Obtaining Certificates for Services Running On Different Servers but With Same Public IP

Yeah, I don’t know what i’m doing.
I am all new into this, and before i post this, I PROMISE I have searched the web for 3 days to find a solution. The thing is that I had almost no knowledge in linux/ubuntu/debian, but I just jumped right into it.

Here is my setup:
I have one PI (A) running debian, I installed let’s encrypt on this, with a duckdns to my home IP address and i works fine and everything. My router is forwarded from port 448 (https) to the this service on this PI(A).

Then I have another PI (B) running debian, and a webserver and several domains.

This is what is want:
I don’t want to use the duckdns domain any more, I have my own domain that i want to use.
I want to host https sites the PI(B) running webserver, and I want the service running on the PI(A) to be https as well.

I used a tutorial guide to setup let’s encrypt on the PI (A), so I kind of know what it’s all about, but I have no idea where to start on solving this problem.

Let me know if you need any additional information.

I apologize for my English and my lack of know-how, hope someone understands my situation and can help.

Hi @filip,

How are you expecting to distinguish between the two sites once they are both set up? How will you indicate that you want to access one of the Pis as opposed to the other one?

By the way, HTTPS is on port 443 rather than 448.

Hi! So, this is not a particularly straighforward question, and the answer depends heavily on what web server you’re using. The problem is, unless you have a very smart router (you probably don’t, they cost a lot), it’s going to have no way of knowing which host to forward traffic to based on URL. (There’s also the issue of the TLS handshake but we won’t worry about that quite yet.) So, what you’re basically going to have to do is pick one of the two Pi’s to be the outward-facing web server - probably the beefier of the two on memory, although it’s not really a big deal. This one will be configured as a “reverse proxy” for the other.

Example time! Let’s say you make A the outward-facing one serving apples.com and B the proxied server serving blueberries.com. You will need to forward 443 (not 448 - HTTPS is 443) to A. A will then need to have a certificate with both apples.com and blueberries.com on the same cert. In your web server config, you’ll have apples.com set up like normal, and blueberries.com set to proxy requests to B.

I do this exact same thing with nginx, the directive you would use for A forwarding to B is proxy_pass https://blueberries.com/ inside the server block for blueberries.com on A’s config.

hi @filip

as @jared.m pointed out what if you have two different domains a.com and b.com resolving to the same public IP (which you seem to do) then you need to use a layer 7 proxy to control the traffic

There are several ways of solving this

The easiest way is to use a third raspberry pi as a dedicated load balancer. at $35 a pop it’s not a biggie

A) Router HTTP/HTTPS --> RPI3 - SITE A -> RPI1
- SITE B -> RPI2

Because RPI3 is the “Front Facing Server” you can configure SSL on this server only as the backend connections (to RPI1 and RPI2)

You can also have end to end encryption and install certificates on both of these as well

B) With Two Raspberry PI

Router --> RPI1 --> SITE B -> RPI2

RPI1 will need to write a reverse proxy

C) What software to use for Layer 7 proxying

As @jared.m suggested NGINX is a good proposal however recently I have started using Caddy web server for these kinds of problems.


Hi @jared.m, schoen
Thanks for taking the time to answer my questions.

@ahaw021 Your A solution might actually be something I think I would be able to setup with my level of experience. Or at least I think I understand it.

But guys, what if I just moved my home automation-service from PI(A) to PI(B) and only run on one machine (all though I would rather not). How do I move the certificates to PI(B) or delete it, and how do i change the domain that I wanted to change? If I just delete the files and the certificate expires, can I just start over like I did the first time with a new domain?
About removing from PI(A) can you help me, like with what commands I a have to run? :confused:

if you want to consolidate both servers on to one raspberry pi then that’s not a problem

move the web server configs etc to a raspberry pi

then run the -expand flag and add the domain for the domain you transferred over.

This will create a new certificate with the original domain and the new domain.

But it does have the advantage that your certificate chain is updated

Have a look at -expand here: Reverse Engineering Certbot Expand Option to Use with Another Client


Hi Andrei,
I gave up on the other solutions and I moved my home assistant service together with the Apache server (only one RPI). Now. To do what you say would this be it? Sort of: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-16-04-server

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.