Hi, I need help
My domain is (example): mydomain.eu and it synchronizes my dynamic IP with no-ip
In house, I have a web server listening on ports 80/443 and I got a new wildcard certificate with certbot and deployed it with a DNS record (TXT). I thought that was enough, but no…
I need a certificate for other servers (example: mydomain.eu, cloud.mydomain.eu, mail.mydomain.eu) and I set up CNAMEs on my provider panel.
Also I set up a cloud server with Nextcloud, and I want to get a certificate for this server. I get an error because certbot wants ports 80 and 443, but my NC server listens on 81/1443
In future, I would create an internal webmail that also listens on another port
Internal setup
Example:
webserver - nginx - ip xxx.xxx.xxx.50 --> port 80/443
cloud - apache - ip xxx.xxx.xxx.51 -> port 81/1443
mail - nginx/apache - ip xxx.xxx.xxx.52 -> port 82/2443
What is the best practice to get a certificate for each server (or a wildcard certificate)?
It would be good to activate cron to renew the certificate without deploying a TXT record every 3 months…
You show the cert needs for three separate systems:
But then show two [NGINX] configs (that are both using port 80) and no Apache config.
That combined with:
So, I can only assume that you intend on using NGINX to obtain the certs automatically.
I do think that can be done.
In the simplest solution:
You will need an Internet DNS to resolve all three names to an IP(s) that can reach that system.
You will need to forward all port 80 connections to the "primary" web service.
[you have Apache and NGINX - pick one to be main/proxy - I would choose NGINX]
You should handle all the challenge requests within one single web server.
[this will reduce any troubleshooting down the road]
they may require custom excludes from redirection (preferred)
You may need to manually update the secure vhost configs (within both web servers) to use the obtained certs (simplest via --certonly)
Depending on the number of real Internet IPs available, you may need to proxy all requests (http & https) through one system (the main one).
You may need to include a custom script to run when any cert is renewed to restart/reload any affected system (Apache/NGINX/email).
And if I missed anything:
You may need to return here to ask additional question(s).
[which we should be able to answer]
You will need to forward all port 80 connections to the “primary” web service.
R: I configured my firewall using port forwarding and opened ports 80/443 on the xxx.xxx.xxx.50 webserver.
[you have Apache and NGINX - pick one to be main/proxy - I would choose NGINX]
R: I chose nginx for the webserver
But, so, if I can’t use certbot for cloud and mail, which aren’t listening on 80/443, what is the procedure to copy the certificate from the webserver to cloud and mail? I read that it isn’t safe…
That depends.
Are they independent/separate systems or are those software running on the same system?
If separate, then you need to choose between:
copy files around
run separate ACME clients (one on each)
This will require using the first web server as a proxy to the separate names.
So that they can handle their own names and challenge requests.
[covered on #5 above]
If same, then you only need to get the cert once.
And all software (on that same system) can use the new cert.
Thanks for your suggestion. webserver, cloud and email are on 3 different hosts (they are VMs with Debian), not on the same server. How can I copy certificate files automatically? I read on the forum that it’s not safe to export the private key.
run separate ACME clients (one on each)
This will require using the first web server as a proxy to the separate names.
So that they can handle their own names and challenge requests.
[covered on #5 above]
So I need to run 3 challenges (and 3 ACME challenges)? Like this?:
certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'mydomain.eu' --> for webserver xxx.50
certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'cloud.mydomain.eu' -> for cloud server xxx.51
certbot --email myemail@gmail.com --agree-tos --manual-public-ip-logging-ok certonly --manual --preferred-challenges dns -d 'mail.mydomain.eu' -> for mail server xxx.52
Is it correct to use an nginx conf on the web server like this?
The three certbots need to run on the three systems (one for each).
The main server needs to proxy the two other names to their respective servers.
So that each system can get certs (somewhat) independently from the others.
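One concrete shape of what this reply (and the earlier list: forward port 80 to the primary, handle challenges in one web server, exclude the challenge path from redirection, proxy the other names) describes. This is an added example, not configuration posted by anyone in this thread. It assumes the hosts and ports from the original post (cloud at xxx.xxx.xxx.51:81, mail at xxx.xxx.xxx.52:82; the xxx placeholders must be replaced with the real internal addresses), that each VM runs its own certbot with --webroot and serves /.well-known/acme-challenge/ from its plain-HTTP vhost, and that /var/www/letsencrypt is an assumed webroot path on the main host.

```nginx
# Added example for the main nginx host xxx.xxx.xxx.50, which receives every
# port 80 connection from the firewall. The other two VMs keep their own
# private keys; only the ACME challenge requests for their names are relayed.

# Main site: certbot on this host answers its own challenges from the webroot
# (assumed path), e.g. certbot certonly --webroot -w /var/www/letsencrypt -d mydomain.eu
server {
    listen 80;
    server_name mydomain.eu;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # The challenge path above is excluded from this redirect on purpose.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Cloud VM: challenge requests for cloud.mydomain.eu are passed to the cloud
# host's HTTP vhost on port 81 so the certbot running there can answer them.
server {
    listen 80;
    server_name cloud.mydomain.eu;

    location /.well-known/acme-challenge/ {
        proxy_pass http://xxx.xxx.xxx.51:81;   # placeholder from the thread
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Mail VM: same pattern for mail.mydomain.eu on port 82.
server {
    listen 80;
    server_name mail.mydomain.eu;

    location /.well-known/acme-challenge/ {
        proxy_pass http://xxx.xxx.xxx.52:82;   # placeholder from the thread
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place, the http-01 validation always arrives on port 80 of the main host, and the backend's non-standard port is invisible to the CA, so the three certbot runs in the earlier post can use --webroot on each VM instead of the manual DNS challenge, and cron/systemd renewal needs no TXT record. Nothing here covers port 443: as the reply notes, the HTTPS side for cloud and mail must either be forwarded per host at the firewall or proxied through this same box. To reload the affected service after a renewal, each VM's certbot can be given a --deploy-hook that restarts its own nginx, Apache or mail daemon.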