I’ve used .local as the TLD internally in the homelab since the beginning. This is not a good idea for several reasons (most importantly, .local is reserved for multicast DNS by RFC 6762, so unicast DNS names under it collide with mDNS resolution on many clients), and I decided it was about time to remove it and start using my own domain for internal services.

Updating the step-ca config

I wanted to expose the step-ca service outside of the k3s cluster using a domain name different from the current step-ca.local. This requires changing the dnsNames property in the configuration file (this is the same as passing a new value to the --dns flag when bootstrapping the creation of a CA).

The resulting section dnsNames in ca.json then becomes:

{
  ...
  "dnsNames": [
    "step-certificates.step-ca.svc.cluster.local",
    "step-ca.homelab.fredrickb.com",
    "localhost"
  ],
  ...
}

I had step-ca.local as a temporary entry while migrating the services over to the new domain. The config above is the final result after completing the migration process.

Updating the OPNsense Unbound DNS config

Adding the new domains in the OPNsense Unbound DNS host overrides (kudos to Home Network Guy for the tutorial):

Screenshot of new OPNsense DNS overrides

Updating the Proxmox config

In the Ansible playbook I use for my Proxmox hosts I changed the ACME directory URL used for the ACME account to the following:

# roles/add-acme-certificate/vars/main.yaml
step_ca_url: https://step-ca.homelab.fredrickb.com/acme/acme/directory

And then the domain used for the hosts themselves:

; inventory.ini
10.0.2.2 domain=pve2.homelab.fredrickb.com name=pve2
10.0.2.3 domain=pve3.homelab.fredrickb.com name=pve3

Ordering a certificate for the Proxmox hosts now uses the new domain name of the step-ca service:

Screenshot of TLS certificate being provisioned to Proxmox host

Accessing one of the Proxmox hosts using a new domain with a valid cert:

Screenshot of one of the Proxmox hosts after updating DNS records and TLS certificate provisioning

Updating the Ingress config

In Kubernetes it's just a matter of updating the domain in the Ingress and letting the existing step-issuer provision new certificates.

Below is a snippet from the Grafana ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: step-issuer
    cert-manager.io/issuer-group: certmanager.step.sm
    cert-manager.io/issuer-kind: StepClusterIssuer
  labels:
    ...
  name: grafana
  namespace: grafana
spec:
  ...
  rules:
    - host: grafana.homelab.fredrickb.com
      ...
  tls:
    - hosts:
        - grafana.homelab.fredrickb.com
      secretName: grafana-tls-cert
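A quick consistency check I find useful after a migration like the one above, covering both the dnsNames section of ca.json and the Ingress hosts. This is an added example, not code from the original post; the inputs are constructed to mirror the page's ca.json, step_ca_url and Grafana Ingress, with the temporary step-ca.local entry deliberately left in so the check has something to flag, and the in-cluster *.svc.cluster.local name is treated as legitimate.

```python
"""Consistency checks for a .local -> real-domain migration with step-ca.

Added example, not from the original post. Inputs are constructed to mirror
the page's ca.json, step_ca_url and Grafana Ingress; a stale step-ca.local
entry is left in on purpose so the check has something to flag.
"""
import json
from urllib.parse import urlparse

INTERNAL_ZONE = "homelab.fredrickb.com"

# Constructed: the dnsNames section of ca.json with the temporary entry still present.
CA_JSON = json.dumps({"dnsNames": [
    "step-certificates.step-ca.svc.cluster.local",
    "step-ca.homelab.fredrickb.com", "localhost", "step-ca.local"]})

# Constructed: the ACME directory URL the Proxmox playbook points at.
STEP_CA_URL = "https://step-ca.homelab.fredrickb.com/acme/acme/directory"

# Constructed: the relevant parts of the Grafana Ingress as a dict.
INGRESS = {"spec": {
    "rules": [{"host": "grafana.homelab.fredrickb.com"}],
    "tls": [{"hosts": ["grafana.homelab.fredrickb.com"], "secretName": "grafana-tls-cert"}]}}


def is_cluster_local(name):
    # In-cluster Kubernetes service names legitimately end in .svc.cluster.local.
    return name.endswith(".svc.cluster.local")


def lint_ca_dns_names(ca_json, acme_url):
    """Return (missing, stale): ACME host absent from dnsNames, leftover .local names."""
    names = set(json.loads(ca_json)["dnsNames"])
    acme_host = urlparse(acme_url).hostname  # clients verify the CA cert against this name
    missing = [] if acme_host in names else [acme_host]
    stale = sorted(n for n in names if n.endswith(".local") and not is_cluster_local(n))
    return missing, stale


def lint_ingress(ingress):
    """Return (uncovered, foreign): rule hosts with no tls entry, tls hosts outside the zone."""
    spec = ingress["spec"]
    rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    uncovered = sorted(rule_hosts - tls_hosts)
    foreign = sorted(h for h in tls_hosts if not h.endswith("." + INTERNAL_ZONE))
    return uncovered, foreign


if __name__ == "__main__":
    print("ca.json :", lint_ca_dns_names(CA_JSON, STEP_CA_URL))
    print("ingress :", lint_ingress(INGRESS))
```

Pointing the first check at the real ca.json (and, if you use it, at each service's Ingress) catches the two mistakes that bite after the rename: an ACME URL whose host the CA certificate does not carry, and a host rule whose TLS block still lists the old name.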

Accessing Grafana using the new domain with a valid cert:

Screenshot of Grafana after updating DNS records and TLS certificate provisioning

Conclusion

Every service in the homelab now uses *.homelab.fredrickb.com instead of *.local.
