2 computers, 1 IP at home


#1

First, let me say that I’m not a network engineer and my knowledge of Linux is limited to following examples and writing in high-level languages (I’m learning PHP, but with a Windows background).

I’m trying to set up a second Linux server at my house. The first server was set up without issues. I was able to get a free domain from freenom.com and set up routing of ports 443 & 80 from the WAN to my LAN. However, I am trying to set up a second Linux server so I can write PHP code on a server (for a nonprofit I’m working on). However, since Server A already uses ports 80 & 443 at my IP address, I can’t get certbot/Let’s Encrypt to work on different ports. For example, I wanted Server B to have a certificate accessible at https://myorganization.ml:5443/.

When I run sudo certbot --apache -d myorg.ml -d www.myorg.ml, I get a rather complex error reply (below; real domain name changed):

How do I get 2 different linux computers encrypted behind the same IP?

Thanks

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myorg.ml
http-01 challenge for www.myorg.ml
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. myorg.ml (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myorg.ml/.well-known/acme-challenge/yCGuhk3MqfkwmZzPJVp2xmGUOD2aBLo-AdqkiksZPhg: q%!(EXTRA string=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p), www.myorg.ml (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stellar7.tk/.well-known/acme-challenge/GAiVLyGMG8W1PYGyORNX2bYgUoVQ5Yt2D45jrOkjyjc: q%!(EXTRA string=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: myorg.ml
   Type:   unauthorized
   Detail: Invalid response from
   http://myorg.ml/.well-known/acme-challenge/yCGuhk3MqfkwmZzPJVp2xmGUOD2aBLo-AdqkiksZPhg:
   q%!(EXTRA string=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p)

   Domain: www.myorg.ml
   Type:   unauthorized
   Detail: Invalid response from
   http://www.myorg.ml/.well-known/acme-challenge/GAiVLyGMG8W1PYGyORNX2bYgUoVQ5Yt2D45jrOkjyjc:
   q%!(EXTRA string=<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#2

Hi,

It’s fine…I’m a high school student… I know NOTHING…

Normally you’ll need a proxy that stands before both servers (or on one server) and proxies visitors to the correct server…

By the way, certbot will not accept connections that do not originate from regular ports… (which means port 8443 will probably not work to obtain a certificate).

Also, you could request the certificate on the first machine (the forwarding one) and transfer the certificate to the second machine.

Thank you


#3

Ideally, use DNS validation. Alternatively, obtain both certs on the first machine, and script deployment of the cert for the second machine.


#4

Also, after you have obtained the certificate, you can use it on any port. You can’t obtain a Let’s Encrypt certificate by performing a validation to port 8443, but you can use a Let’s Encrypt certificate for a service on port 8443.


#5

Right now I have the router forwarding port 80 & 443 traffic to Server A. If I configure the router to send port 80 & 443 traffic to Server B, I should be able to get a Let’s Encrypt certificate?

Then I can switch the router back to sending 80, 443 -> Server A and 8080, 8443 -> Server B?

Will the automatic recert still work with Server B using ports 8080 (HTTP) and 8443 (HTTPS)?


#6

Sure.

No, Let’s Encrypt needs to validate domain control every time you renew the cert, which means they need to be able to reach you on port 80 if you’re using HTTP validation.


#7

Can you configure Server A to reverse proxy port 80 traffic for the hostname to Server B? Then HTTP validation could work.


#8

Unfortunately I do not have this knowledge. I can configure my home-use router, set up a few port direction rules, and run well written instructions. I can write software in a few high level languages but I’m totally clueless when it comes to Linux and networking.


#9

It’s not really that hard; using Google with the keywords “reverse proxy” and the name of your webserver will give lots of good results.

Just remember you need two “parts” of your webserver configuration: first, a normal virtualhost for website A, and second, the reverse proxy part in a virtualhost for website B.

Also, you can use server A as the SSL termination point for website B: clients will access server A on port 443 for website B, server A has the SSL certificate and will connect to port 80 on server B to get the actual content of website B to pass through to the client. Unless your internal network is unsafe, this is totally fine. And it will keep things simple, as you only have to run certbot on server A.
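The two-part Apache configuration that post #9 describes, written out as an added example (this is not from the thread or from any of the posters). It assumes Server A runs Apache 2.4, Server B is reachable on the LAN at 192.168.1.20, Server A’s own site is called sitea.example, and the ssl, proxy, proxy_http, headers and rewrite modules are enabled; none of those values appear in the thread.

```apache
# Added example for Server A (Apache 2.4); not from the thread.
# Assumed values, not given in the thread: Server B is at 192.168.1.20 on
# the LAN, Server A's own site is "sitea.example", and these modules are on:
#   sudo a2enmod ssl proxy proxy_http headers rewrite

# Part 1: the normal virtualhost for website A (what Server A serves today).
<VirtualHost *:80>
    ServerName sitea.example
    DocumentRoot /var/www/sitea
</VirtualHost>

# Part 2: port 80 for website B's names, answered by Server A itself.
# Certbot on Server A writes its http-01 challenge files under this
# webroot, so that path must be served locally and never forwarded;
# every other request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName myorg.ml
    ServerAlias www.myorg.ml
    DocumentRoot /var/www/acme
    <Directory /var/www/acme/.well-known/acme-challenge>
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Part 3: TLS termination for website B. The certificate and private key
# exist only on Server A; the hop to Server B is plain HTTP inside the LAN,
# which is acceptable only if that network is trusted (post #9's caveat).
# Add this block only after certbot has created the two .pem files, or
# Apache will refuse to start.
<VirtualHost *:443>
    ServerName myorg.ml
    ServerAlias www.myorg.ml
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/myorg.ml/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myorg.ml/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.20:80/
    ProxyPassReverse / http://192.168.1.20:80/
    # Lets the PHP application on Server B see that the client used HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Order of operations on Server A: create the webroot with `sudo mkdir -p /var/www/acme/.well-known/acme-challenge`, load Parts 1 and 2 and reload Apache, then check the plumbing before involving Let’s Encrypt: put a file there with `echo ok | sudo tee /var/www/acme/.well-known/acme-challenge/test` and fetch `http://myorg.ml/.well-known/acme-challenge/test` from outside your network; a 404 like the one in post #1 means the request is landing on a different virtualhost or a different machine. Once that returns `ok`, run `sudo certbot certonly --webroot -w /var/www/acme -d myorg.ml -d www.myorg.ml` (certonly with the webroot authenticator keeps certbot from editing the proxy virtualhost), add Part 3, and reload Apache. Renewals keep working without touching the router, because port 80 for myorg.ml still reaches Server A. If you would rather have Server B hold its own certificate (the variant in post #7), replace the DocumentRoot/Directory lines in Part 2 with `ProxyPass /.well-known/acme-challenge/ http://192.168.1.20:80/.well-known/acme-challenge/` and run certbot on Server B instead; the port 443 forwarding then has to go to whichever machine holds the private key.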

