How is an internet accessible LAN server encrypted?

Help
1

Please fill out the fields below so we can help you better.

My domain is: allenintech.com

I ran this command: I tried ./certbot-auto certonly --standalone --email eatobiasa@gmail.com -d allenintech.com -d www.allenintech.com. A certificate was granted for allenintech.com. However I only want a certificate for the server, accessible from the internet but on the LAN. Other web sites on allenintech.com do not need encryption.

I also tried to manual ? installation on the LAN server which of course failed since the challenges were not successful.

It produced this output: The certificate on allenintech.com was successful. I donā€™t think it is needed for what I am trying to accomplish. The certificate on the LAN server failed.

My operating system is (include version): Linux

My web server is (include version):Fedora 19 and Ubuntu 16

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes):

Iā€™m using a control panel to manage my site (no)

-------------------------- |

Additional information:

I have full control of web server, webserverA.com. WebserverA.com has an real external static ip address, 1.2.3.4

WebserverA.com host several virtual hosts. Only one of the virtual hosts accesses an application/web server on the LAN, serveronLAN. ServeronLAN is accessed via reverse proxy from virtual host container <"VirtualHost *:8080>.

Pointing browser to different websites serves them perfectly. Pointing the browser to webserverA.com:8080 serves the application/web server on the LAN via reverse proxy perfectly.

<ā€˜VirtualHost *:80>
DocumentRoot "/document/root/files/"
ServerName www.webserverA.com
:
<ā€™/VirtualHost>

<ā€˜VirtualHost *:80>
DocumentRoot "/document/root/files/"
ServerName www.webserverZ.com
:
<ā€™/VirtualHost>

<ā€˜VirtualHost *:8080>
DocumentRoot "/document/root/files/"
ServerName www.webserverA.com
ServerAlias webserverA.com
ProxyPass / http://serveronLAN.webserverA.com/
ProxyPassReverse / http://serveronLAN.webserverA.com/
LogLevel debug
<ā€™/VirtualHost>

WebserverA.com is Fedora 19 running Apache 2.4.
ServeronLan is Ubuntu 16 running Apache 2.4. The configuration for serveronLAN is:

<ā€˜VirtualHost *:80>
ServerName "serveronLAN.webserverA.com"
ServerAlias ā€œserveronLAN.webserverA.comā€
<ā€˜Directory ā€œ/document/root/files/ā€>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
<ā€™/Directory>
<ā€™/VirtualHost>

Encryption is only needed on serveronLAN.

Question: How is a letsencrypt certificate obtained for serveronLAN, since serveronLAN is accessible from the internet albeit webserverA.com:8080 via reverse proxy?

Resources are very limited. A DNS A record is not permissible. Also, not permissible is dynDNS or moving the application from serveronLAN to webserverA.com. ServeronLAN must remain behind the firewall. An additional real external static ip for serveronLAN is not permissible.

Thanks!

2

Hi @Anthon,

Let's Encrypt's verification methods require that the name that you request a certificate for actually exist in DNS (or if using the DNS validation method, a specific kind of text record must refer to it) and be publicly visible at the time of verification.

I am a bit confused by what you said above, but to try to summarize what is and isn't possible:

  • If the name that you want a certificate for already exists in DNS and has an A (or CNAME) record, but the public IP address corresponds to a proxy, you can complete an HTTP-01 challenge in various ways, as long as the proxy is able to send the challenge verification request to the actual server that possesses the private key, or as long as you manually post the requested file in the right place on the proxy server's HTTP listener.

  • If the name that you want a certificate for does not exist in the DNS as an A or CNAME record, but you have the ability to update your DNS zone, you can use the DNS challenge and temporarily create a verification record in response to the challenge. (The verification record is a text record for a related name, proving that you can update the DNS zone; it's not an A record for the name itself.) In Certbot this currently only works in manual mode, but the bash script clients have especially mature support for it.

  • If you don't want the name to be publicly disclosed at all (e.g. in Certificate Transparency!) or to be mentioned at least ephemerally in DNS, you cannot get a certificate from Let's Encrypt.
3

Thanks for the reply. My previous question is obtuse. Sorry. Let me start over.
How do I check that my certificates are in place. I followed the procedures without any error message. However, I am not able to determine how to secure my sites or if the certs are proper.

Thanks!

4

Hi @Anthon, can you go to your site in a browser using https:// instead of http://? Do you see an error message?

If thereā€™s no error when using https://, everything should be fine. You can get more details about the certificate in that case from a pull-down menu in your browser after navigating to the server in question (for example, in Firefox, you can look at Tools / Page Info / Security / View Certificate).

5

The error message is:
An error occurred during a connection to www.allenintech.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I have been googling for days but have not understood how to resolve the issue.

Unsecure works fine.

6

@Anthon, this error usually occurs when a site is serving HTTP instead of HTTPS on a particular port (by default, port 443). So for example if you have your web server listening on port 443 but have not enabled HTTPS on that port, you would see this error.

If you go to http://example.com:443/ (instead of https://example.com:443/) and see no error, it will confirm that my explanation for the problem is right.

7

Of course, your explanation is right. Inadvertently while trouble shooting ā€œSSLEngine Onā€ had been commented out. Now https is on for port 443.

