I don’t think I’m understanding the nuances of SSL Cert verification.
Internet ------>Apache Reverse Proxy-----LAN----->Apache Web Server
I have LE certs installed that make the SSL connection between Internet and Proxy Server; however, I’m trying to encrypt the backend connection between the Reverse Proxy and Local Apache Web Server.
Within my LE cert – I have it set up kind of as a SAN, or with multiple domains. The reverse proxy has one domain, and the internal Web Server is known as another domain. My pfSense local Domain Name Server or DNS resolver has the local IP address of the Apache Web Server mapped to the domain name of the Web Server. Both the reverse proxy and internal web server have copies of the LE certificates that were distributed by other means described on these forums: Automated deployment of key/cert from reverse proxy to internal systems
I can get the backend encrypted with the following Apache directives run on the proxy server:
I’m no expert on SSL --> However, I think these statements tell the client to encrypt but don’t verify the authenticity of the server.
When I enable these options (for example):
the error logs suggest I then need an SSLCACertificate file. I was hoping to use the LE fullchain.pem file for this; however, this clearly didn’t work.
I’ve seen others suggest use of an internal CA and self-signed certs to get around this problem. I’m not sure how to do this, unfortunately.
I just wanted to confirm that I cannot do the backend SSL encryption/verification using LE certs.
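
For reference, an added example (not part of the original post, and not the poster's configuration) of a proxy-side virtual host that shows encrypt-only backend settings next to settings that also verify the backend certificate. The hostnames `proxy.example.com` and `web.example.com`, the certificate paths and the Debian-style CA bundle path are assumptions. A certbot `fullchain.pem` contains the leaf and intermediate certificates but no root, so the trust anchor file here is the system root bundle.

```apache
# Added example. All hostnames and paths are placeholders (assumptions).
<VirtualHost *:443>
    ServerName proxy.example.com

    # Front side: Internet -> reverse proxy, using the LE certificate.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Back side: reverse proxy -> internal web server over TLS.
    SSLProxyEngine on

    # Encrypt-only variant: traffic is encrypted, but any certificate
    # presented on the LAN is accepted, so the backend is not authenticated.
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerCN off
    #   SSLProxyCheckPeerName off
    #   SSLProxyCheckPeerExpire off

    # Verifying variant: require a certificate that chains to a trusted
    # root, matches the hostname in the ProxyPass URL, and is not expired.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Trust anchors for the backend check. This must contain the root CA
    # that the LE chain ends in; fullchain.pem (leaf + intermediate) does not.
    # Path is the Debian/Ubuntu bundle location (assumption).
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # The name in this URL is what the backend certificate is checked
    # against, so it must be a name listed in the certificate's SANs and
    # must resolve (for example via the local DNS resolver) to the LAN
    # address. Using the backend's IP address here fails the name check.
    ProxyPass        / https://web.example.com/
    ProxyPassReverse / https://web.example.com/
</VirtualHost>

# On the internal web server, SSLCertificateFile should point at
# fullchain.pem so the intermediate is sent during the handshake.
```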