Copying SSL certs to firewalled servers


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: local.houwire.com

I ran this command: sudo certbot --apache -d local.houwire.com

It produced this output: Obtaining a new certificate

My web server is (include version): apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Can you explain your problem?

Thank you


#3

Hi! If the above is public, could you change the domain name to ‘example.com’? Thanks…
Our network techs use the same domain name for both internal & external domains - example.com. The external domain is hosted by a 3rd-party provider, while the internal domains are hosted in-house in Active Directory. I have a number of internal Linux web servers that require SSL certs, & the team doesn’t want to act on an internal CA. To get around this, I asked for a subdomain to be created, ‘intranet.example.com’, both internally & externally, built a server ‘encrypt.intranet.example.com’, got an external IP assigned, added a virtual host (‘le.intranet.example.com’) to it, &, after adding the virtual host to my /etc/hosts file with the same IP as its parent, had a certificate deployed.

Issue: I have other servers on intranet.example.com that I would now like to copy the SSL cert to (& every 90 days update them with the cert updated on this outward-facing server). Is this a/the right way to do it & how should I proceed?


#4

Hi,

If you are using Active Directory, why not use an internal CA? Active Directory can easily push a CA to client machines.

Anyway, I think you can use rsync (for Linux) if you wish to use a public CA. Try searching this forum and you can probably find others doing it this way. (Not sure what Windows can use.)

Thank you.


#5

I will search through the forum, confirm what needs to be rsync’d, rsync it, & if I still experience issues, I’ll be back. Very appreciative of your fast response.
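The rsync approach suggested in #4, worked out as a certbot deploy hook. This is an added example, not code from the thread: it runs on the public-facing encrypt server after a successful renewal, checks that the renewed lineage is complete and that the private key really belongs to the certificate, pushes the files to the internal Apache servers and reloads them. The internal hostnames, the remote directory /etc/pki/tls/letsencrypt and logging in as root over ssh are assumptions for the example; RENEWED_LINEAGE is the variable certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that pushes a
# renewed lineage from the public-facing "encrypt" host to internal Apache
# servers. Hostnames, REMOTE_DIR and root-over-ssh are assumptions.
set -eu

# Internal web servers named in the thread; override from the environment.
INTERNAL_HOSTS="${INTERNAL_HOSTS:-foo.local.example.com bar.local.example.com}"
# Destination directory on each internal host (assumed; not a certbot path).
REMOTE_DIR="${REMOTE_DIR:-/etc/pki/tls/letsencrypt}"
# Files the Apache config in this thread references, plus fullchain.pem.
REQUIRED_FILES="cert.pem chain.pem fullchain.pem privkey.pem"

# check_lineage DIR: verify DIR holds every required file and that privkey.pem
# is the key for cert.pem (compare digests of the SubjectPublicKeyInfo).
# Prints the lineage name on success, returns 1 on any problem.
check_lineage() {
    lineage="$1"
    for f in $REQUIRED_FILES; do
        if [ ! -r "$lineage/$f" ]; then
            echo "check_lineage: $lineage/$f missing or unreadable" >&2
            return 1
        fi
    done
    cert_spki=$(openssl x509 -in "$lineage/cert.pem" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$lineage/privkey.pem" -pubout | openssl sha256)
    if [ "$cert_spki" != "$key_spki" ]; then
        echo "check_lineage: privkey.pem does not match cert.pem in $lineage" >&2
        return 1
    fi
    basename "$lineage"
}

# push_lineage DIR: copy the lineage to every internal host and reload Apache.
# -L dereferences the live/ symlinks so real files, not links into archive/,
# land on the remote side; --chmod keeps the private key readable by root only.
push_lineage() {
    lineage="$1"
    name=$(basename "$lineage")
    for host in $INTERNAL_HOSTS; do
        rsync -aL --chmod=F600 -e ssh "$lineage/" "root@$host:$REMOTE_DIR/$name/"
        # Reload only if the config still parses, so a bad push cannot take the site down.
        ssh "root@$host" "apachectl configtest && systemctl reload httpd"
    done
}

# served_fingerprint HOST: SHA-256 fingerprint of the certificate HOST actually
# serves on 443. Compare it with
#   openssl x509 -noout -fingerprint -sha256 -in /etc/letsencrypt/live/<name>/cert.pem
# to catch the situation from #7, where a _default_ vhost keeps serving an old
# self-signed certificate after the Let's Encrypt one was installed.
served_fingerprint() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# certbot sets RENEWED_LINEAGE (and RENEWED_DOMAINS) when it runs a deploy hook.
# Set it by hand to push an existing lineage outside a renewal, e.g.
#   RENEWED_LINEAGE=/etc/letsencrypt/live/local.example.com ./push-internal.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_lineage "$RENEWED_LINEAGE" >/dev/null
    push_lineage "$RENEWED_LINEAGE"
fi
```

Install the script as a deploy hook (certbot renew --deploy-hook /path/to/push-internal.sh, or drop it into /etc/letsencrypt/renewal-hooks/deploy/) so it runs only when a certificate was actually renewed. For production, replace root@ with a dedicated deploy user whose authorized_keys entry uses a forced command that only accepts the rsync and the reload, so the encrypt server's ssh key cannot do anything else on the internal hosts.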


#6

Back from vacation - allow me to start from the beginning
Environment :
External domain = example.com. Hosted externally
Internal domain = example.com. Hosted internally
Caveat : I am NOT the network admin - I must work with what I am given. And my esteemed colleagues do not know how to push CAs & do not want to research

What I want : Attach ssl certs to internal (non-Internet facing) apache web servers;
foo.local.example.com, bar.local.example.com

What I did :

  1. Had our AD admins create local.example.com on our internal domain
  2. Built the web server encrypt.local.example.com
  3. Built a virtual host www.local.houwire.com on the encrypt server
  4. Asked our external DNS provider to NAT the internal IP so as to make it accessible to Let’s Encrypt

What I’ve got : Let’s Encrypt ‘successfully enabled https://local.example.com’
ssllabs.com Report : local.example.com Certificate name mismatch

MORE :

(PuppetMaster) cd /etc/puppet/modules/common/templates
vi httpd_conf.erb

IncludeOptional conf.d/*.conf
<% if @hostname == 'encrypt' then -%>
IncludeOptional sites-enabled/*.conf
<% end -%>

vi hosts.erb
10.1.1.200 encrypt.local.example.com encrypt
<% if @hostname == 'encrypt' then -%>
10.1.1.200 www.local.example.com www
<% end -%>

LETS ENCRYPT

Pre-requisites

Our public DNS server must allow traffic to the encrypt server over port 80 & 443; which means it needs a public IP

Install

/bin/yum -y install mod_ssl python-certbot-apache

Virtual Host

/bin/mkdir -p /var/www/local.example.com/public_html
/bin/chown -R $USER:$USER /var/www/local.example.com/public_html

/bin/cat > /var/www/local.example.com/public_html/index.html <<!
...
!

sites subdirectories not necessary, but …

/bin/mkdir -p /etc/httpd/sites-available
/bin/mkdir -p /etc/httpd/sites-enabled

/bin/cat > /etc/httpd/sites-available/local.example.com.conf <<!
<VirtualHost *:80>
ServerName www.local.example.com
DocumentRoot /var/www/local.example.com/public_html
</VirtualHost>
!

ln -s /etc/httpd/sites-available/local.example.com.conf /etc/httpd/sites-enabled/local.example.com.conf

Registration

sudo certbot --apache -d local.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for local.example.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/local.example.com-le-ssl.conf
Deploying Certificate for local.example.com to VirtualHost /etc/httpd/sites-available/local.example.com-le-ssl.conf
Enabling site /etc/httpd/sites-available/local.example.com-le-ssl.conf by adding Include to root configuration


Congratulations! You have successfully enabled https://local.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=local.example.com


#7

You successfully issued a certificate for your domain on March 13 (it’s public in Certificate Transparency), but that certificate isn’t being served by your server. Instead, your server is serving a self-signed certificate.

Does this work from inside your network, or not at all? If not at all, you might have a _default_ virtual host with the old self-signed certificate or something that’s taking priority over the Certbot-installed one.

There’s also the DNS challenge, where you can get certificates by changing DNS records—this is often a good option for sites that have problems allowing inbound connections. But since your certificate was successfully issued, that’s not the particular problem that you’re facing right now.


#8

I am very appreciative of the fast response, as well as ashamed of my public display of ignorance …I’ve been out of networking too long

If I understood you correctly, the public-facing server did its job (domain cert issued). Next step is to pass that on to its internal counterparts. What I’m getting is the following:
foo.local.example.com uses an invalid security certificate. The certificate is only valid for local.example.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Changes I made:
httpd.conf : ServerName foo.local.example.com:80
ssl.conf : ServerName foo.local.example.com:443
SSLCertificateFile /etc/letsencrypt/live/local.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/local.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/local.example.com/chain.pem


#9

That’s correct because you only asked for it to be valid for local.example.com when you obtained it:


#10

Perhaps because of the terms used I’ve been looking at this wrong, because traditionally the certs are issued per server. What I would like to see are valid certs on *.local.example.com, which is why I did the -d (domain?). How would I phrase that, as a wildcard (-d *.local.example.com)?


#11

-d is the way of specifying a subject name in Certbot and the exact name you requested after the -d goes into the certificate request.

Wildcards do contain the *. at the beginning but one thing that’s worth knowing is that (by PKI standards) the wildcard doesn’t apply to the base domain at all. So if you get a certificate that covers *.local.example.com, it doesn’t cover local.example.com; you need to explicitly include both if you want to cover the base domain too.

-d "*.local.example.com" is the right way to request a wildcard but if you want a wildcard certificate, you should know that Let’s Encrypt only began offering them about a month ago and by Let’s Encrypt policy they’re only available via DNS challenges (proving control by creating a specified TXT record in your DNS zone). So if you need a wildcard certificate, you’ll need to figure out how to do the DNS challenge method rather than the inbound HTTP challenge method. If not, you’ll get an error that means that the certificate authority insisted on the DNS authentication method but that your client failed to complete it. Again, this distinction is a matter of Let’s Encrypt’s issuance policy.
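The name-matching rules from #11, as an added example that is not part of the thread: a certificate name either matches the hostname exactly, or, if it is a wildcard of the form *.suffix, covers exactly one extra label to the left of suffix, so *.local.example.com covers foo.local.example.com but neither local.example.com nor a.b.local.example.com. The functions below apply those rules to a hostname and a list of names as they would appear in a certificate's Subject Alternative Name extension; the host and name values in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate name cover a
# hostname, by the rules public CAs follow for DNS names (RFC 6125 style)?
# Wildcards are only accepted as a leading "*." label, which is the only
# form Let's Encrypt issues; anything else is compared literally.

# san_covers HOST NAME: return 0 if NAME covers HOST, 1 otherwise.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix="${pat#\*.}"                 # "*.local.example.com" -> "local.example.com"
            # HOST must end in ".suffix"; this already rejects the bare base domain.
            case "$host" in
                *.$suffix) ;;
                *) return 1 ;;
            esac
            # Whatever is left of ".suffix" must be exactly one non-empty label.
            left="${host%.$suffix}"
            case "$left" in
                ''|*.*) return 1 ;;
            esac
            return 0
            ;;
        *)
            [ "$host" = "$pat" ]
            ;;
    esac
}

# cert_covers HOST NAME...: check HOST against every name in a certificate,
# print the first name that covers it and return 0; return 1 if none does.
cert_covers() {
    host="$1"
    shift
    for san in "$@"; do
        if san_covers "$host" "$san"; then
            printf '%s\n' "$san"
            return 0
        fi
    done
    return 1
}

# Constructed usage: the names the thread ends up wanting in one certificate.
# cert_covers foo.local.example.com local.example.com '*.local.example.com'
# cert_covers local.example.com '*.local.example.com'   # fails: wildcard alone is not enough
```

This is why a wildcard request has to list both names, for example certbot certonly --manual --preferred-challenges dns -d "*.local.example.com" -d local.example.com, and why the certificate from #8, issued for local.example.com only, produces SSL_ERROR_BAD_CERT_DOMAIN on foo.local.example.com.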


#12

Let me see if I can get our external DNS provider to do that for us. Thank you very much for your help


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.