2 nginx servers, each with its own domain, behind a single public IP

I can read answers in English: so-so...
My domain names are: x.ovh and y.ovh
I ran this command:
. for x.ovh the certificate is managed by yunohost
. for y.ovh I used (without success): sudo certbot certonly --standalone -d y.ovh
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for y.ovh
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. y.ovh (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://y.ovh/.well-known/acme-challenge/R_1dgSCxTAN6QvnYs0LCHJaPZX67o7CwbJxR1oiuRFE [82.65.30.X]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: y.ovh
    Type: unauthorized
    Detail: Invalid response from
    http://y.ovh/.well-known/acme-challenge/R_1dgSCxTAN6QvnYs0LCHJaPZX67o7CwbJxR1oiuRFE
    [82.65.30.X]: "\r\n404 Not
    Found\r\n<body bgcolor="white">\r\n

    404
    Not Found

    \r\n
    "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): OMV 5 (openmediavault) on Raspberry Pi 3 B+ (5.5.23-1 (Usul), ARMv7, Linux 5.10.11-v7+)
I also tried with the LinuxServer SWAG docker image (same result)
My web server is (include version): Raspberry Pi 3 B+
The operating system my web server runs on is (include version):
OpenMediaVault (OMV) on Raspberry Pi 3 B+ (5.5.23-1 (Usul), ARMv7, Linux 5.10.11-v7+)
I also tried with docker via the LinuxServer SWAG docker image
My hosting provider, if applicable, is: myself, with a fixed public IP (IPv4)
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): OMV, as noted above, but in practice I do everything through the SSH terminal.


Hello everyone, and sorry to bother you, but I can't find a solution for my situation.

I have a large server that I use for professional purposes, based on yunohost, with a domain name (x.ovh), and it is yunohost that generates and renews the letsencrypt certificate for that domain.

Naturally, the router forwards (among others) ports 80 and 443 to that server.

I also have a second mini server on the same LAN, namely a Raspberry Pi 3 B+ running OMV 5, with its own dedicated domain name: y.ovh

To reach this mini server, I use yunohost's redirect app (invisible nginx proxy pass) to forward all requests for y.ovh to the local IP of the Raspberry Pi, which runs a docker nginx (latest version).

I can access this nginx server without any problem.

Unfortunately, I never manage to generate a letsencrypt certificate on the Raspberry Pi (see the error message above) (http method) so that I can then integrate it into nginx.

I assume that the redirect from yunohost interferes with the verification, making the certificate generation fail.

So I would be grateful if you could tell me how I can obtain a certificate for this second domain name.

In particular, I'm wondering whether I should ask yunohost directly to generate the certificate for y.ovh? Could that solve the problem, or would I have to (if that is even possible) retrieve the certificate from the yunohost server and copy it to the Raspberry Pi?

As I don't really understand how certificates work, I wouldn't want to break the working letsencrypt certificate for x.ovh in the process.

I should also mention that I wanted to test the DNS method as well, without success, because token generation fails systematically via this link:
https://api.ovh.com/createToken/

Thanks for your help :slight_smile:

Hi @crocodudule,

If I understood this correctly, you have two server machines on the same home LAN, with only one public IP address. You use different domain names to refer to them, and you want each one to be able to get its own certificate for its own domain name, but you can only forward port 80 to one device or the other, so the device to which port 80 is not forwarded can't complete the challenge from the Let's Encrypt CA.

Some people in this situation have created a more sophisticated proxy_pass rule in nginx, where a request in /.well-known/acme-challenge is served from the nginx server's own local disk if the file exists, and if not, it will proxy_pass it to a different host. That could probably work in this case because then the nginx instance could pass its own challenges (by creating files) and could also facilitate the other device's challenges (by forwarding the HTTP requests to the other device). I don't know enough nginx syntax to describe how people accomplish this.

A certificate is just a text file and its validity is not in any way connected to a particular physical device or software environment. The same certificate (with its corresponding private key) can be copied onto a different device and work correctly there. So you also have the option to obtain the certificate on a different device and then copy it onto the device where you want it to be used. This process might be a little bit more difficult to automate, although ACME clients like Certbot and acme.sh typically provide "deployment hooks", which is a way of asking the ACME client to run a script for "deployment" whenever a new certificate is obtained. That script could then copy the new certificate (and certificate chain and private key) onto another machine.

I'm not familiar with Yunohost so I don't know whether there's any way in which it would become confused by this process. However, from the point of view of the certificate technology, it is completely acceptable.

If you can share the specific command and specific error message, maybe someone on this forum will understand what the problem could be. The DNS challenge method is also usually a good one when there is some reason that it's hard for a server to accept incoming TCP connections on port 80 from the rest of the Internet.

2 Likes
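The "more sophisticated proxy_pass rule" described in the reply above, written out as an added example (it is not from the thread and not YunoHost's own configuration). It goes on the machine that receives port 80 from the router (here the YunoHost box). nginx first looks for the challenge token on its own disk under an assumed webroot, /var/www/acme, and only if the file is not there does it hand the request to the Raspberry Pi at an assumed LAN address, 192.168.1.20. The ACME client on the YunoHost box would then run with `--webroot -w /var/www/acme`; the client on the Pi uses `--webroot` against the Pi's own nginx webroot (not `--standalone`, since the Pi's docker nginx already occupies port 80). The `server_name` list and addresses are placeholders for this example.

```nginx
# Added example: ACME HTTP-01 pass-through on the host that owns port 80.
# Assumptions (not from the thread): local webroot /var/www/acme, Pi at 192.168.1.20.
server {
    listen 80;
    server_name x.ovh y.ovh;

    location /.well-known/acme-challenge/ {
        # Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token>.
        # With root set here the file is looked up as
        # /var/www/acme/.well-known/acme-challenge/<token>.
        root /var/www/acme;
        # Serve the token if this host created it; otherwise fall through
        # to the named location, which forwards the request to the Pi.
        try_files $uri @acme_proxy;
    }

    location @acme_proxy {
        # A named location keeps the original URI, so the Pi receives exactly
        # /.well-known/acme-challenge/<token>. Keep Host so virtual hosts on the
        # Pi still match.
        proxy_pass http://192.168.1.20;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        # Everything that is not a challenge goes to HTTPS as usual.
        return 301 https://$host$request_uri;
    }
}
```

Two checks before relying on this: run `nginx -t` after adding the snippet, and confirm from outside the LAN that `curl -i http://y.ovh/.well-known/acme-challenge/test` returns whatever the Pi serves (a 404 from the Pi's nginx is fine at that point; a 404 from the YunoHost nginx means the request was never forwarded). Only `/.well-known/acme-challenge/` is proxied over plain HTTP, so no application traffic is exposed by this rule.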
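The "deployment hook" option from the reply above, as an added example that is not part of the original thread: Certbot runs the script given with `--deploy-hook` after every successful issuance or renewal, exporting `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS` (a space-separated list). The hook below stages `fullchain.pem` and `privkey.pem` with restrictive permissions and pushes them to the other machine over SSH. The remote account `pi@192.168.1.20`, the target directory `/etc/ssl/y.ovh`, and the use of `sudo nginx -t && sudo systemctl reload nginx` on the Pi are assumptions for the example; adjust them to the real setup.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook that copies a
# freshly issued certificate for y.ovh to another host on the LAN.
# Install as e.g. /etc/letsencrypt/deploy-y.ovh.sh and request the cert with:
#   certbot certonly --webroot -w /var/www/acme -d y.ovh \
#       --deploy-hook /etc/letsencrypt/deploy-y.ovh.sh
# Assumed (hypothetical): remote account pi@192.168.1.20, remote dir /etc/ssl/y.ovh.
set -eu

# Copy fullchain.pem and privkey.pem from a lineage directory into a destination
# directory. The private key is made owner-only before it leaves the box.
# Returns 1 if either file is missing, so a half-renewed lineage is never pushed.
stage_cert() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/y.ovh
    dest="$2"
    mkdir -p "$dest"
    for f in fullchain.pem privkey.pem; do
        [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
        cp "$lineage/$f" "$dest/$f"
    done
    chmod 0600 "$dest/privkey.pem"
    chmod 0644 "$dest/fullchain.pem"
}

# Push the staged files to the other machine and reload nginx there.
# Uses key-based SSH; the remote user needs write access to the target dir
# and sudo rights limited to the nginx test/reload commands.
push_to_host() {
    src="$1"; host="$2"; remote_dir="$3"
    scp -q "$src/fullchain.pem" "$src/privkey.pem" "$host:$remote_dir/"
    ssh "$host" "chmod 0600 '$remote_dir/privkey.pem' && sudo nginx -t && sudo systemctl reload nginx"
}

# Entry point when certbot invokes this file. Only y.ovh renewals are pushed;
# a renewal of any other lineage on the same box is ignored.
deploy_hook_main() {
    case " ${RENEWED_DOMAINS:-} " in
        *" y.ovh "*)
            tmp=$(mktemp -d)
            stage_cert "$RENEWED_LINEAGE" "$tmp"
            push_to_host "$tmp" "pi@192.168.1.20" "/etc/ssl/y.ovh"
            rm -rf "$tmp"
            ;;
        *) ;;
    esac
}

# Act only when certbot set the hook variables; sourcing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook_main
fi
```

Because `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are only set by Certbot, the script can be sourced or run by hand without touching the remote host, which is how the staging step can be exercised against a throwaway directory before wiring it into a real renewal.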

Thank you very much for your answers!

Finally, the OVH token generator worked, so I am trying validation by DNS.

For that, I use the SWAG container from here:
https://docs.linuxserver.io/general/swag#simple-html-web-page-hosting
With these settings (extract):
- TZ=Europe/Paris
- URL=y.ovh
- SUBDOMAINS=wildcard
- VALIDATION=dns
- DNSPLUGIN=ovh

I put the "application key", the "application secret" and the "consumer key" in the ovh.ini file, and I restarted the container.

But it still fails, with this message:
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for y.ovh will be requested
No e-mail address entered or address invalid
dns validation via ovh plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Requesting a certificate for *.y.ovh and y.ovh
Performing the following challenges:
dns-01 challenge for y.ovh
dns-01 challenge for y.ovh
Cleaning up challenges
Error determining zone identifier for y.ovh: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/y.ovh/status. (Are your Application Key and Consumer Key values correct?)
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/ovh.ini file.

I think the problem is the token generation; for information, the token generator is here:
https://api.ovh.com/createToken/

My "token configuration" is:
GET /domain/zone/
GET /domain/zone/y.ovh/*
POST /domain/zone/y.ovh/*
DELETE /domain/zone/y.ovh/*

Can you help me enter the correct parameters? Thanks again :slight_smile:

1 Like

OK, I had forgotten PUT /domain/zone/y.ovh/* in the configuration.

Validation works now!

But yunohost inserts the certificate of the first domain in between (and so I get a security alert...).

I will try to generate the y.ovh certificate on yunohost and see if it works... I wish myself good luck ^^

Drum roll.... It works, and it's the easiest way!

Yunohost creates the certificate for the second domain, then I use yunohost's "redirect" application, and it redirects all requests to the 2nd machine with the right certificate... It works perfectly!

I kinda want to cry, all this work for nothing! :rofl:

Thank you again for your help :slight_smile:

2 Likes