1 public IP; 1 router; 2 hosts/devices; 2 LE certs - How to pls?

My initial domain is: barracu.com
The operating system my web server runs on is (include version): Synology DSM 6.2.3.x
I can login to a root shell on my machine: yes
I can/would-like-to-continue-to use a control panel to manage my site.

I have 2 Synology devices (NAS & Router) behind 1 internet router. I would like to have both devices deploying/implementing an LE cert (whether the same multi-subdomain cert or a wildcard cert or 2 different domains)
All reading however, points to needing to have 80 open and fwd’d to the host/device deploying the LE cert. (https://letsencrypt.org/docs/allow-port-80/)

I don’t know of a way - perhaps other than a reverse proxy setup - to forward the one port to 2 different hosts.

Is that the only way I’m likely to be able to achieve the objective pls?

Or does anyone have a really clever way of achieving this pls?


This is the way, unless you want to try something exotic like a reverse tunnel to an outside host (Cloudflare Argo Tunnel, a Linux VPS, whatever).


Thanks for the prompt response _az.

I can see that working for 2 different domains (assuming the Synology plays ball). But would/does LE support that with a wildcard cert request for the same domain being set up from 2 different hosts/devices?


I’m not sure I understand the question.

Your reverse proxy would serve one or more certificates, for whatever domain is requested. It’s necessary that the SSL is terminated at the reverse proxy, otherwise it can’t do its job of forwarding the requests to your internal hosts.

How that request is then forwarded on your internal network is up to you - Let’s Encrypt has no opinion on it.


Fair comment.

My issue is that the NAS already serves up an application via reverse proxy, which works fine. What I now want to do is use an LE cert on the Router as the cert for a VPN endpoint. So, calls to the Router-based VPN would come in directly to the router as opposed to being reverse proxied via the NAS.

The only thing I would want/expect to RP to the router would be LE’s port 80 call to check ownership/challenge, etc. The cert/SSL itself would have to be terminated on the Router.
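The split described in the last post, as an added example that is not from this thread or from Synology: an nginx reverse proxy on the NAS (port 80 from the internet is forwarded to the NAS) that relays only the ACME HTTP-01 challenge path for the router's hostname back to the router, while the NAS keeps answering its own challenges locally. Hostnames `vpn.example.com` / `nas.example.com`, the router LAN address `192.168.1.1`, and the webroot path are assumed placeholders.

```nginx
# Added example (not Synology's generated config). Assumed placeholders:
# router LAN IP 192.168.1.1, hostnames vpn.example.com and nas.example.com,
# NAS ACME client webroot /var/www/acme.

# Name the router will get its certificate for. Only the challenge path is
# proxied; the VPN itself is reached by its own port forward straight to the
# router and never passes through this proxy, so TLS terminates on the router.
server {
    listen 80;
    server_name vpn.example.com;

    # Let's Encrypt fetches http://vpn.example.com/.well-known/acme-challenge/<token>
    # (HTTP-01). Relay exactly that prefix to the router's HTTP listener.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Nothing else on port 80 belongs to this name: refuse it rather than
    # exposing the router's management UI over the relay.
    location / {
        return 404;
    }
}

# The NAS's own name: its ACME client writes challenge files into the webroot
# and the existing app stays behind HTTPS as before.
server {
    listen 80;
    server_name nas.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because HTTP-01 validation only needs the challenge path, the router's HTTP port can stay reachable from the LAN alone; the only thing exposed to the internet is the challenge prefix for that one hostname.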
