Cannot create certificates for guest machines

I have a hypervisor set up with multiple virtual/guest machines running on it (below are the domains).
I've got nginx reverse proxy running on the hypervisor, and split DNS for me to access internally (no loopback/hairpin router for me).

I mention that, because I'm not sure if it makes a difference.

I have all the sites set up correctly, and can access them, but I cannot get the certificates to work.
Googling "Certbot Reverse Proxy" has led to nothing useful, as it basically just says "install letsencrypt on nginx"; nothing useful about reverse proxy.

I can see after generating the certificates on the host machine (the hypervisor), the config files are updated, but viewing the sites still has the insecure warning, or basic HTTP.
I've tried running certbot on the guest machines, but they always fail the validation (I assume because of the setup).

My domains are:
onedev.classicniall.co.uk, zulip.classicniall.co.uk, owa.classicniall.co.uk

My web server is (include version):
Dell HyperVisor

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --nginx

Looks like your nginx is "speaking" HTTP on port 443 instead of HTTPS, so that's pretty bad. Something must be off with your nginx configuration.

Please share the entire output of nginx -T.


Please show the output of:
ls -ls /etc/nginx/sites-enabled/


Keep in mind it's the first public webserver you hit that you're trying to set up the certs on; regardless of how your backend is implemented, it's the thing that terminates the TLS conversation that matters. In this case, it's your nginx that will be doing all the work (then proxying back to your internal sites), so I'd argue you want to run certbot on your hypervisor host, not the individual VMs (although you can also do that).

For Let's Encrypt HTTP validation to work, they will make an HTTP (TCP port 80) request to each website. If you have instead configured your hypervisor to try to speak TLS on port 80, it will all break, as @Osiris mentioned, so remove that SSL config on port 80 and just keep it for port 443.

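The port-80/port-443 rule from the reply above, as an added shell check that is not from the thread, from Certbot or from nginx: it scans `nginx -T` output for `listen` directives that carry `ssl` on port 80 (HTTP-01 needs plain HTTP there) or lack it on port 443 (nginx then answers 443 in plain HTTP, the symptom @Osiris described). The broken and fixed vhosts below are constructed; the domains, backend IP and certificate paths are made up.

```shell
# Added check, not from the thread. Usage: nginx -T 2>/dev/null | check_listen_ports
# Prints one BAD line per offending `listen` and exits 1 if any were found.
# Assumes the modern `listen ... ssl` syntax (not the old `ssl on;` directive).
check_listen_ports() {
  awk '
    /^[[:space:]]*listen[[:space:]]/ {
      line = $0
      sub(/^[[:space:]]+/, "", line); sub(/;.*$/, "", line)  # strip indent, ";" and comment
      n = split(line, f, /[[:space:]]+/)
      port = ""; ssl = 0
      for (i = 2; i <= n; i++) {                              # f[1] is the word "listen"
        if (f[i] == "ssl") { ssl = 1; continue }
        if (port == "") { p = f[i]; sub(/^.*:/, "", p); port = p }  # "[::]:443" -> "443"
      }
      if (port == "80" && ssl)   { print "BAD: TLS on the HTTP-01 port: " $0; bad++ }
      if (port == "443" && !ssl) { print "BAD: plain HTTP on 443: " $0; bad++ }
    }
    END { exit (bad > 0) }
  '
}
# Constructed vhosts for the reverse proxy on the hypervisor (not the poster's real config).
broken_config() {
  cat <<'EOF'
server {
    listen 80 ssl;                  # TLS where Let's Encrypt expects plain HTTP
    server_name onedev.example.test;
    location / { proxy_pass http://10.0.0.11; }
}
server {
    listen 443;                     # no ssl: plain HTTP answered on 443
    server_name zulip.example.test;
}
EOF
}
fixed_config() {
  cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name onedev.example.test;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name onedev.example.test;
    ssl_certificate     /etc/letsencrypt/live/onedev.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/onedev.example.test/privkey.pem;
    location / { proxy_pass http://10.0.0.11; }     # TLS ends here, HTTP to the VM
}
EOF
}
```

Running `broken_config | check_listen_ports` reports both bad lines and exits 1; the fixed config passes silently.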

Thanks for all the replies, advice and info.

I think it had something to do with the nginx config.
I deleted all previous configs and set them up again. Running certbot --nginx seems to have done the trick.
A couple of sites aren't working, but that could be because of the cache or the service running on them.

I'm taking it that it's working properly, since the majority of the sites are secured 🙂

