Can we have two standalone reverse proxies operating side by side on the same network and request certificates for both for the same domain while using different URLs?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: interlogsolutions.net

I ran this command:

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian GNU/Linux 8 (64-bit)

My hosting provider, if applicable, is: Adista

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): we are using certbot but not sure the version

Our question is:
Can we have two standalone reverse proxies operating side by side on the same network, and request certificates with certbot for both for the same domain while using different URLs and certificates?

I understand the reverse proxies are serving the same domain, and want individual, unique certificates, but what do you mean by different URLs? Maybe different backend URLs for the requests to be proxied?

Hi bruncsak and thank you for your quick reply.
We would like to have one of the reverse proxies with a URL, for example https://hosting1.interlogsolutions.net, pointing to 10.0.0.1 (internal web server) and the second reverse proxy (on another external IP address), https://hosting2.interlogsolutions.net, pointing to 10.0.0.2 (the second internal web server). Is it possible to request certificates for each one of the reverse proxies?

Those are each two different "Fully Qualified Domain Names", so there is no problem. You are limited to 5 IDENTICAL certificates per week, and 50 certificates per "registered domain".

"interlogsolutions.net" is your "registered domain" and you are limited to 50 new certificates per week that include domains within that registered namespace (e.g. interlogsolutions.net, hosting1.interlogsolutions.net, app.hosting1.interlogsolutions.net).

You just want to request two certificates, one for:

and one for:

You only detailed the inside leg of the proxies.

Are both proxies going to use the same external IP (load-balanced)?

If not, is there going to be a third FQDN that will be used to share access (DNS load balance) to both proxies (like: "hosting.interlogsolutions.net")?

I think we don't have the full picture (yet)...
Hard to give a 100% certain answer without it.

Perfect, thank you for your reply on the matter, jvanasco.

Hi rg305, regarding your first question: no, they will not have the same external IP address (not load balanced, just 2 standalone reverse proxies side by side, co-existing on the same network with different internal and external IPs).
Regarding your second question: no, the whole idea is to have a second standalone reverse proxy to serve other internal web servers. The only thing both reverse proxies will share is the domain name interlogsolutions.net. We just need to know if we can share the same domain name (not the URL names) between the 2 reverse proxies and generate certificates for each one of the proxy servers.

This seems misleading to me...
OK they will have their own independent names/IPs/etc.
For that, just treat them separately as @jvanasco mentioned - they don't need to know anything about each other and will not conflict.
For this shared name... "interlogsolutions.net": You will only be able to get a cert for that name (via HTTP authentication) at the IP that it resolves to.
So, I ask again (this time in a different way):
Is there going to be an FQDN ("interlogsolutions.net") that will be used by both proxies?
If not, where will that name be served securely ("https://interlogsolutions.net")?

Hi rg305. I might not be able to explain myself very well (sorry about that). Let's try something different:
Example of the scenario we would like to implement:
First reverse proxy config:
external URL (or FQDN): website1.interlogsolutions.net -> pointing to: External IP: 201.201.201.201 -> DMZ into internal reverse proxy 10.0.0.1 -> pointed to internal web server 192.168.50.1
Second proxy:
external URL (or FQDN): website2.interlogsolutions.net -> pointing to: External IP: 201.201.201.202 -> DMZ into internal reverse proxy 10.0.0.2 -> pointed to internal web server 192.168.50.2

Our initial question was, can we request the generation of certificates for both reverse proxies with certbot without each other interfering on the "letsencrypt.org" root CA server?
Thank you

OK that answer is yes.
You can do that with no problem.

Cheers from Miami :beers:
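An added example, not part of the original thread: a small model of the two weekly limits quoted earlier (5 identical certificates, 50 per registered domain), applied to the two proxy names from the scenario. The functions `registered_domain`, `check_request` and `simulate`, the dates, and the faulty-renewal scenario are constructed for illustration; the two-label registered-domain rule is an assumption that holds for `.net`.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
MAX_IDENTICAL = 5        # same exact name set, per week (figure quoted in the thread)
MAX_PER_REGISTERED = 50  # per registered domain, per week (figure quoted in the thread)

def registered_domain(fqdn):
    # Assumption: last two labels. Correct for .net; general code needs the
    # Public Suffix List (e.g. for names under co.uk).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def check_request(names, history, now):
    """Decide whether a new certificate for `names` fits both limits.

    history is a list of (issued_at, frozenset_of_names) for past issuance.
    Returns (allowed, reason).
    """
    wanted = frozenset(n.lower() for n in names)
    recent = [s for t, s in history if now - t < WINDOW]
    if sum(1 for s in recent if s == wanted) >= MAX_IDENTICAL:
        return False, "identical-certificate limit"
    for reg in sorted({registered_domain(n) for n in wanted}):
        used = sum(1 for s in recent
                   if any(registered_domain(n) == reg for n in s))
        if used >= MAX_PER_REGISTERED:
            return False, "registered-domain limit for " + reg
    return True, "ok"

def simulate():
    # Constructed scenario: each proxy requests only its own FQDN.
    now = datetime(2024, 1, 8, 12, 0)
    proxy1 = ["website1.interlogsolutions.net"]
    proxy2 = ["website2.interlogsolutions.net"]
    history, log = [], []
    # Proxy 1 issues once, then a faulty renewal job re-requests five more times.
    for i in range(6):
        when = now + timedelta(hours=i)
        ok, reason = check_request(proxy1, history, when)
        log.append(("proxy1", ok, reason))
        if ok:
            history.append((when, frozenset(proxy1)))
    # Proxy 2 requests afterwards; its name set differs, so it is unaffected.
    when = now + timedelta(hours=6)
    log.append(("proxy2",) + check_request(proxy2, history, when))
    return log

if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

The identical-certificate count is keyed on the exact set of names, so a renewal loop on one proxy cannot exhaust the other proxy's allowance; only the per-registered-domain count is shared between them.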

Perfect! Many thanks for all your valuable inputs. Cheers from Portugal. :slight_smile:
