Hello everyone, I’ve been reading for about 4 hours now and can’t seem to find what I’m looking for. I have solved a few issues but I have one hanging one… Or I have seen the answer, I’m just not understanding it.
my network… single public IP with several servers behind it on different VLANS. I need to have access to servers from both LAN and WAN… Previously I only had a couple servers and was using paid SSL certificates. Installation was easy… Now I have more services and need SSL everywhere… here is where i’m getting stumped…
I have two dns views with bind, one for internal, one external. Internally when I request a site i’m given the 10.x.x.x Ip address, when accessing the same services outside the LAN DNS returns me to the WAN IP.
Now i’m trying to use Lets Encrypt and save hundreds a year in SSL… This is where my confusion begins…
I previously used (and still using) Apache Reverse Proxy… Almost all servers are Ubuntu 16, and soon to be 18 LTS. As I understand it, certbot will create a verification file on the requesting machine in order to create the certificate. I have no problem creating all the certificates for the Virtual Hosts on the Reverse Proxy server (before configuring the Proxy for the subdomains…), thats the easy part… Where it’s confusing me is once I configure the proxy and send all traffic to the internal machines certbot won’t be able to automatically renew the cert on the proxy, since the internal servers will receive the request, however the internal servers will have no problem renewing… Is that correct??
a quick rough diagram
|internet|-----|cisco router|----[reverse proxy]----[L3 switching]---|---vlan10----[ssl server 1:443 - a.domain.com] | |---vlan20----[ssl server 2:443 - b.domain.com] | |---vlan30----[ssl server 3:443 - c.domain.com] | | | [internal LAN]
In a nutshell, Is it possible to have auto updated SSL on both the proxy and the internal servers?
The more I read the more I learn, but the more confused I am with all the options.
Thanks, and I’m sorry if this has been answered already I likely am just not understanding the solution.
example vhost configs on the proxy, DNS is answered by tine internal view, so the local IP is returned for the domain name. Each vhost is a separate file.
<VirtualHost *:443> SSLCertificateFile /etc/letsencrypt/live/a.domain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/a.domain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf #LogLevel emerg ServerName a.domain.com ServerAdmin firstname.lastname@example.org DocumentRoot /var/www/vhosts/a.domain.com/htdocs/ ErrorLog /var/www/vhosts/a.domain.com/logs/ssl-error.log CustomLog /var/www/vhosts/a.domain.com/logs/ssl-access.log "combined" SSLProxyEngine on ProxyPreserveHost On # Servers to proxy the connection, or # List of application servers Usage ProxyPass / https://a.domain.com/ ProxyPassReverse / https://a.domain.com/ </VirtualHost> <VirtualHost *:443> SSLCertificateFile /etc/letsencrypt/live/b.domain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/b.domain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf #LogLevel emerg ServerName b.domain.com ServerAdmin email@example.com DocumentRoot /var/www/vhosts/b.domain.com/htdocs/ ErrorLog /var/www/vhosts/b.domain.com/logs/ssl-error.log CustomLog /var/www/vhosts/b.domain.com/logs/ssl-access.log "combined" SSLProxyEngine on ProxyPreserveHost On # Servers to proxy the connection, or # List of application servers Usage ProxyPass / https://b.domain.com/ ProxyPassReverse / https://b.domain.com/ </VirtualHost>