SSL Certificates 101 (please)

I really need some hand-holding here. I’m very much in the dark as to how this works - but I need SSL or my site won’t work - thank goodness for LetsEncrypt and CertBot!

However, being old and slow, I’m foggy in a number of areas.

  1. Is the certificate tied to an IP address?

  2. Is the certificate tied to the domain AND the subdomains, or just the domain? So do I need to get a certificate for me.example.com and you.example.com, or just example.com?

  3. This is a biggie. I’m currently splitting my service over several ARM microservers. I don’t get a lot of traffic as I just host some basic services for myself and a couple of close friends. (Hey, wait, this sounds creepy!)

But seriously, there’s a front end (nginX) reverse proxy shuffling stuff to the respective microservers (which are a mix of Apache on Debian Jessie and nginX on Debian Stretch), so the $65,000,000 question is where do I put the certificates? (And, naturally, where do I get them issued? Can I make the requests from my desktop machine OR do I have to use CertBot on the actual microserver?)

I’m trying to host pods for Movim.eu and a GNUSocial box too - so you can see that I need security so those services can check my federated account. (It’s all over my head, I’m just making this up as I go.)

If any of this is unclear, please hit me up, because I’m really struggling.

Thanks to @cpu, seems that some of this has already been addressed here:

https://letsencrypt.org/docs/rate-limits/

But more information never hurts so if anyone feels up to jumping in…

No.

Currently you need to get a cert for me.example.com and you.example.com. Some time next year it should be possible to get a wildcard cert for *.example.com but that's not available yet.

You can put them on the proxy or on the individual microservers. The latter is more secure, but if the connections between the proxy and the microservers are already secure (e.g. a trusted local network) then the difference is minimal.

For best results you should run certbot on the same machine that will have the certificates, as that makes automated renewals easier.

Edit: I should also mention, putting the certs on the microservers will somewhat limit the proxy's ability to route traffic conditionally to each one. I'm not sure if nginx can even do that; I know haproxy can, but it's limited to routing by hostname/port rather than path etc. if it doesn't have the cert (or more accurately the private key).

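To make the placement trade-off in the reply concrete, here is an added nginx configuration (not from the thread or from the Let's Encrypt project) showing both layouts: TLS terminated on the proxy, which must hold the private key but can then route by path, and SNI passthrough via nginx's stream module with ssl_preread, which leaves the keys on the microservers and can route by hostname only. The backend addresses are constructed, the hostnames are the thread's own, and the certificate paths are certbot's defaults on the machine where it ran; use one layout or the other, since both bind port 443.

```nginx
# Layout A: TLS terminates on the reverse proxy.
# The proxy holds the Let's Encrypt cert and private key, so it sees the
# decrypted request and can route by hostname AND path. It is also the one
# box an attacker would need to compromise to read every site's traffic.
http {
    server {
        listen 443 ssl;
        server_name me.example.com;
        # Default certbot locations on the host where certbot obtained the cert
        ssl_certificate     /etc/letsencrypt/live/me.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/me.example.com/privkey.pem;

        location / {
            proxy_pass http://192.0.2.10:8080;   # constructed backend address
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }
        location /api/ {
            proxy_pass http://192.0.2.11:8080;   # path-based routing works here
        }
        # (repeat a server block with its own cert for you.example.com)
    }
    # Send plain-HTTP visitors to HTTPS so nothing is served unencrypted
    server {
        listen 80;
        server_name me.example.com you.example.com;
        return 301 https://$host$request_uri;
    }
}

# Layout B: certs and keys stay on the microservers; the proxy never decrypts.
# It can only read the SNI hostname from the ClientHello, so routing is by
# hostname, never by path (the limitation the reply describes for haproxy).
stream {
    map $ssl_preread_server_name $backend {
        me.example.com   192.0.2.10:443;   # constructed backend addresses
        you.example.com  192.0.2.11:443;
        default          192.0.2.10:443;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

In layout B each microserver runs its own certbot and serves its own cert, which matches the reply's advice to renew on the machine that holds the certificate.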

Wonderful! I love it when people can answer a simple question so succinctly without being smug about it. It’s answers like this that restore a little faith in the Internet.

I can get HAProxy, but what I know about it can be written on the back of a postage stamp with a blunt crayon. It’s too far above my pay grade, but I’ll give it a look as it is offered in DietPi, which is my go-to microserver for ARM when I’m in a hurry (*most of the time). It’s still at Debian Jessie, which is a shame, but you can’t have it all ways. HAProxy seems the best option for absolute speed, but given my other bottlenecks of I/O and CPU I rather doubt I’d notice.

Guess I’d better give it a look though, see if I can make any sense out of it. I’ve been out of the business for a couple of decades and coming back it’s like… well, I’m sure you understand!
