Do I need a certificate for front and backend?

Ubuntu 20.04
Nginx

I obtained a certificate with certbot like sudo certbot --nginx -d pvapp-2021.umwelt-campus.de.
And included the paths to the certificate to my two nginx config files (one for the frontend and one as reverse proxy for node) like:

 ssl_certificate /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/privkey.pem;

 include /etc/letsencrypt/options-ssl-nginx.conf;

When now making requests to my backend (e.g. logging in) I get the error:
Failed to load resource: net::ERR_CERT_DATE_INVALID tho the certificate definitely is valid.

Do I need an extra certificate for my backend? If yes, how would I do this?
What else could cause the error?

Appreciate all help.

Running sudo certbot renew --dry-run failed too.

Output of sudo certbot certificates

  Found the following certs:
      Certificate Name: pvapp-2021.umwelt-campus.de
      Domains: pvapp-2021.umwelt-campus.de
      Expiry Date: 2021-06-06 12:54:49+00:00 (VALID: 89 days)
      Certificate Path: /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/fullchain.pem
      Private Key Path: /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/privkey.pem

My domain is:
https://pvapp-2021.umwelt-campus.de

My web server is:
Nginx

The operating system my web server runs on is (include version):
Ubuntu 20.04

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

It looks like this is resolved. Perhaps your browser is caching the old certificate?

@jvanasco I cleared the cache multiple times. Also it's the first certificate for this app. So this might not be a problem. And do I need multiple certificates there?

The site "pvapp-2021.umwelt-campus.de" is currently serving the valid certificate, so if you are having issues - I do not know why. Sometimes web browsers cache the old certificates and cause issues. Sometimes nginx does not restart properly, so Certbot would see the new certificate but nginx does not use it yet - but in that case, the valid certificate would not be served to the global internet like it is now.

You only need one certificate per domain. If your backend is on a different domain, it will need its own certificate.

There could also be issues from your application's design. The domain you listed above, however, is successfully terminating SSL with a valid LetsEncrypt R3 certificate.

All right, good to know that I just need one certificate. I run the same app with self-signed certificates (there I use one cert for the front- and one for the backend tho) on a dev server and it's running. So the problem could rather be related to letsencrypt.

If I can provide more information, just tell me. I need this to be solved...

What exactly is your problem?

https://www.ssllabs.com/analyze.html?d=pvapp-2021.umwelt-campus.de

Shows the domain is successfully serving the valid LetsEncrypt certificate.

I know it's serving the cert. But that's just the frontend. When making calls to my backend I get the error ERR_CERT_DATE_INVALID.

That's my nginx conf for the backend. It's a reverse proxy to the node app. I just can't make backend calls cause of this error.

server {
     listen       443 ssl;
     listen       [::]:443 ssl http2;
     server_name  pvapp-2021.umwelt-campus.de;

     # point to ssl certificate path
     ssl_certificate /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/pvapp-2021.umwelt-campus.de/privkey.pem; # managed by Certbot

     include /etc/letsencrypt/options-ssl-nginx.conf;

     root /var/www/client/pvapp-client/dist;
     error_page 404 =200 /index.html;

     location /backend {
          proxy_pass http://localhost:60702;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection 'upgrade';
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
          proxy_ssl_verify off;
     }
}

The error could either be generated by your proxied appserver or nginx, and has to do with the proxy_pass configuration and the appserver's configuration. That is well beyond the scope of help you'll get here.

It's impossible to tell what your "backend" is or why you chose those directives in the proxypass. I'm guessing you're trying to do websockets with nginx though (the benefits of being an nginx early adopter is being able to guess this stuff!).

If that's the case, I would try removing this directive, and have the appserver expect http traffic.

If you want the appserver to keep https traffic, then you'll have to do a bit more configuration of the proxypass and appserver settings, and ensuring they're all processing the certs correctly. You'll need to look to an nginx forum or whatever framework you built your appserver with.

I removed that line. But still get the same error sadly. The backend server already expects http.
But all right, I'll ask on an nginx forum then. Thanks so far.
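
Added example, not part of any post in this thread: a Python check for the two conditions discussed above, namely whether the exact endpoint a failing request goes to serves the same leaf certificate as the certbot lineage on disk, and whether that certificate's validity window covers the client's clock. The function names, the sample PEM bodies and the notBefore value are constructed for illustration; only the expiry date is taken from the `certbot certificates` output above.

```python
import hashlib
import socket
import ssl

END = "-----END CERTIFICATE-----"

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in fullchain.pem)."""
    leaf = pem_text[: pem_text.index(END) + len(END)].strip()
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def fetch_served_pem(host, port=443):
    """Fetch the leaf certificate host:port serves, without validating it,
    so a certificate that fails validation can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def date_status(not_before, not_after, client_now):
    """Classify a validity window against the client's clock (epoch seconds).
    Dates use the format printed by `openssl x509 -noout -dates`."""
    if client_now < ssl.cert_time_to_seconds(not_before):
        return "not yet valid"
    if client_now > ssl.cert_time_to_seconds(not_after):
        return "expired"
    return "ok"

def diagnose(disk_pem, served_pem, not_before, not_after, client_now):
    """List the reasons a request to this endpoint could fail the date check."""
    findings = []
    if leaf_fingerprint(disk_pem) != leaf_fingerprint(served_pem):
        findings.append("endpoint serves a different certificate than the one on disk")
    status = date_status(not_before, not_after, client_now)
    if status != "ok":
        findings.append("served certificate is " + status + " on this clock")
    return findings

# Constructed sample data: the PEM bodies are placeholder bytes, not real certificates.
LETSENCRYPT_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf A")
OTHER_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed leaf B")
NOT_BEFORE = "Mar  8 12:54:49 2021 GMT"  # constructed: assumes a 90-day lifetime
NOT_AFTER = "Jun  6 12:54:49 2021 GMT"   # expiry shown by `certbot certificates`

if __name__ == "__main__":
    print(diagnose(LETSENCRYPT_LEAF, OTHER_LEAF, NOT_BEFORE, NOT_AFTER, 1615248000))
```

On a real host, pass the contents of fullchain.pem as `disk_pem` and `fetch_served_pem(host, port)` as `served_pem`, using the host and port that appear in the failing request in the browser's network tab.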
