Same certificate on both IIS and Apache


#1

I’m just doing the research here.

I’m using IIS ARR (Application Request Routing) as a reverse proxy to connect to some servers running Apache on Windows and IIS. I need the certificate to be updated on both hosts.

How would I update the same certificate or host name on both a Windows instance of a reverse proxy site and an Apache-on-Windows instance or internal IIS website? Or would I just use a separate certificate instance for every appearance of that hostname?


#2

It seems like this is a scripting task that might involve writing a PowerShell or bash script to perform the certificate installation when the certificate is renewed. Many Let’s Encrypt clients allow you to specify a script to run upon renewal; for example, with Certbot, you can specify --deploy-hook to indicate a script which will be run when the certificate is renewed (and Certbot provides environment variables to tell the script which certificate has been renewed and where the new files are located).

Alternatively, you can use separate certificates if you want. Let’s Encrypt will allow you to create up to 5 different certificates per week with duplicative subject names.

Alternatively, perhaps you could terminate TLS on the reverse proxy itself, in which case only the reverse proxy would need to have the certificate and private key. But this might not be appropriate in some applications depending on the trust relationships and how powerful the server hardware is.
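As an added illustration of the deploy-hook approach described above (this is example code written for this post, not something from Certbot, the IIS ARR project or the original poster), here is a PowerShell script that installs one renewed certificate into both an Apache-on-Windows instance and an IIS site. Certbot exports `RENEWED_LINEAGE` (the `live\<name>` directory holding the new files) and `RENEWED_DOMAINS` to the hook. The Apache paths, the `Apache2.4` service name, the `ReverseProxy` site name and the presence of `openssl.exe` on `PATH` are assumptions for the example; adjust them for your hosts. The script must run elevated, since it writes to the machine certificate store and restarts services.

```powershell
# Example Certbot deploy hook for Windows (added example, not Certbot's own code).
# Assumed invocation:
#   certbot renew --deploy-hook "powershell.exe -ExecutionPolicy Bypass -File C:\certbot\deploy.ps1"
# Certbot sets RENEWED_LINEAGE (live\<name> directory) and RENEWED_DOMAINS for the hook.
$ErrorActionPreference = 'Stop'

# --- Assumed local layout; change these for your environment ---
$ApacheConfDir = 'C:\Apache24\conf\ssl'   # assumption: where httpd.conf points SSLCertificateFile/KeyFile
$ApacheService = 'Apache2.4'              # assumption: Windows service name of httpd
$IisSiteName   = 'ReverseProxy'           # assumption: IIS site that already has https binding(s)
$OpenSsl       = 'openssl.exe'            # assumption: openssl available on PATH

$lineage = $env:RENEWED_LINEAGE
if (-not $lineage) { throw 'RENEWED_LINEAGE is not set; run this script from certbot --deploy-hook' }
$fullchain = Join-Path $lineage 'fullchain.pem'
$privkey   = Join-Path $lineage 'privkey.pem'
Write-Host "Deploying renewed certificate for: $env:RENEWED_DOMAINS"

# 1. Apache: copy the PEM files into place, then restrict the key file to SYSTEM and
#    Administrators so the private key is not readable by other local accounts.
$apacheKey = Join-Path $ApacheConfDir 'privkey.pem'
Copy-Item $fullchain (Join-Path $ApacheConfDir 'fullchain.pem') -Force
Copy-Item $privkey   $apacheKey -Force
$acl = Get-Acl $apacheKey
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissions from the folder
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl $apacheKey $acl
Restart-Service $ApacheService

# 2. IIS: bundle cert + key into a PFX protected by a throwaway password, import it into
#    LocalMachine\My, and point every existing https binding of the site at the new thumbprint.
$pfx = Join-Path $env:TEMP 'renewed.pfx'
$pfxPassword = [guid]::NewGuid().ToString('N')   # one-time password; the PFX is deleted below
& $OpenSsl pkcs12 -export -in $fullchain -inkey $privkey -out $pfx -passout "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }
try {
    $secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $secure
} finally {
    Remove-Item $pfx -Force -ErrorAction SilentlyContinue
}

Import-Module WebAdministration
Get-WebBinding -Name $IisSiteName -Protocol https | ForEach-Object {
    $_.AddSslCertificate($cert.Thumbprint, 'My')
}

# 3. Housekeeping: drop older certificates with the same subject that are now unreferenced,
#    so the store does not accumulate one expired entry per renewal.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $cert.Subject -and
                   $_.Thumbprint -ne $cert.Thumbprint -and
                   $_.NotAfter -lt $cert.NotAfter } |
    Remove-Item

Write-Host "Installed certificate $($cert.Thumbprint) on Apache ($ApacheService) and IIS site $IisSiteName"
```

If the Apache host and the IIS host are different machines, the hook runs where Certbot runs; copying the files to the second host (for example over an administrative share or WinRM) is the one step this single-machine example leaves out. Keeping the key copy tightly permissioned and deleting the temporary PFX matters because every host that holds the private key is an additional place it can be stolen from, which is the same concern behind the suggestion to terminate TLS only on the proxy.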


#3

Ok, thanks for the quick response. I’m thinking multiple certificates is probably going to be the best option. SSL offloading would be nice but there are other prohibitive factors.
There is also the 1:1 ratio of certificates to public IP addresses, which is a factor. A SAN cert and wildcard cert would be required on the proxy, whereas not on the individual protected sites.

