LetsEncrypt cert setup with proxy server question

Hi all,

I have a functioning, existing webserver (Ubuntu22LTS/Nginx/PHP/Mysql/LetsEncrypt) that is directly behind the router. I am trying to put it behind a proxy server (Ubuntu22LTS/nginx/LetsEncrypt). The only extra function I would like the proxy to handle is the LE certs for all the servers that will be behind it.

I have set up the proxy server and have set up LE on it with all the domains that I am using, but I do have a question.

My question is about the existing webserver. How do I set up the webserver to use the proxy LE certs? Should I just completely uninstall the certbot and somehow edit the /etc/nginx/sites-available/DOMAIN.conf file?

How do I do this?

Can't really find a functional answer on my searches.

Regards

Do you want to use HTTPS between your proxy and "all the servers behind it" ?

Or is HTTP satisfactory? If they are all on the same local network this may be fine.

Why not just use SSH keys and rsync to distribute the certificates to the webservers using custom scripts and a deploy hook?

Unless you use DNS-01 authentication, you won't be able to simply get a cert from LE in two different systems. You can't share the HTTP-01 authentication requests:

  • if the proxy catches it, then the server behind it can't use it [keeping servers at HTTP]
  • if the proxy ignores it, then it can't obtain a cert for it [breaks HTTPS proxy capabilities]

That said, there are less simple ways to get a cert for the exact same name into multiple systems.

  • Using DNS-01 [where possible] is the simplest way
    [each system can independently obtain its own certs]
  • using a "central" certificate system that can share the certs with all the systems that need them
  • using scripts to copy certificates from one system to another

You need to review the available options and decide which is best for you:

  • Does your DSP support API updates to your DNS zone?
  • Do you need HTTPS between the proxy and the servers?
  • Do you need the exact same cert in both places [or just the same name]?
  • Can you set up, and maintain, a dedicated certificate management system?
  • How proficient are you with scripts?
  • How simple do you need the "solution" to be?

Hi

Just the proxy needs the certs, http inside same lan is fine

Everything behind proxy is on the same lan

Can I remove/uninstall the current webserver certs?

If so how?

Sure, is your proxy_pass already set up to connect to your backend server using HTTP? If not, do that. If so, then you no longer need the server block in your backend server for HTTPS (probably port 443).

Remove that HTTPS server block and restart nginx. Then go ahead and delete the certs. You could optionally delete Certbot although with all its certs gone it won't be doing much anyway.

I would do one step at a time and test after each step. That way if something goes wrong you can more easily restore.

See the below Certbot sections for more details on cert deletes
https://eff-certbot.readthedocs.io/en/latest/using.html#deleting-certificates

Once the certs are gone you can uninstall Certbot itself. Or, just delete the cronjob or systemd timer that does the auto-renew. See below
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

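A concrete pair of nginx server blocks for the layout the answer above describes (TLS terminated on the proxy with the LE certs, plain HTTP to the backend on the LAN, HTTPS block removed from the backend). This is an added example, not configuration posted in the thread; the domain example.com, the backend address 192.0.2.10, the proxy's LAN address 192.0.2.1, the certbot webroot path and the PHP-FPM socket path are assumptions.

```nginx
# Added example, not from the thread. Assumed names: example.com,
# backend at 192.0.2.10, proxy LAN address 192.0.2.1.

# ---- on the PROXY (Ubuntu 22.04 / nginx / certbot) ----
server {
    listen 80;
    server_name example.com www.example.com;

    # HTTP-01 challenges are answered here on the proxy, so the backend
    # never sees them (the "proxy catches it" case from the earlier post).
    location /.well-known/acme-challenge/ {
        # assumed webroot, e.g. certbot certonly --webroot -w /var/www/certbot -d example.com
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # default certbot paths for the assumed domain
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://192.0.2.10:80;                    # plain HTTP inside the LAN
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;         # tells PHP the client used HTTPS
    }
}

# ---- on the BACKEND webserver, replacing the old DOMAIN.conf ----
# The former "listen 443 ssl" block and its ssl_certificate lines are removed.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.php index.html;

    # optional: accept connections only from the proxy (assumed address)
    allow 192.0.2.1;
    deny  all;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;   # Ubuntu 22.04 default PHP 8.1 socket
    }
}
```

Two points worth checking as you go step by step: run `nginx -t` before each reload so a typo in the trimmed backend config does not take the site down, and keep the X-Forwarded-Proto header, because a PHP application that only looks at the local connection will otherwise think every request is plain HTTP and may generate http:// links or redirect loops. Only once the proxy is serving the site correctly should the backend's certificate be removed with `certbot delete --cert-name example.com`, as the linked Certbot documentation describes.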