Feature request: Use Public CA cert and sign SSL cert so reverse proxy can use ca public cert to trust Technitium web server #1505

@Anutrix

Currently, the Technitium DNS server web console is accessible these ways:
Technitium DNS server LXC -> https://ns1.sub.example.lan:53443
Caddy reverse proxy LXC -> https://ns1.sub.example.com

The goal is to keep *.lan for direct access and *.com for access via a reverse proxy like Caddy.

Inside the Caddy config, I have a Let's Encrypt certificate configured along with other subdomains for other uses. It looks like this:

*.sub.example.com {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }

        @ns1 host ns1.sub.example.com

        handle @ns1 {
                reverse_proxy ns1.sub.example.lan:53443 {
                        transport http {
                                tls
                                tls_insecure_skip_verify
                        }
                }
        }
}

*.example.com {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }

        @pve host sub.example.com

        handle @pve {
                reverse_proxy sub.example.lan:8006 {
                        transport http {
                                tls_trusted_ca_certs  /var/lib/caddy/pve-root-ca.pem
                        }
                }
        }
}

The above works perfectly, but the problem, as you can see, is that for Technitium DNS I need to use tls_insecure_skip_verify instead of tls_trusted_ca_certs.

For pve (Proxmox server) I could just use its public CA cert to trust it. I was expecting to do the same for Technitium.
I am using the 'Use A Self Signed TLS Certificate When TLS Certificate File Path Is Unspecified' option in Technitium settings. Unfortunately, Technitium's TLS cert is self-signed but stored at /etc/dns/self-signed-cert.pfx as a single public-private bundle (see https://github.com/TechnitiumSoftware/DnsServer/blob/767f764f4f088d9ea7df065277aa0a2a2c8352f3/DnsServerCore/DnsWebService.cs#L947C21-L947C124).
Considering it contains the private key, I don't want to take it out and use it.

IMHO, ideally, when the above setting is enabled, Technitium should create a long-lasting (~10 years) self-signed CA certificate dns-root-ca.pem and then sign an SSL certificate (1-2 years maybe) dns-ssl.pem which gets periodically renewed like normal.
My feature request is basically this.

A workaround might be using an existing root CA like Proxmox's to sign Technitium's TLS certificate and use it.

I am willing to contribute, but I've never compiled the Technitium project before and it may take a while for a PR. Also, do correct me if there's any mistake in my explanation or understanding.
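As an added illustration of the requested CA-then-leaf layout (this is example code written for this page, not Technitium's implementation or anything from the linked repository), the .NET program below creates a ~10-year self-signed CA, signs a ~1-year server certificate with it, writes only the CA's public certificate as PEM for the proxy, and writes the server certificate plus private key as a PFX for the web server. It assumes .NET 7 or later (for ExportCertificatePem), uses the dns-root-ca.pem / dns-ssl.pfx file names and the ns1.sub.example.lan host name from this issue, and uses a placeholder PFX password; the CA name and the 4096/2048-bit key sizes are arbitrary choices.

```csharp
// Added example, not Technitium's code: long-lived self-signed CA + short-lived
// server cert, with the CA's public cert exported separately so a reverse proxy
// can pin it instead of skipping verification.
// Assumptions: .NET 7+, host/file names from the issue, placeholder PFX password.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SelfSignedCaDemo
{
    const string CaPemPath = "dns-root-ca.pem";  // public CA cert only; safe to copy to the proxy
    const string ServerPfxPath = "dns-ssl.pfx";  // server cert + private key; stays on the DNS host
    const string ServerHost = "ns1.sub.example.lan";
    const string PfxPassword = "CHANGE-ME";       // placeholder, not a real secret

    static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // 1. CA certificate: ~10 years, basicConstraints CA:TRUE with pathlen 0,
        //    key usage restricted to signing certificates and CRLs.
        using RSA caKey = RSA.Create(4096);
        var caReq = new CertificateRequest("CN=Technitium DNS Root CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(
            certificateAuthority: true, hasPathLengthConstraint: true, pathLengthConstraint: 0, critical: true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, critical: true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, critical: false));
        using X509Certificate2 caCert = caReq.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(10));

        // 2. Server certificate: ~1 year, CA:FALSE, serverAuth EKU, and a SAN equal to the
        //    upstream name the proxy dials; without a matching SAN, verification fails
        //    even when the CA is trusted.
        using RSA serverKey = RSA.Create(2048);
        var serverReq = new CertificateRequest("CN=" + ServerHost, serverKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        serverReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, critical: true));
        serverReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
        serverReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, critical: false)); // id-kp-serverAuth
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(ServerHost);
        serverReq.CertificateExtensions.Add(san.Build());

        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the DER INTEGER positive

        using X509Certificate2 serverCert = serverReq.Create(caCert, now.AddMinutes(-5), now.AddYears(1), serial);
        using X509Certificate2 serverWithKey = serverCert.CopyWithPrivateKey(serverKey);

        // 3. Outputs: PEM with the CA's public certificate only, and a PFX bundle for the server.
        File.WriteAllText(CaPemPath, caCert.ExportCertificatePem());
        File.WriteAllBytes(ServerPfxPath, serverWithKey.Export(X509ContentType.Pfx, PfxPassword));

        // 4. Sanity check: the server cert must chain to this CA when it is the only trusted root.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        Console.WriteLine(chain.Build(serverCert)
            ? "server cert verifies against " + CaPemPath
            : "chain build failed");
    }
}
```

With the resulting dns-root-ca.pem copied to the proxy host, the Caddy transport block for ns1 can use tls_trusted_ca_certs pointing at that file in place of tls_insecure_skip_verify, exactly as the pve block in this issue already does. Two things a real implementation would add beyond this demo: the CA's private key has to be persisted (for example in its own protected PFX) so that periodic renewals of the server certificate chain to the same CA the proxy already trusts, and the SAN must track whatever name the proxy dials the upstream by.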
