How can I create my own certificate for the backend as well?

Hi everyone,

I have two docker containers, one for tomcat and one for the backend application, on the same physical server.

I installed nginx on debian and configured the .conf file in sites-available and linked it to sites-enabled.

The configuration file before applying certbot is as follows:

server
     {
         server_name www.example.com;
         location /
         {
         proxy_pass http://x.x.x.x:4200;
         proxy_http_version 1.1;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-ForwardedProto $scheme;
         proxy_set_header X-Forwarded-Port $server_port;
         }
  server
     {
        location /.well-known/acme-challenge/
         {
           proxy_pass http://x.x.x.x:9090/bc-pr;

           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Host $host;
           proxy_set_header X-Forwarded-Server $host;
           proxy_set_header X-Forwarded-Port $server_port;
           proxy_set_header X-ForwardedProto $scheme;
         }


     }

After I apply certbot and try to access the https link credentials, this error appears:

Http failure response for http://y.y.y.y.:9090/bc-pr/authentication/login: 0 Unknown Error

That is, it won't let me log in anymore.

I read here on the site that certbot only recognizes the frontend and that you need to enter a path so that the backend (in my case on the same server) also has the certificate.

What did I do wrong in the configuration?

Where does that error message appear? That doesn't look like an nginx error message.

3 Likes

After I request the certificate with certbot, when I access https://www.example.com from the browser the main screen appears, but when I go to log in this error appears:

Http failure response for http://y.y.y.y.:9090/bc-pr/authentication/login: 0 Unknown Error

Without the certificate, i.e. before running certbot, over http it did not give any errors.

At this link, Using let's encrypt in the backend server - #3 by _az, I read that to configure the certificate for the backend you need to add location /.well-known/acme-challenge/ {, because certbot only recognizes one certificate, and here it is also necessary to assign the certificate to the backend, in my case to proxy_pass http://x.x.x.x:9090/bc-pr;

So it's a certificate error, i.e. configuring nginx for certbot, and I don't know how to do it. I tried with that link but it doesn't work.

That post is about forwarding the HTTP challenge request from a frontend server to a backend server, i.e. if you wanted to run Certbot on x.x.x.x (which I assume is a separate server to the one where nginx is running) in order to obtain a certificate, that would enable you to do so.

The error message you are seeing appears to be coming from your web application. I can't comment on that because I don't know what the application is, how it works, or what it is expecting to happen.

To be honest, I do not really understand what you are trying to achieve. It might help to explain clearly and in detail the architecture of your setup, what web applications you are trying to run, and how you want the SSL certificate setup to look.

4 Likes

When I access http with the credentials I can log in and no error is returned.

When I apply certbot it gives me that error and won't let me log in.

The programmer tells me that it is an application made in Spring (Java) and that it requires access over https.

I'm interested in the backend; in fact I can't understand why the backend works in http and doesn't work when you apply the https certificate.

This seems strange to me; I don't want the programmer to be mistaken and have to do something to the application.

Can you confirm whether, in your opinion, the way I configured nginx is good for the frontend and backend? Your opinion, of course.

http and https are different things, so you need to fix the link it uses.

3 Likes

Proxying applications that expect HTTPS to be used can be complicated. It depends on the application.

Sometimes, it is enough to just forward an X-Forwarded-Proto header while still proxying in insecure HTTP, and the backend application will be happy.

Other times, you will need to actually use HTTPS on the backend. In that case, you need to set up Tomcat (and the other application) with SSL certificates, and change:

and

to be HTTPS URLs, on the HTTPS ports of the backends.

It depends on the application.

4 Likes
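The first option described above (terminate TLS at nginx, proxy to both containers over plain HTTP, and forward X-Forwarded-Proto) as an added example; this is not configuration from the thread. It assumes the backend's context path is /bc-pr as in the original post, that the frontend's API base URL is changed to the relative path /bc-pr/ so the browser stops calling http://y.y.y.y:9090 directly from an https page (the "fix the link it uses" point made earlier), and that the certificate paths are the ones certbot writes for this domain. Note that the standard header name is X-Forwarded-Proto, with a hyphen before "Proto".

```nginx
# Added example (not from the thread): nginx terminates TLS for www.example.com
# and proxies the frontend (:4200) and the backend (:9090/bc-pr) over plain HTTP
# on the same host, so the browser only ever talks to one HTTPS origin.
# Assumptions: /bc-pr is the backend context path; certificate paths are the
# ones certbot creates for www.example.com; /var/www/letsencrypt is the webroot
# used for the HTTP-01 challenge.

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;

    # Certbot's webroot plugin writes challenge files here:
    #   certbot certonly --webroot -w /var/www/letsencrypt -d www.example.com
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Tell the applications the original request was HTTPS so they build
    # https:// redirects and secure cookies even though the hop to them is HTTP.
    # Defined once at server level; inherited by both locations below because
    # neither of them sets its own proxy_set_header.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
    proxy_http_version 1.1;

    # Frontend container.
    location / {
        proxy_pass http://x.x.x.x:4200;
    }

    # Backend container, reached by the browser as https://www.example.com/bc-pr/...
    # instead of http://y.y.y.y:9090/bc-pr/..., which an https page cannot call.
    location /bc-pr/ {
        proxy_pass http://x.x.x.x:9090/bc-pr/;
    }
}
```

The forwarded headers only help if the Spring application is told to trust them; in Spring Boot that is the server.forward-headers-strategy property (native or framework), otherwise Tomcat will still see a plain HTTP request on port 9090 and may insist on redirecting to https itself. Check with nginx -t before reloading.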

So we have two docker containers, one of which is the front end and the other the back end. It may be that one tomcat has been configured for https and the other is not; is that what you mean?

If the frontend and the backend are running on the same hardware, and the backend isn't exposed to the public, I'd question the purpose of using https for the backend at all, let alone trying to use a public cert (which will still give certificate errors, because you'll be connecting to the backend via IP address, and the cert covers FQDNs). What's the point here?

5 Likes

Yes, they are on the same machine, but they are in docker containers. So it's not possible to configure the backend on the same machine as the front end even if they are in different docker containers?

How did you conclude this from what I wrote? Of course it's possible to do that; you've already done it. What I'm saying is that trying to configure https for the backend is just a waste of your time.

5 Likes

Yes, forgive me, I know I did it because I thought I could. So the backend with https on the same hardware is not possible; I understand this, I'm not saying the opposite, I'm asking for confirmation as I'm not an expert.

That isn't the case either, but I just don't see any reason to do it. But if you do, you'll almost certainly end up with certificate validation failures on the frontend, so you'll need to configure it to ignore those when communicating with the backend.

5 Likes
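For the case just discussed, where the backend really does serve HTTPS and nginx reaches it by IP address, the certificate mismatch does not have to be handled by ignoring validation errors: nginx can be told which name to verify against. This is an added example, not configuration from the thread. It assumes the backend container listens with TLS on x.x.x.x:8443 (a port made up for this example) using a certificate issued for www.example.com, and that /etc/ssl/certs/ca-certificates.crt is Debian's CA bundle.

```nginx
# Added example (not from the thread): proxy to a backend that itself speaks
# HTTPS while keeping upstream certificate verification enabled.
# Assumptions: backend TLS port 8443 is hypothetical; the backend presents a
# certificate valid for www.example.com; the CA bundle path is Debian's default.

location /bc-pr/ {
    proxy_pass https://x.x.x.x:8443/bc-pr/;
    proxy_http_version 1.1;

    # nginx connects by IP, so send SNI for, and verify against, the FQDN the
    # backend's certificate actually covers. Without proxy_ssl_name the check
    # would be made against the IP address and fail.
    proxy_ssl_server_name on;
    proxy_ssl_name www.example.com;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

If the backend instead uses a private or self-signed certificate, point proxy_ssl_trusted_certificate at that certificate (or its issuing CA) and set proxy_ssl_name to the name it was issued for; proxy_ssl_verify off is the fallback the thread alludes to, and it gives up the only thing the extra TLS hop was buying.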

That doesn't add up.
I think it might go better as:
proxy_pass http://x.x.x.x:9090/bc-pr/.well-known/acme-challenge/

But I'm in agreement with @danb35: Why do you even need a cert in a container that can only be reached by that same system?

3 Likes

If I format this to be readable, I'm missing a '}'.

server
{
    server_name www.example.com;

    location /
    {
        proxy_pass http://x.x.x.x:4200;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-ForwardedProto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    server
    {
        location /.well-known/acme-challenge/
        {
            proxy_pass http://x.x.x.x:9090/bc-pr;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-ForwardedProto $scheme;
        }
    }

And, probably my fault, I don't understand how what you wrote is supposed to proxy requests to the frontend to one Docker container and requests to the backend to another in nginx.

All I see is that requests to www.example.com should go to x.x.x.x:4200 and requests to http://www.example.com/.well-known/acme-challenge/ should go to http://x.x.x.x:9090/bc-pr, i.e. to the same server (container), but to different ports. (And even that is not implemented correctly in my opinion.)

But if I understood you correctly, you want a certificate for internal use for the backend that can only be reached internally. But either the backend can be reached under a public domain for which the certificate is issued, or the internal backend is addressed internally via a different domain/IP address and then the certificate is not valid for it.

But as I said, I don't really understand all of this, at least with the information provided.

I agree, the posted file content appears to be missing an "}" at the end of the first server block.

2 Likes

And to answer the topic question:
How can I create my own certificate for the backend as well?
Since the cert would already be within the same system...
Just copy it from one [container] to the other [container].

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.