HAProxy-Apache with certbot and encrypt connection


#1

Hi,
I have haproxy_server and apache_servers in different datacenters, what is the best way to have encrypt connection between them?

It’s working with the following configuration:
Datacenter-A => Haproxy + Certbot (fullchain.pem + example.com.pem)
backend haproxy.cfg
server <IP_Datacenter-B>:80 check
server <IP_Datacenter-C>:80 check
Datacenter-B => Apache
Datacenter-C => Apache

But how encrypting the connection between Haproxy and Apache, because it’s everything connected by public internet?

If I copy the (fullchain.pem + example.com.pem) from Datacenter-A to Datacenter-B and Datacenter-C with the following configuration:
Datacenter-A => Haproxy + Cetbot (fullchain.pem + example.com.pem)
backend haproxy.cfg
server <IP_Datacenter-B>:430 check ssl verify none
server <IP_Datacenter-C>:430 check ssl verify none
Datacenter-B => Apache (fullchain.pem + example.com.pem)
Datacenter-C => Apache (fullchain.pem + example.com.pem)

This gave the error: SSL_ERROR_BAD_CERT_DOMAIN
What I’m doing wrong?


#2

Olá @pessoal2016,

You probably got this error because Let’s Encrypt certificates don’t cover IP addresses, only domain names. Therefore a client verifying the certificate can’t tell whether the certificate is “right” when it was told to access your service by IP address. If you can get the client to access the service by DNS domain name instead of IP address, it should be able to confirm the certificate’s validity.


#3

Thank you schoen
I will deploy a Bind server to give a dns name to all servers and then I will try again.


#4

If the servers don’t have a DNS name already, I’m confused about how you got a Let’s Encrypt certificate because the Let’s Encrypt certificate must apply to some particular DNS name. :slight_smile:


#5

I have a example.com name direct to my haproxy_server, but my apache_servers are working only IP’s


#6

OK, after you give them names you’ll probably need to get additional certificates that refer specifically to those names, otherwise there will still be a mismatch error. The certificate doesn’t really say “this service is secure”, but rather “this encryption key is safe to use with this list of domain names”.


#7

i’m a little confused with this because I only have on domain over several web servers but I will do what you said, and then I let you know if everything is ok.
Thank you schoen


#8

If you have server1.example.com and server2.example.com and server1 wants to connect to server2 with a secure connection, then server2.example.com needs to be mentioned explicitly in the certificate that’s installed on server2. If the certificate is just for example.com, it won’t work to authenticate server2.example.com.


#9

How mentioned explicitly in the certificate the server1.example.com and the server2.example.com?


#10

For example certbot -d server1.example.com and certbot -d server2.example.com (depending on how you prove control over these names, these commands might be run on the servers themselves).


#11

I think this don’t solve my problem of haproxy load balance, because I only have one domain, and my problem is having encrypting data between haproxy and the several backend webservers.

I think we need have the same certificate in all machines, or this will not work as one site, because for the client he must see always www.example.com


#12

The proxy doesn’t have to show the end user what certificates or names were used in the backend connection, just as when you used the IP address, that information probably isn’t presented to the end user.


#13

Ok schoen, you help me a lot, I will try that


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.