Some help needed

I have a domain networkingtechnology.org, hosted by HostUpon in Canada.

I have a sub-domain - corp.networkingtechnology.org hosted in my office. We have 2 x ML110 HP Proliant G6 servers with ESX 6

I have my own GroupWise 7 mail server, and three Apache Virtual servers: techsup.corp..., writing.corp... and music.corp...

We don't really use the networkingtechnology.org domain. The MX record is forwarded to my own mail server and we use an OPNsense Firewall.

My question is:
Can I create SSL Certs for my webservers on corp.networkingtechnology.org or do I have to get HostUpon to install Let's Encrypt and include the corp. subdomain?

1 Like

Sure, though how you'd go about it would depend on some details you haven't mentioned. Depending on who hosts your DNS, the simplest way to do it might be using DNS validation.

11 Likes

I host my own DNS on windows servers but not on AD servers. We do have 2 x AD servers, but I chose to keep the DNS independent.

The only thing on HostUpon is the Domain name and everything else is hosted on corp.networkingtechnology.org, which is in my office.
That way, I can do my own security.

1 Like

It's certainly possible, but most people coming to this Community run a relatively simple setup, e.g. a single non-virtualised host running Linux and a webserver. Your setup with multiple virtual servers makes it a little bit different, but certainly not impossible.

If all the webservers have their own hostname, you can just get a certificate for that single hostname on that host. So that for all Apache hosts you have 3 single certificates, one per host. And if your GroupWise mailserver also has its own host, you probably could get a certificate for that one too.

If you wish to have a single wildcard cert for all hosts, things get a little bit more difficult I reckon though.

11 Likes

Hi @HankM, and welcome to the LE community forum :slight_smile:

If the Apache web servers can respond to HTTP, then you should be able to get certs for any names that can be used to reach them.

11 Likes

I like to check out the water before I leap in.

These servers are running over http on CentOS 7. Let us suppose I install the certificates for them right now.

In 6 months time, if I want to move those web servers over to Centos 8 on a spanking new server, what happens then? Do the certificates transfer as well or do I have to create new ones?

1 Like

If you copy the entire contents (without modification) of the /etc/letsencrypt/ folder, then, yes.
Otherwise, you can also just get all new ones.

9 Likes

Thanks, I guess all that's left to do now is try to install them and hope it works. Knowing my luck, I'll probably be back asking for help!

2 Likes

I must be psychic, but then again, nothing on Linux ever works for me first time.

Account registered.
Requesting a certificate for corp.networkingtechnology.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: corp.networkingtechnology.org
Type: connection
Detail: 79.132.230.61: Fetching http://corp.networkingtechnology.org/.well-known/acme-challenge/lugeH90-_PfIZkuCTCFhR3a_tKLl8yIOLLMD70l_hIg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

Port 80 needs to be accessible from the internet for the http-01 challenge to work.

10 Likes

Port 80 and port 443 are open on the CentOS 7 firewall AND on my OPNsense firewall. The virtual servers are accessible on http (port 80)

1 Like

Well, I can't connect to your site anyway, timeout. Nor can LE. So something must be blocking connections still.

10 Likes

Funny. I get the same reply from techsup and I know you can get to that one.

Requesting a certificate for techsup.corp.networkingtechnology.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: techsup.corp.networkingtechnology.org
Type: connection
Detail: 79.132.230.61: Fetching http://techsup.corp.networkingtechnology.org/.well-known/acme-challenge/wMTuPheDZ8nYT_EWL9x8hweVpQziRzdWhk4QdJyiA8s: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

I can't hit any of your servers via http, ping and traceroute. Do you have a firewall rule blocking access by the public internet?

11 Likes

It's past my bedtime here 23:12. I'll check it out tomorrow. I must be missing something.

3 Likes

How would you know that? Because it isn't the case, also a timeout for the techsup subdomain here.

10 Likes

It's my Firewall. We used Smoothwall Express 3.1 for years with no problems, but it seems to have stagnated, so we installed OPNsense. It's been running for two weeks so no one has been able to access our websites. They work fine from INSIDE the firewall. I just fire up a VPN to test it.

I'm working on a solution. OPNsense is much more complicated than Smoothwall and the OPNsense Forum leaves a lot to be desired. One hardly ever gets a response to a question.

If I can't get it sorted by the weekend, we'll just move back to Smoothwall Express.

I'll get back to you if I still have problems when it's working on the firewall.

Thanks for the help so far. I may be back!

4 Likes

It's not the Firewall, it's a defective router that my ISP supplied. I have to wait until next week to get it replaced.

3 Likes

OK I got everything fixed. Installed a certificate for corp.networkingtechnology.org. It found my two sites techsup.corp... and writing.corp...
I ran Qualys SSL test and corp is fine, but the two forums failed and don't have the lock and show as insecure when I go to the site.

I guess there are more steps I'm missing.

Can you please help?

2 Likes

Each name needs to be in a cert.
[simplest is to get one cert with all the names on it]
I only see one cert, with one name on it:
crt.sh | corp.networkingtechnology.org

6 Likes
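To make the last answer (and the earlier wildcard remark) concrete, here is an added example, not code from the thread or from Certbot, that checks which hostnames a certificate's Subject Alternative Names actually cover. It applies the RFC 6125 rule that a wildcard stands in for exactly one leftmost label; the SAN lists are constructed from the names discussed above.

```python
# Added example (not from the thread): which hostnames does a certificate's
# SAN list cover? A wildcard matches exactly one leftmost label (RFC 6125),
# so "*.networkingtechnology.org" covers corp.networkingtechnology.org but
# not techsup.corp.networkingtechnology.org. All SAN lists are constructed.

def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname  # non-wildcard entries need an exact match
    # Wildcard: '*' must be the whole leftmost label and replaces only one label,
    # so the label counts must agree and every remaining label must be equal.
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if len(san_labels) != len(host_labels) or len(host_labels) < 3:
        return False
    return san_labels[1:] == host_labels[1:]

def uncovered_names(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames no SAN covers; browsers show these as insecure."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

# The sites from the thread, with the abbreviated names written out in full.
SITES = [
    "corp.networkingtechnology.org",
    "techsup.corp.networkingtechnology.org",
    "writing.corp.networkingtechnology.org",
]

# Case 1: the certificate the poster obtained, carrying a single name.
SINGLE_NAME_CERT = ["corp.networkingtechnology.org"]

# Case 2: one certificate with every name on it (the suggested simplest fix).
MULTI_NAME_CERT = SITES

# Case 3: a wildcard for the parent zone; it does not reach the deeper labels.
WILDCARD_CERT = ["*.networkingtechnology.org"]

if __name__ == "__main__":
    for label, sans in [("single-name", SINGLE_NAME_CERT),
                        ("multi-name", MULTI_NAME_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        missing = uncovered_names(sans, SITES)
        print(f"{label}: not covered -> {missing or 'none'}")
```

Running it shows that both the single-name cert and a parent-zone wildcard leave techsup.corp and writing.corp uncovered, which is exactly the "insecure" result the Qualys test reported.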