Reverse proxy certificate CN question


#1

Hi,
I have a server which is publicly available (i.e. myservername.mydomain.com). This server hosts a virtual machine which is not accessible from the outside, only from the server itself, and its name is, say, myapi.mydomain.com. NGINX is on both, and myservername redirects traffic to myapi. Certbot certificates are all generated on myserver (for both myservername and myapi).

When using it from a web browser, everything is fine; but I have a need to consume some REST services from myapi using POCO C++, which constantly fails to verify myapi’s signature. After some research I found out that the problem is in the certificate’s CN: I always get the CN for myservername although the URL targets myapi.

My question is: did I generate the certificate properly for this scenario? I may try to add a separate DNS record for the VM with a different IP, but I am not sure whether this will work.

Thank you in advance


#2

Hi @nikoladsp

Normally, it should work. Sounds like the webserver configuration doesn’t use the correct certificate. Not a problem of the certificate generation, more a problem of using the certificates locally.

You can use two different certificates myservername.mydomain.com and myapi.mydomain.com.

You can also create a wildcard certificate *.mydomain.com and use this with both servers.


#3

Thank you for the reply.

Here is the piece of the myapi server’s NGINX config, on myserver:

server {
    listen 443;
    server_name myapi.mydomain.com;

    # this block (and its certificate) is chosen only when the client's SNI names myapi.mydomain.com
    ssl on;
    ssl_certificate /etc/letsencrypt/live/myapi.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapi.mydomain.com/privkey.pem;
}

And this is the part of myserver’s NGINX config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomain.com myserver.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # default_server: answers any request on 443 whose SNI matches no other server_name (or carries no SNI)
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name mydomain.com myserver.mydomain.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/myserver.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myserver.mydomain.com/privkey.pem;
    ...

I did not know that it is possible to generate a wildcard certificate with Certbot. I may try this one.


#4

This needs ACME v2, which has been available since about March 2018. You have to use the dns-01 challenge, so you need to add two DNS entries for _acme-challenge (one for *.example.com, one for example.com).
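An added example, not code from this thread, from Let's Encrypt or from nginx, that models the two checks behind the symptom discussed above. Part (1) mimics how a server with several TLS virtual hosts picks a certificate: by the SNI name the client sends, falling back to the `default_server` block when no SNI (or an unknown name) arrives. Part (2) mimics the client's hostname check against the chosen certificate, including the RFC 6125 wildcard rule that explains why a `*.example.com` certificate also needs the bare `example.com` entry. All certificate contents, names and server blocks are constructed stand-ins modelled on the nginx configuration quoted earlier in the thread.

```python
"""
Why a client can end up verifying the wrong certificate, modelled in two
steps: (1) the server selects a certificate by SNI, (2) the client checks
the requested hostname against that certificate's names.
Constructed example; the certs and server blocks are stand-ins.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    cn: str
    sans: list[str] = field(default_factory=list)


@dataclass
class ServerBlock:
    """Stand-in for an nginx `server { listen 443 ssl; ... }` block."""
    server_names: list[str]
    cert: Cert
    default_server: bool = False


def select_cert(blocks: list[ServerBlock], sni: Optional[str]) -> Cert:
    """Name-based virtual hosting: match SNI against server_name, otherwise
    hand out the default server's certificate (what nginx does when the
    client sends no SNI or a name no block claims)."""
    if sni is not None:
        for b in blocks:
            if sni.lower() in (n.lower() for n in b.server_names):
                return b.cert
    return next(b.cert for b in blocks if b.default_server)


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one certificate name with a hostname.
    A wildcard may only be the entire left-most label, matches exactly one
    label, and must sit below at least two fixed labels (no '*.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.mydomain.com" -> ".mydomain.com"
    if suffix.count(".") < 2 or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def verify_hostname(cert: Cert, hostname: str) -> bool:
    """What the client does after the handshake: the requested host must
    match a SAN entry; the CN is consulted only when the cert has no SANs."""
    names = cert.sans if cert.sans else [cert.cn]
    return any(name_matches(n, hostname) for n in names)


# Constructed stand-ins for the thread's certificates and server blocks.
SERVER_CERT = Cert("myserver.mydomain.com", ["myserver.mydomain.com", "mydomain.com"])
API_CERT = Cert("myapi.mydomain.com", ["myapi.mydomain.com"])
WILDCARD_ONLY = Cert("*.mydomain.com", ["*.mydomain.com"])
WILDCARD_PLUS_APEX = Cert("*.mydomain.com", ["*.mydomain.com", "mydomain.com"])

BLOCKS = [
    ServerBlock(["mydomain.com", "myserver.mydomain.com"], SERVER_CERT, default_server=True),
    ServerBlock(["myapi.mydomain.com"], API_CERT),
]


def connect(hostname: str, sni: Optional[str]) -> tuple[str, bool]:
    """Simulate one client connection: returns (CN presented, verified?)."""
    cert = select_cert(BLOCKS, sni)
    return cert.cn, verify_hostname(cert, hostname)


if __name__ == "__main__":
    # With SNI the myapi block answers; without it the default_server cert is presented
    # and the hostname check fails, which is the "wrong CN" symptom.
    print(connect("myapi.mydomain.com", sni="myapi.mydomain.com"))  # ('myapi.mydomain.com', True)
    print(connect("myapi.mydomain.com", sni=None))                  # ('myserver.mydomain.com', False)
    # A wildcard alone covers one label below the domain, not the domain itself.
    for c in (WILDCARD_ONLY, WILDCARD_PLUS_APEX):
        print(c.sans, verify_hostname(c, "myapi.mydomain.com"), verify_hostname(c, "mydomain.com"))
```

The model only reproduces the selection and matching rules; it does not tell you what a given client library sends. To see what a real server presents, compare the certificate returned with and without an SNI name (for example with `openssl s_client -connect host:443 -servername myapi.mydomain.com` versus the same command without `-servername`); if they differ, the client library in use is not sending the name it should.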


#5

Thank you kindly! I am on the line with no-ip support, which is my DNS provider.

Best regards


#6

Sorry, I forgot to ask whether this is a good command:

certbot certonly --manual -d *.mydomain.com -d mydomain.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.