Generate and Update Certificate with 2 or more internal Servers

Hi, I need help :slightly_smiling_face:
My domain is (example): mydomain.eu and it synchronizes my dynamic IP with no-ip.
In house, I have a web server listening on ports 80/443, and I got a new wildcard certificate with certbot and deployed it with a DNS record (TXT). I thought that was enough, but no…
I need a certificate for other servers (example: mydomain.eu, cloud.mydomain.eu, mail.mydomain.eu), and I set up CNAMEs in my provider's panel.

I also set up a cloud server with Nextcloud, and I want to get a certificate for this server. I get an error because certbot wants ports 80 and 443, but my NC server listens on 81/1443.
In the future, I would like to create an internal webmail that also listens on another port.

Internal setup

Example:
webserver - nginx - ip xxx.xxx.xxx.50 -> port 80/443
cloud - apache - ip xxx.xxx.xxx.51 -> port 81/1443
mail - nginx/apache - ip xxx.xxx.xxx.52 -> port 82/2443

Nginx WebServer Configuration:

ssl_certificate /etc/letsencrypt/live/mydomain.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.eu/privkey.pem;

server {
    listen 80;
    listen [::]:80;
    server_name *.mydomain.eu;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name *.mydomain.eu;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.mydomain.eu;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name cloud.mydomain.eu;

    location / {
        proxy_pass http://xxx.xxx.xxx.51:1443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

What is the best practice to get a certificate for each server (or a wildcard certificate)?
It would be good to activate cron to renew the certificate without deploying a TXT record every 3 months…

Thanks Spa

You show the cert need for three separate systems:

But then show two [NGINX] configs (that are both using port 80) and no Apache config.
That combined with:

So, I can only assume that you intend on using NGINX to obtain the certs automatically.

I do think that can be done.

In the simplest solution:

  1. You will need an Internet DNS to resolve all three names to an IP(s) that can reach that system.
  2. You will need to forward all port 80 connections to the "primary" web service.
    [you have Apache and NGINX - pick one to be main/proxy - I would choose NGINX]
  3. You should handle all the challenge requests within one single web server.
    [this will reduce any troubleshooting down the road]
    they may require custom excludes from redirection (preferred)
  4. You may need to manually update the secure vhost configs (within both web servers) to use the obtained certs (simplest via --certonly)
  5. Depending on the number of real Internet IPs available, you may need to proxy all requests (http & https) through one system (the main one).
  6. You may need to include a custom script to run when any cert is renewed to restart/reload any affected system (Apache/NGINX/email).

And if I missed anything:
You may need to return here to ask additional question(s).
[which we should be able to answer]

Thanks for your answer.

In the simplest solution:

1. You will need an Internet DNS to resolve all three names to an IP(s) that can reach that system.

R: I’ve bought a domain with Aruba hosting. I’ve created a pointer to my web server with the CNAME “www” because I don’t have a static IP address. I also created cloud and mail CNAMEs pointing as suggested in this link https://daniel.haxx.se/blog/2012/08/20/fixed-name-to-dynamic-ip-with-cname/

  1. You will need to forward all port 80 connections to the “primary” web service.
    R: I configured my firewall using port forwarding and opened ports 80/443 on the xxx.xxx.xxx.50 webserver.

  2. [you have Apache and NGINX - pick one to be main/proxy - I would choose NGINX]
    R: I chose nginx for the webserver

  3. You should handle all the challenge requests within one single web server.
    R: I got a wildcard certificate with certbot using this guide https://turbolab.it/apache-server-web-1212/guida-ottenere-certificato-https-wildcard-gratis-let-s-encrypt-.miosito.com-1690

But, so, if I can’t use certbot for cloud and mail, which don't listen on 80/443, what is the procedure to copy the certificate from the webserver to cloud and mail? I read that it isn’t safe…

That depends.
Are they independent/separate systems or are those software running on the same system?

If separate, then you need to choose between:

  • copy files around
  • run separate ACME clients (one on each)
    This will require using the first web server as a proxy to the separate names.
    So that they can handle their own names and challenge requests.
    [covered on #5 above]

If same, then you only need to get the cert once.
And all software (on that same system) can use the new cert.

Thanks for your suggestion. Webserver, cloud and email are on 3 different hosts (Debian VMs), not on the same server. How can I copy the certificate files automatically? I read on the forum that it’s not safe to export the private key.

Then choose option 2:

  • run separate ACME clients (one on each)
    This will require using the first web server as a proxy to the separate names.
    So that they can handle their own names and challenge requests.
    [covered on #5 above]

So I need to run 3 challenges (and 3 ACME challenges)? Like this?:

certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'mydomain.eu' -> for webserver xxx.50

certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'cloud.mydomain.eu' -> for cloud server xxx.51

certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'mail.mydomain.eu' -> for mail server xxx.52

Is it correct to use an nginx conf on the web server like this?

ssl_certificate /etc/letsencrypt/live/mydomain.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.eu/privkey.pem;

server {
    listen 80;
    listen [::]:80;
    server_name *.mydomain.eu;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name *.mydomain.eu;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.mydomain.eu;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name cloud.mydomain.eu;

    location / {
        proxy_pass http://xxx.xxx.xxx.51:1443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

The three certbots need to run on the three systems (one for each).
The main server needs to proxy the two other names to their respective servers.
So that each system can get certs (somewhat) independently from the others.
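The following nginx config is an added example (not posted by anyone in this thread) of what "proxy the two other names to their respective servers" and the "custom excludes from redirection" in step 3 of the first answer look like on the main web server (xxx.xxx.xxx.50). It forwards only the ACME HTTP-01 challenge path for cloud.mydomain.eu to the cloud host's plain-HTTP port 81, so the cloud host can run its own certbot and renew from cron without a manual TXT record; everything else on port 80 is still redirected to HTTPS. Assumptions: Apache on the cloud host serves `/.well-known/acme-challenge/` from a webroot (the path `/var/www/html` below is a placeholder), and port 1443 on the cloud host speaks TLS with the certificate the cloud host obtained for itself.

```nginx
# Main web server (xxx.xxx.xxx.50): vhost for cloud.mydomain.eu.
# Added example, not the thread author's config; IPs and paths are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name cloud.mydomain.eu;

    # Exclusion from the HTTPS redirect: the validation request must reach the
    # host that runs certbot for this name, in plain HTTP, on its own port.
    # On the cloud host (assumed): certbot certonly --webroot -w /var/www/html -d cloud.mydomain.eu
    location /.well-known/acme-challenge/ {
        proxy_pass http://xxx.xxx.xxx.51:81;
        proxy_set_header Host $host;
    }

    # Everything else behaves as in the original config.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name cloud.mydomain.eu;

    # Browser-facing TLS is terminated here with the main server's own files.
    # Only this host needs these files; the cloud host keeps its own key.
    ssl_certificate     /etc/letsencrypt/live/mydomain.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.eu/privkey.pem;

    location / {
        # 1443 is assumed to be a TLS port, so the internal hop is https://
        # and is protected by the certificate the cloud host obtained itself.
        proxy_pass https://xxx.xxx.xxx.51:1443;
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The same pair of server blocks, with xxx.xxx.xxx.52 and ports 82/2443, covers mail.mydomain.eu. No private key ever leaves the host it was generated on, which is what the question about copying files was worried about. For step 6 of the first answer, each host can reload its own service after a renewal with `certbot renew --deploy-hook "systemctl reload apache2"` (or `nginx`, or the mail service), run from that host's cron or systemd timer.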
