Reverse proxy certificate CN question

nikoladsp · June 14, 2018, 12:45pm

Hi,
I have a server which is publicly available (ie myservername.mydomain.com). This server hosts virtual machine which is not accessible from the outside, only from the server itself and its name is say, myapi.mydomain.com. NGINX is on both, and myservername redirects traffic to myapi. Certbot certificates are all generated on myserver (for both myservername and myapi).

When using from web browser, everything is fine; but I have a need to consume some REST services from myapi using POCO C++, which constantly fails to verify myapi’s signature. After some research I find out that problem is in certificate’s CN: I always get CN for myservername alhtough URL targets myapi.

My question is: did I generate certificate properly for this scenario? I may try to add separate DNS record for the VM with different IP, but not sure will this work.

Thank you in advance

JuergenAuer · June 14, 2018, 1:48pm

Hi @nikoladsp

normally, it should work. Sounds like the webserver configuration doesn’t use the correct certificate. Not a problem of the certificate generation, more a problem using the certificates local.

You can use two different certificates myservername.mydomain.com and myapi.mydomain.com.

You can also create a wildcard-certificate *.mydomain.com and use this with both servers.

nikoladsp · June 14, 2018, 2:14pm

Thank you for the reply.

Here is the piece of myapi server NGINX on myserver:

listen 443;
server_name myapi.mydomain.com;

ssl on;
ssl_certificate /etc/letsencrypt/live/myapi.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapi.mydomain.com/privkey.pem;

And this is the part of the myserver’s NGINX:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomain.com myserver.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;       
    server_name mydomain.com myserver.mydomain.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/myserver.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem;
    ...

I did not know that is possible to generate wildcard certificate with Cetbot. I may try this one.

JuergenAuer · June 14, 2018, 3:15pm

This needs ACME-v2, it’s available since ~~ march 2018. You have to use the dns-01 - challenge, so you need to add two dns-entries _acme-challenge (one *.example.com, one example.com).

nikoladsp · June 14, 2018, 4:09pm

Thank you kindly! I am on line with no-ip support which is my DNS provider.

Best regards

nikoladsp · June 14, 2018, 5:03pm

Sorry, I forgot to ask: if this is a good command:

certbot certonly --manual -d *.mydomain.com -d mydomain.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

system · July 14, 2018, 5:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.