If I have a reverse proxy that proxies for a few different virtual machines, do I want to install the Let's Encrypt certs on the reverse proxy, or on the VMs individually?
If the certs get installed on the reverse proxy, do the forwarded requests from the proxy to the VM get passed unencrypted? If so, is there a way to ensure that the proxied connection is also encrypted? That way, if the VM has to be on a different machine than the proxy, the connection from client all the way to the endpoint will be encrypted and secure.
I run a reverse proxy which provides TLS for all services on my network. I have a wildcard on the proxy, so all requests from the internet to the proxy are encrypted. It then passes them unencrypted to the host inside my network.
If you want to encrypt connections from the proxy inside your network, probably the best way I could think of is to use OpenSSL to make a private certificate authority and issue multi-year certificates that are only trusted on your devices. At least that's how I would do it (and I may sometime here in the future, since I already have a CA).
The other option (terminating TLS on the end VMs instead of on the proxy) is also possible and is used in some configurations. It mostly depends on your preferences, system administration methods, and the capabilities of your proxy. In one case you might be proxying things at a different network layer than the other case. Let’s Encrypt doesn’t specifically require or expect one configuration or the other.
An advantage of terminating TLS on the proxy is that it may be simpler to get and renew your Let’s Encrypt certificates because you can run a Let’s Encrypt client application directly on the proxy to prove your control over the relevant domain names.
I will opt for the first solution, using the proxy to get the certificates and then using my own certs for the proxied connections. The client never knows about the proxied connections anyhow, right?