Install certificate to servers running behind firewall

Hi there,

I’ve just installed certificates using the instructions for Ubuntu and everything works great.

However, I needed some help with my particular setup where I’ve got multiple servers behind a firewall.

Here’s a simple network diagram that best explains what I have

[Internet]
|
|
|
[Router Port Forwarding]
|

  • Server 1 [Port 80/443] Apache CertBot installed
  • Server 2 [Port 8080/8443] Email Server

I suspect this might be a common question that people have, but I have certbot installed and set up on server 1, and everything works fine and is secure.
However, server 2 doesn’t have proper security settings and is also running an email webserver and doesn’t show up as secure.

So my question is: what do I need to do to make sure that even server 2 shows the correct security certificates (from server 1)?

Server 2 is a legacy system and I cannot make changes to it.

Thanks
AK


Have you considered giving Server1 the role of reverse proxying traffic for Server2?

That way, you could use the same certificate for both 443 and 8443, and avoid touching Server2 at all.


I suppose that should work very nicely.

But out of curiosity, is there an alternative method?

Sure, you could create a --deploy-hook that copies the certificate and private key to your mailserver and reloads the mailserver every time the certificate is renewed.

Pros: your mailserver doesn’t require your webserver to be online to proxy traffic for it
Cons: More moving parts, more DIY scripting required, webserver needs to be authorized to run commands on your mailserver.

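The deploy-hook approach from the reply above, as an added example that is not the poster's own script: certbot runs the hook after a successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set, and the script only touches the mailserver when the renewed certificate actually carries its name. The host name, the deploy account, the remote directory and the reload command are placeholders, and the transport commands are variables so the logic can be exercised locally without SSH.

```shell
#!/bin/sh
# Certbot deploy hook: push the renewed certificate to the mail server and
# reload it. Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/NAME)
# and RENEWED_DOMAINS (space-separated names on the cert) before running it.
# Assumed placeholders (not from the thread): host mail.example.com, a
# dedicated low-privilege account 'certdeploy' on it, and a sudo rule there
# that allows exactly this one reload command and nothing else.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"
DEPLOY_USER="${DEPLOY_USER:-certdeploy}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/mail}"
RELOAD_CMD="${RELOAD_CMD:-sudo -n /bin/systemctl reload postfix}"
# Transport commands are overridable so the logic can be exercised locally.
COPY_CMD="${COPY_CMD:-scp -q -o BatchMode=yes}"
REMOTE_CMD="${REMOTE_CMD:-ssh -o BatchMode=yes}"

# covers_mail_host NAME "DOMAINS": succeed only if NAME is one of the
# renewed domains, so renewals of unrelated lineages never touch the mailer.
covers_mail_host() {
    for d in $2; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# deploy_mail_cert LINEAGE_DIR: copy chain and key, lock down the key's
# mode on the remote side, then reload. Returns non-zero on any failed step
# so the problem shows up in certbot's renewal output instead of silently
# leaving the old certificate in service.
deploy_mail_cert() {
    lineage="$1"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    for f in fullchain.pem privkey.pem; do
        $COPY_CMD "$lineage/$f" "$DEPLOY_USER@$MAIL_HOST:$REMOTE_DIR/$f" || return 1
    done
    $REMOTE_CMD "$DEPLOY_USER@$MAIL_HOST" \
        "chmod 600 '$REMOTE_DIR/privkey.pem' && $RELOAD_CMD" || return 1
}

# Entry point when certbot invokes the hook; act only for the certificate
# that carries the mail host's name.
if [ -n "$RENEWED_LINEAGE" ] && covers_mail_host "$MAIL_HOST" "$RENEWED_DOMAINS"; then
    deploy_mail_cert "$RENEWED_LINEAGE"
fi
```

Install it with `--deploy-hook /path/to/this/script` or drop it into /etc/letsencrypt/renewal-hooks/deploy/, and keep the deploy account's SSH key and sudo rule limited to exactly the copy and reload it needs.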

You may be able to use a separate ACME client with DNS authentication on server 2.

Pros:

  • completely independent of server 1
  • can even be the exact same name used by server 1

Cons:

  • DNS authentication is much more complicated than HTTP authentication
  • requires using a supported DNS provider

My preference though would be to reverse proxy via server 1 - just for the record :wink:
