Hi,
I have haproxy_server and apache_servers in different datacenters; what is the best way to encrypt the connection between them?
It’s working with the following configuration:
Datacenter-A => Haproxy + Certbot (fullchain.pem + example.com.pem)
backend haproxy.cfg
server <IP_Datacenter-B>:80 check
server <IP_Datacenter-C>:80 check
Datacenter-B => Apache
Datacenter-C => Apache
But how do I encrypt the connection between HAProxy and Apache, because everything is connected over the public internet?
If I copy the (fullchain.pem + example.com.pem) from Datacenter-A to Datacenter-B and Datacenter-C with the following configuration:
Datacenter-A => Haproxy + Certbot (fullchain.pem + example.com.pem)
backend haproxy.cfg
server <IP_Datacenter-B>:430 check ssl verify none
server <IP_Datacenter-C>:430 check ssl verify none
Datacenter-B => Apache (fullchain.pem + example.com.pem)
Datacenter-C => Apache (fullchain.pem + example.com.pem)
This gave the error: SSL_ERROR_BAD_CERT_DOMAIN
What am I doing wrong?
You probably got this error because Let’s Encrypt certificates don’t cover IP addresses, only domain names. Therefore a client verifying the certificate can’t tell whether the certificate is “right” when it was told to access your service by IP address. If you can get the client to access the service by DNS domain name instead of IP address, it should be able to confirm the certificate’s validity.
If the servers don’t have a DNS name already, I’m confused about how you got a Let’s Encrypt certificate because the Let’s Encrypt certificate must apply to some particular DNS name.
OK, after you give them names you’ll probably need to get additional certificates that refer specifically to those names, otherwise there will still be a mismatch error. The certificate doesn’t really say “this service is secure”, but rather “this encryption key is safe to use with this list of domain names”.
I'm a little confused by this because I only have one domain over several web servers, but I will do what you said, and then I will let you know if everything is OK.
Thank you schoen
If you have server1.example.com and server2.example.com and server1 wants to connect to server2 with a secure connection, then server2.example.com needs to be mentioned explicitly in the certificate that’s installed on server2. If the certificate is just for example.com, it won’t work to authenticate server2.example.com.
For example certbot -d server1.example.com and certbot -d server2.example.com (depending on how you prove control over these names, these commands might be run on the servers themselves).
I think this doesn't solve my problem of HAProxy load balancing, because I only have one domain, and my problem is encrypting the data between HAProxy and the several backend web servers.
I think we need to have the same certificate on all machines, or this will not work as one site, because the client must always see www.example.com.
The proxy doesn’t have to show the end user what certificates or names were used in the backend connection, just as when you used the IP address, that information probably isn’t presented to the end user.
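The backend configuration that schoen's answers describe, written out as an added example (not from the thread, not from HAProxy's or Certbot's documentation): it assumes the two Apache backends were named server1.example.com and server2.example.com and each got its own Let's Encrypt certificate, that Apache listens on 443 (the ":430" in the question is read as a typo for 443), that the public www.example.com certificate is at /etc/haproxy/certs/example.com.pem, and that the system CA bundle lives at /etc/ssl/certs/ca-certificates.crt.

```haproxy
# Added example, not the original poster's configuration. Placeholders in
# angle brackets are the same ones used in the question. The public-facing
# frontend keeps serving the www.example.com certificate as before; only the
# backend section changes, and the client never sees the backend names.
frontend www
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    default_backend apache_pool

# Weak form from the question, kept only for comparison: the hop is
# encrypted, but HAProxy accepts any certificate, so anyone on the path
# between the datacenters could stand in for a backend without detection.
backend apache_pool_unverified
    server b1 <IP_Datacenter-B>:443 check ssl verify none
    server b2 <IP_Datacenter-C>:443 check ssl verify none

# Corrected form. Each server is still addressed by IP, but HAProxy now:
#   verify required / ca-file : builds the chain against the system CA
#                               bundle (which contains the Let's Encrypt roots)
#   verifyhost                : checks the certificate's SAN against the
#                               backend's DNS name instead of the IP, which
#                               is what produced the name-mismatch error
#   sni / check-sni           : sends that name in TLS SNI on normal traffic
#                               and on health checks so Apache presents the
#                               matching certificate
backend apache_pool
    default-server check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server b1 <IP_Datacenter-B>:443 verifyhost server1.example.com sni str(server1.example.com) check-sni server1.example.com
    server b2 <IP_Datacenter-C>:443 verifyhost server2.example.com sni str(server2.example.com) check-sni server2.example.com
```

Each Apache backend serves its own server1.example.com or server2.example.com certificate on 443 (for example from certbot -d server1.example.com run on that host), while the www.example.com certificate only needs to exist on the HAProxy machine.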