I have a nginx server used as a proxy server to multiple sites. I have one configuration file using proxy_pass to redirect traffic to a local ip of 192.168.1.166:
_____________________________________________________
server {
    listen 80;
    listen [::]:80;
I installed Let's Encrypt using the command sudo certbot --nginx
on 192.168.1.166 and have a configuration file:
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blownup.space/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blownup.space/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/blownup.space;
    index index.html index.htm index.nginx-debian.html;
    server_name www.blownup.space blownup.space;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # proxy_pass http://127.0.0.1:8080;
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    if ($host = www.blownup.space) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = blownup.space) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    root /var/www/blownup.space;
    index index.html index.htm index.nginx-debian.html;
    server_name www.blownup.space blownup.space;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # proxy_pass http://127.0.0.1:8080;
    }
}
Do I need to run the command on the first machine also or only? And how do I run the command for a specific configuration file, not the default?
Generally, if you are running a proxy server for an internal network, you'll only want to set up SSL/Certbot on the proxy server, not on the internal servers.
So in your instance I don’t think you actually want to be running Certbot on 192.168.1.166 - just listen on port 80 there.
And on your proxy server, issue SSL certificates for each of your proxied virtual hosts with e.g.:
The first machine is passing all port 80 traffic to the second one.
So the second one can authenticate for itself.
Commands are specific to FQDNs.
Which should match up to individual vhost configs.
Based on this:
It seems you have already obtained certs on that second system.
You can review certs issued, the FQDNs covered, and their expiration dates easily with: certbot certificates
So...
What problem remains?
Is the nginx also going to proxy port 443 traffic?
[that would require the nginx to terminate the SSL and thus also need matching certs]
Yes, what I need to know is how to proxy port 443 traffic with Let's Encrypt. Can I just copy and paste the certificates to the proxy server and set the configuration the same? Or do I run Certbot on the proxy server? I do have port 443 open and directed to the proxy server from my router.
It seems like I can have Certbot certificates on the proxy server and redirect anything coming through the 443 port to the local server. However, is there a flag I can use with installing Certbot for a specific configuration file? In this case /etc/nginx/sites-available/blownup.space
You can use the --nginx plugin which should try to parse the nginx config and update it accordingly to use https on the given config (covering the given domain/FQDN).
You can also specify which domain/FQDNs you want it to specifically address with -d blownup.space -d www.blownup.space
[if the www also exists]
So a good place to start is: certbot --nginx -d blownup.space
or certbot --nginx -d blownup.space -d www.blownup.space
[whichever matches the server_name {list of name(s)} in the vhost config covering that name]
If that fails, reply with the exact command you ran and the error message returned.
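The proxy-side result of the steps above, as an added example that is not part of this thread: a hypothetical /etc/nginx/sites-available/blownup.space on the proxy after certbot --nginx has inserted its managed lines, assuming the backend at 192.168.1.166 listens on plain port 80 and that the proxy_set_header lines are added by hand.

```nginx
# Added example (not from the thread): proxy-side vhost after
# `certbot --nginx -d blownup.space -d www.blownup.space` has run.
# Assumes the backend is 192.168.1.166 on plain port 80 and that
# this file is /etc/nginx/sites-available/blownup.space on the proxy.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.blownup.space blownup.space;

    # These four lines are what the --nginx plugin inserts; TLS is
    # terminated here, so the backend never needs its own certificate.
    ssl_certificate /etc/letsencrypt/live/blownup.space/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blownup.space/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass http://192.168.1.166;
        # Forward the original host, client address and scheme so the
        # backend builds correct redirects and can tell HTTPS from HTTP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name www.blownup.space blownup.space;

    # Plain HTTP stays reachable only to redirect to HTTPS; the --nginx
    # plugin answers the HTTP-01 challenge here itself during renewal.
    return 301 https://$host$request_uri;
}
```

Check the result with nginx -t before reloading. Because the backend now receives plain HTTP, it should accept connections only from the LAN (or only from the proxy), and it should trust X-Forwarded-For only when the request comes from the proxy's address.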
You are awesome, that was it. I didn’t have to actually make any changes on the server with the files, only on the proxy server.
I ran the command you suggested on the server using proxy_pass:
certbot --nginx -d blownup.space
This was all I had to do, no further configuration. Thank you for helping me clean things up.