\\/34d0ed30d573b5bc317ea990bd2e0c59\"},\"headline\":\"Proper SSL certificates on your local 
network\",\"datePublished\":\"2026-06-06T20:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/\"},\"wordCount\":715,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/padlock-code.jpg\",\"keywords\":[\"docker\",\"ssl\"],\"articleSection\":[\"Infrastructure\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/\",\"url\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/\",\"name\":\"Proper SSL certificates on your local network - Timur and associates\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/padlock-code.jpg\",\"datePublished\":\"2026-06-06T20:00:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/#\\\/schema\\\/person\\\/34d0ed30d573b5bc317ea990bd2e0c59\"},\"description\":\"How we used Traefik and Azure DNS to get proper Let's Encrypt wildcard certs for internal 
network services via DNS-01.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/padlock-code.jpg\",\"contentUrl\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/wp-content\\\/uploads\\\/2020\\\/06\\\/padlock-code.jpg\",\"width\":1280,\"height\":312},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/index.php\\\/2026\\\/06\\\/07\\\/proper-ssl-certificates-on-your-local-network\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Proper SSL certificates on your local network\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/#website\",\"url\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/\",\"name\":\"Timur and associates\",\"description\":\"Notes of an IT 
contractor\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.wiseowls.co.nz\\\/#\\\/schema\\\/person\\\/34d0ed30d573b5bc317ea990bd2e0c59\",\"name\":\"timur\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/23d55e17d4f0990ee4d12bc6e5dcfb58a292934efd62a185756876379e780b16?s=96&r=pg\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/23d55e17d4f0990ee4d12bc6e5dcfb58a292934efd62a185756876379e780b16?s=96&r=pg\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/23d55e17d4f0990ee4d12bc6e5dcfb58a292934efd62a185756876379e780b16?s=96&r=pg\",\"caption\":\"timur\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/TimurKh\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/1173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/comments?post=1173"}],"version-history":[{"count":10,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/1173\/revisions"}],"predecessor-version":[{"id":1391,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/posts\/1173\/revisions\/1391"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/media\/566"}],"wp:attachment":[{"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/media?parent=1173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/categories?post=1173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wiseowls.co.nz\/index.php\/wp-json\/wp\/v2\/tags?post=1173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}