The trick is to use a ‘reverse proxy’ which is then the service that answers all connections you provision it to.
I use haproxy as my proxy and acme.sh as my ‘certificate bearer’.
haproxy has ‘front-ends’ to answer connections and ‘backends’ that describe the ultimate service that will react to connection attempts.
haproxy has two flavors, HTTP and TCP, for front-end connections, so an example front-end would ONLY answer connections to ‘http(s)://switch.corporate.com/’, would rewrite port 80 to port 443, and, if the resultant certification is kosher, would forward such connections (with the certificate stripped) to http://127.0.0.1/admin/ucp/, which is part of open-source FreePBX.
Perhaps another ‘front-end’ ONLY answers to ‘https://noneofyoureffingbusiness.link/’ and forwards to a back-end that redirects to http://127.0.0.1/admin/, which is also part of open-source FreePBX.
Now for TLS connections, our TCP front-end only answers to zzyzzx.fart:5061 and forwards successful ones to a TCP transport on Asterisk running on 127.0.0.1:5060 (that transport’s 127.0.0.1 is awkward to construct in the gooey but can be done; the 5060 is just where TCP defaults to. I guess you could use 0.0.0.0:5060, but that is just plain sloppy in this scenario and then needs all those blacklists and fail2ban ipsets, whatever, as 0.0.0.0 includes ethx/enx/wifi).
(Provisioning similarly.)
Now we can tune TLS bindings to get an A+ on ssllabs for all three of these domains.
If we add a ‘strict-sni’ ssl option to your front-ends, then there is no sign that the external IP of your box is listening to IP-based connections on TCP 80, 443, 5060 or 5061, and UDP is not responsive on any port to the drive-bys that are the 99.9% cause of your current angst.
Because none of your domain names will leak to an IP probe, having knowledge of one name is unlikely to leak other ones, which kinda beats the remaining 0.01%, who are probably insiders anyway, into submission.
Now acme.sh is a lovely acme client written by Neil Pang that easily allows you to use one of 150 common ‘name services’ to issue as many certs as you want from various CAs using APIs and acme’s DNS-01 protocol, which precludes any need to have your local web servers be involved with that process; there is no need for pinholes, reserved ports etc. that the HTTP-01 protocol requires.
acme.sh also has ‘deployment’ scripts for haproxy along with mikrotik, UniFi and ... lots.
Now throw in SSH or HomeAssistant or Plex or most any TCP layer connection; all can be similarly protected.
That should be the last time you need to get involved with certificates as a cron-job will efficiently track daily any need to renew.
To get incredibly funny but cheap domain names go to namecheap.com; many cloud providers provide complimentary ‘name service’ with APIs that acme.sh knows about, and namecheap will easily let you change the NS destination of your $12/year domain.
Further, haproxy is already part of ‘the distro’, so it is already installed.
IWFM, and my /etc/haproxy/haproxy.cfg is less than 200 lines.
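A minimal haproxy.cfg laying out the three front-ends described in this post, as an added example that is not the poster's own config: switch.corporate.com and noneofyoureffingbusiness.link terminate HTTPS and hand plain HTTP to FreePBX on loopback, zzyzzx.fart:5061 terminates SIP TLS for Asterisk on 127.0.0.1:5060, and every TLS bind carries strict-sni so an IP-only probe gets a failed handshake rather than a certificate naming a host. It assumes acme.sh's haproxy deploy hook has written the combined key and chain PEMs into /etc/haproxy/certs/ (an assumed path) and that FreePBX listens on loopback port 80.

```haproxy
# Added example, not the poster's own haproxy.cfg. Hostnames, the cert
# directory and the loopback ports are assumptions for illustration.
global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 only exists to bounce the named hosts to 443; anything else is refused
frontend http_in
    mode http
    bind :80
    acl known_host hdr(host) -i switch.corporate.com noneofyoureffingbusiness.link
    http-request redirect scheme https code 301 if known_host
    http-request deny unless known_host

# strict-sni: no SNI or an unknown name fails the handshake, no default cert is served
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1
    acl host_ucp   hdr(host) -i switch.corporate.com
    acl host_admin hdr(host) -i noneofyoureffingbusiness.link
    http-request deny if !host_ucp !host_admin
    use_backend freepbx_ucp   if host_ucp
    use_backend freepbx_admin if host_admin

# TLS is stripped here; FreePBX on loopback sees plain HTTP at the chosen path
backend freepbx_ucp
    mode http
    http-request set-path /admin/ucp%[path] unless { path_beg /admin/ucp }
    server fpbx 127.0.0.1:80

backend freepbx_admin
    mode http
    http-request set-path /admin%[path] unless { path_beg /admin }
    server fpbx 127.0.0.1:80

# SIP over TLS: TCP front-end, same strict-sni rule, only the one name accepted
frontend sip_tls_in
    mode tcp
    bind :5061 ssl crt /etc/haproxy/certs/ strict-sni
    tcp-request content reject unless { ssl_fc_sni -i zzyzzx.fart }
    default_backend asterisk_tcp

# Asterisk's TCP transport bound to 127.0.0.1:5060, never to 0.0.0.0
backend asterisk_tcp
    mode tcp
    server pbx 127.0.0.1:5060
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; with strict-sni in place, an `openssl s_client` connection to the raw IP without `-servername` should fail the handshake rather than return any certificate.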