Certificates for backup servers using proxy pass

danjde · May 9, 2017, 4:36pm

Hi friends,
I've two VPS, and I would like to know if should be possible to use as "controller machine" (as described here ) one of this my two server or if is necessary a third server.

Many thanks!

Will Let's Encrypt work for me? (Multiple servers serving one domain)

i can confirm this works.

location ~ /.well-known/acme-challenge/ {
proxy_pass http://ctrl.mydomain.com:80;
}

using nginx i added this location to ALL server blocks.

You then run lets encrypt on the machine ctrl.mydomain.com (this machine typically is the controller machine, and is not serving web stuff - its pure purpose from a web POV is to handle incoming cert requests - if you don't know what a controller machine is then read up on ansible)

To make it work I had to use the webroot plugin for Let's Encrypt. I could not get standalone mode to work.

my A records look like ..

www01.mydomain.com points to 1.2.3.4
www02.mydomain.com points to 2.3.4.5
ctrl.mydomain.com points to 3.4.5.6
mydomain.com points to 1,2,3,4 and 2,3,4,5 (multiple A records)
www.mydomain.com is an alias (cname) for mydomain.com

NGINX runs on www01 and www02 on port 80 to load balance requests (e.g. www01 load balances between www01 and www02, www02 ALSO load balances between www01 and www02)

the above lets encrypt location block is added to NGINX running on both www01 and www02 for all NGINX server blocks

now run lets encrypt in webroot mode (you will need to standup a web server on your controller machine) and request a single certificate for www01.mydomain.com www02.mydomain.com mydomain.com www.mydomain.com

when you run this command on your controller machine (ctrl.mydomain.com) it will fireoff a request to each of the 4 domains in return. Every single request will be proxied back to ctrl.mydomain.com via NGINX

bosh!
[..]

schoen · May 9, 2017, 8:19pm

Hi @dandje, it should be fine for one of the machines to be one of your web servers. It doesn’t need to be a separate machine.

danjde · May 10, 2017, 3:55pm

OK, I proceed then will follow a short report of mine to help other users.

thanks!

danday74 · May 11, 2017, 9:18am

Hi danjde,

I “think” you are asking, can the controller machine be an email server too. The answer is YES! Your solution sounds fine.

danday74

danjde · May 11, 2017, 2:18pm

Hi danday74 and thanks for your kind reply,
excuse me for my bad English, the question is:

to use one of the two email servers, as “controller machine” to get the certificates for both of themselves.

Thanks again!

danday74 · May 11, 2017, 2:44pm

yes thats fine as follows:

machine 1 - is controller machine and email server and is the machine on which to execute the lets encrypt CLI commands
machine 2 - this is an email server only and it should proxy pass let’s encrypt requests to machine 1

danjde · May 11, 2017, 3:00pm

Very thanks for your help danday74!
I wanted to be safe before doing disasters!

Thanks again

danjde · May 24, 2017, 3:47pm

Hi friends,
I’ve make all changes as suggested by @danday74, but when I run certbot:

certbot certonly --webroot -w /var/www/letsencrypt --expand -d server.sio4.org -d sio4.org -d www.sio4.org -d pop.sio4.org -d mail.sio4.org -d smtp.sio4.org -d server2.sio4.org [..]

Obtain the error:

Failed authorization procedure. server2.sio4.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server2.sio4.org/.well-known/acme-challenge/Kqy88NRyl3ZXui2JoBa1AMRmtSkL40WdfpwKWy-KYCE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: server2.sio4.org
   Type:   unauthorized
   Detail: Invalid response from
   http://server2.sio4.org/.well-known/acme-challenge/Kqy88NRyl3ZXui2JoBa1AMRmtSkL40WdfpwKWy-KYCE:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

To date I made these changes:

DNS entry: on sio4.org DNS, add record as “A” value “ctrl” to “91.205.175.213” (server.sio4.org)
DNS entry: on sio4.org DNS, add record as “A” value “server2” to (backup server) 5.189.166.16
DNS entry: add MX backup (server2.sio4.org -> 5.189.166.16) value on every “my” DNS domain

Add to every Virtual Domain Apache (only http and not non https):

 `ProxyPass "/.well-known/acme-challenge/" "http://ctrl.server.sio4.org:80"`

Maintained the Apache Letsencrypt configuration:

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory “/var/www/letsencrypt/.well-known/acme-challenge/”>
Options None
AllowOverride None
ForceType text/plain

avoid access to anything not resembling a challenge

#RedirectMatch 404 “^(?!/.well-known/acme-challenge/[\w]{43}$)”
enabled on server.sio4.org Apache proxy module: a2enmod proxy
Checked the Apache accuracy configuration: apachectl configtest

Should I delete the current Letsencrypt configuration/folder and run again certbot?

Any help is very appreciate, GASP!

schoen · May 24, 2017, 4:44pm

If you create /var/www/letsencrypt/test.txt, can you see it at http://server2.sio4.org/test.txt?

If you create /var/www/letsencrypt/.well-known/acme-challenge/test.txt, can you see it at http://server2.sio4.org/.well-known/acme-challenge/test.txt?

If not, your Apache configuration is still not correct yet.

system · June 23, 2017, 4:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Certificates for backup servers using proxy pass

avoid access to anything not resembling a challenge