Confused re multiple hosts needing SSL

My domain is: camerongardens.co.uk

My understanding is that in order to renew LE certs port 80 needs to be accessible on the hosts. If I have multiple hosts on the LAN then I think I have to use a reverse proxy to sort this. Can anyone point me to an intelligible guide that does not refer also to Docker? All the YT vids seem to be docker-centric and in this instance docker isn't a thing!
And if I am wrong in my assumptions, please obvs correct me!
Thanks

1 Like

If you only have one external IP, and you need separate certs [on multiple systems] behind it, then yes, you will need to proxy some of those challenge requests.

Installing/configuring a reverse proxy is very straightforward.
Pick a system that will run the web proxy service.
Forward external port 80 to that system.
Install the web server.
Configure it to proxy the FQDNs necessary.
Install the ACME clients on those other systems.
Use client to obtain cert [on each internal system].

6 Likes

How are you getting your certs today? Because I see a long history of using and renewing certs for that domain (see crt.sh here)

Also, you could consider having one host using a DNS Challenge and distribute the cert to your other hosts. Your DNS provider Cloudflare is one of the easier ones to automate.

6 Likes

Can you describe your network architecture?

5 Likes

It should be perfectly possible to just run e.g. a nginx instance without Docker on your to be reverse proxy. For nginx there's an official certbot-nginx plugin for the certificate management using Certbot. There are also other reverse proxy softwares possible e.g. Caddy, which has build-in ACME support for certificates or e.g. HAProxy, for which a third party certbot-haproxy plugin is available.

You could even use Apache with mod_md as a reverse proxy (I'm running Apache, but not as a reverse proxy), but most users here I believe prefer nginx for some reason. I dunno why :man_shrugging:

6 Likes

While I have nothing against nginx, I'm with you in Club Apache using mod_md. I still can't help but think that the reasoning is akin to the following clip even though there are undoubtedly other reasons people use nginx.

5 Likes

I'm still waiting for good modern efficent OS, Web Browser, and Web Server. Guess if I hold my breath that long the problem will go away. :rofl:

4 Likes

"Configure it to proxy the FQDNs necessary."

Thanks, but the reason I asked the question is I do not understand how to configure a reverse proxy. As you will see from my OP I was asking to be referred to a simple guide that I can follow. If I am being pathetically honest, the whole cert system in practical terms mystifies me. And I'm no idiot!

1 Like

The web dev does the certs for the hosted web server. I have no involvement in that, rightly or wrongly.

SIngle subnet behind pfSense. Various services running on dedicated boxes and vm's on LAN that need to be able to respond to https requests from inside and out, and need to be able to renew those LE certs.

1 Like

Mike my issue is that up to now all I know is to open port 80 to the host in order to renew the LE cert then close it again. I am trying to learn how to not have to feck about manually opening and closing ports on the 3 or 4 services that I need LE certs on.

I assume that I port forward all queries on 80 (and 443?) to the nginx ip?
What I am trying to understand is how this config below would be configured so that the right query goes to the right host. Say I have 3 internal hosts of say wiki.domain.dom, mailstore.domain.dom:8462, and webmail.domain.dom:5000 how do I 'direct' the incoming traffic that hits nginx to the right host?
(I accept that the config below might be wrong, as I cannot seem to understand the mechanics properly)

server {
listen 80;
listen [::]:80;

server_name wiki.local.camerongardens.co.uk;

location / {
    proxy_pass app http://10.0.69.29;
    include proxy_params;
}

}

1 Like

pFsense might be able to assist with the one-to-many HTTP problem.
I think it can route HTTP connections based on SNI - but I haven't used it in a while...
Not sure if that would much help if you also need to reach those internal systems via HTTPS [from the Internet]. But we haven't spoken about that yet.

4 Likes

I prefer to use the same name in the proxy request.
That, of course, requires one to "use the [DNS] force".
Like, by adding an entry in the local hosts file:
10.0.69.29 wiki.local.camerongardens.co.uk

server_name wiki.local.camerongardens.co.uk;
proxy_pass app wiki.local.camerongardens.co.uk;

[What does "app" do in that line?]

4 Likes

This design can be a pain because of limitations of routing on pfSense. I haven't really touched it in 10+ years, so I'm going to talk about some abstract concepts.

Depending on capabilities, I think you have a few possible options to get certificates:

  • Run Certbot on every machine, and route requests to hosts based on FQDN. I do not know if pfSense supports this. An alternate way to attempt this is to route all port 80 traffic onto one machine, and then use that machine to redistribute traffic across the network. This is not ideal, but it gets around situations where you don't have adequate routing on the gateway by FQDN but only by port.
  • Run Certbot on 1 machine, and route all requests on port 80's /.well-known/acme-challenge onto that machine. I do not know if pfSense supports URL based routing like this.
  • Run Certbot on 1 (or more) machine and use DNS-01 challenges. You can use acme-dns to handle this by installing it on your network and delegating authority to it.

You should only use Certbot on multiple machines if the domains are different. If the domains are the same, the best option is to use 1 machine and then deploy the certificates onto the other machines.

If any of these 3 general methods appear to be more possible to implement than the others, we can help you get it working.

5 Likes