I have set up letsencrypt using winsimple and all is good. The server which cert is installed on renews without drama.
What I need is to update the cert which was imported to a proxy server that allows in communication.
I see it is possible have it update according to Multiple Webservers
So I was just wondering how we go about doing this in some more detail?
It depends on how you have things set up and what level of configuration you can make. You could try handling the certificate stuff on the proxy. Alternately, if you can point a specific URL path to a single server, you could use the webroot method on that server to get the certificate and then update the proxy server. You could also use the DNS validation method to handle the certificate without needing to adjust the proxy configuration.
All the proxy does is point internal traffic to the right server if the incoming name is valid, to a HTTPS version (hence the reason for cert to be on the proxy)
Which way do you recommend as the best option? and is there some documentation I could refer to?
Each setup is unique, so there’s not really documentation. Likewise, the best option depends on the situation. Webroot is usually very simple to implement and you don’t need to interrupt or interact with other services to use it. However, in some configurations, it may be impossible to use.
That said, I’m a fan of the webroot method because of its simplicity and recommend trying it first. If you can have the proxy serve a path from local content, you could run certbot on the proxy cleanly. Any other options will involve more complexity in that you’d need to copy certificate files or find a way to modify DNS records.
If you could make use of a local global alias on the proxy:
Alias /.well-known/acme-challenge/ /path-to-challenge/
You could catch all auth requests into one folder.
Then also include something like:
ProxyPass /.well-known/acme-challenge !
in the vhost files to NOT proxy the auth challenge requests.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.