Now, pointing the browser to https:// there is a white ! inside an orange triangle positioned in front of the lock. So not all of the content is secure?

8

Probably right ā€“ if you click on it it should offer to tell you more about what the problem is.

In Firefox you can do Tools / Page Info / Media to see a list of subresources with their respective URLs (although there are certain kinds of subresources that will be omitted but can still cause mixed content errors ā€“ I think including some CSS stylesheets and Javascript scripts).

9

OK. Thanks @schoen. Iā€™ll check on that later. Thanks for your help. Have a good evening!

10

OK ā€¦ The offending sub resources were images with absolute paths. The the absolute paths were changed to relative paths. Thanks @schoen

11

I have been reading about LEā€™s DNS challenge.

An overview of my system is this:
The applications servers behind the firewall are reachable through reverse proxy, but do not have A records. I also run my own DNS.

I have adequately encrypted the domain (the front end) but would like to deliver encrypted data from the backend application servers.

Will LEā€™s DNS challenge allow for a CA for the backend servers since I run my own DNS?

Thanks!

12

@Anthon, yes, that should be possible.

13

Iā€™ll check on that. Thanks!

14

Having check that. Is this what I need. The letsencrypt-manual-hook?

@schoen, I already have a domain CA for my domain. The DNS challenge will obtain another certificate. Is the certificate obtained by the DNS challenge to be copied to the backend application server?

15

@Anthon, there are several different clients that now support the DNS challenge in some way. Another option would be acme.sh.

Thatā€™s right: after you get the certificate you would copy it onto the server that youā€™re going to access internally under that name. (You also need a way to do this again when it expires every three months, so it might be useful to look into running the client on the backend server itself. This should be possible if it can make outgoing HTTPS connections ā€” to request the certificate ā€” and if it can also somehow update the DNS records.)

16

Hmm! Very interesting! Running it on the backend server would be delightful! I need to pepper you with a few questions, if you donā€™t mind?

I would be interested in two modes of acme.sh: dns-mode and standalong-mode

The dns-mode requires interactive and adding a TXT record to my dns. You seem to suggest the standalone-mode which has two modes: Standalone server to issue cert and Standalone TLS server to issue cert.

If the application server (backend server) can make outgoing HTTPS connections then running the client on the backend server suggests the best mode is Standalone TLS server to issue cert?

Thanks @schoen , I am having fun!

1 Like
17

Hi @Anthon,

I think the dns-mode is what you want, not the standalone-mode. If the standalone-mode is akin to the standalone feature of Certbot, it involves running a temporary web server on the machine that will obtain the certificate; but if that machine is behind a firewall and canā€™t receive incoming connections from the Internet, that wonā€™t work, because the CA wonā€™t be able to contact the temporary web server. Instead, the dns-mode would be able to make publicly-visible changes to your DNS records for those host names, and the CA would be able to see those changes.

The ability to make outgoing HTTPS connections is necessary in either mode in order to make requests to the Letā€™s Encrypt CA server.

Glad to hear it!

1 Like
18

Hi
Working to LE an internet accessible LAN server. But there were errors. Below is what was done.

1 Download the files for installation

$ git clone https://github.com/lukas2511/dehydrated.git
$ git clone https://github.com/jbjonesjr/letsencrypt-manual-hook.git dehydrated/hooks/manual

2 As indicated by instruction, issued the following command

[name@awesome gitprojects]$ ./dehydrated/dehydrated -c -t dns-01 -d nc.server.com -d www.nc.server.com -k ./dehydrated/hooks/manual/manual_hook.rb

# !! WARNING !! No main config file found, using default config!

  • Generating account keyā€¦
  • Registering account key with ACME serverā€¦
    Processing nc.server.com with alternative names: www.nc.server.com
  • Signing domainsā€¦
  • Creating new directory /home/name/gitprojects/dehydrated/certs/nc.server.com ā€¦
  • Generating private keyā€¦
  • Generating signing requestā€¦
  • Requesting challenge for nc.server.comā€¦
  • Requesting challenge for www.nc.server.comā€¦
    /usr/bin/env: ruby: No such file or directory

First error: # !! WARNING !! No main config file found, using default config!
Second error: /usr/bin/env: ruby: No such file or directory

What / where is the main config file and does ruby needs to be installed ? [I have installed ruby now]

Is there a trial run option?

Thanks

19

Hmmā€¦ Is anyone here familiar with dehydrated?

(You might get more responses starting a new top-level thread that mentions dehydrated in the thread title.)

1 Like
20

dehydrated tries to find the config file in the following locations:

  • File name specified by the -f <file> (--config <file>) command line option.
  • /etc/dehydrated/config
  • /usr/local/etc/dehydrated/config
  • ./config (in the current directory)
  • ${SCRIPTDIR}/config (in the same directory as the dehydrated script)

An example of the config file is provided in docs/examples/config.

Other files, such as domains.txt and the certs directory, are expected to be located in the same directory as the config file (but this can be changed by setting the appropriate variables in the config file).

This error comes not from dehydrated itself, but from letsencrypt-manual-hook ā€” this hook is implemented as a Ruby script, therefore you need to install ruby to make it work.

Looks like dehydrated does not have a ā€œdry runā€ option; however, you can test with the staging CA to avoid running into rate limits.