Trying to create a certificate for a RHEL internal server

From your netstat output, it says that the Java engine is the program with an open TCP port, not httpd or Apache. You don’t need to have the same port for certificate use as you do when setting up the certbot authentication; however, certbot needs to be run once every 6 months.

The main problem you are having is with understanding what exactly an SSL certificate issued by a trusted authority entails. The SSL certificate is coded with a DNS address that lets the client know that it is on the right server and not being hacked. In order for an authority to grant an SSL cert for a DNS address, you must first have a valid DNS address that can be looked up through a public DNS server.

Yes, I could make a DNS entry for, say, iown.google.com, enter that with my local IP address into my router’s /etc/hosts file, and use it as a working DNS address LOCALLY; however, an authority cannot access that URL because it doesn’t exist.

So first you need to set up a DNS address with someone like Google Domains, GoDaddy, Amazon, etc.

After you have that done, you need to set it up for whatever external-to-your-network IP address can be used to access your internal server. Your internal server may be 10.0.0.100, but your network has an external IP address, and your router can forward ports 80 and 443 to 10.0.0.100.

So second, you need to have your server accessible from the outside world, and it will need to be this way every six months for certbot to work. If it doesn’t have a world-accessible IP address, then port forward through your main networking router, etc. They do not put out a list of IP addresses used by certbot, so this is temporary; again, every six months.

Now I know Fedora has a default splash screen for the Apache web server when nothing is configured, so you must enable Apache (it should be already):

systemctl enable httpd
systemctl start httpd
dnf install certbot

The main certbot HTML page says it’s
dnf install certbot-apache
I remember it as just certbot.

After this, just run certbot with
certbot --apache
This time use the DNS address that you set up with Google Domains or whatever, and it should be easy peasy.

After you are done with all of this, make sure you remove the external port forwards on the main network router, and then add a line in the hosts file of your main network router (which is the authoritative DNS server for your network) with your paid-for DNS name and the internal IP address of the server.

Every 6 months you will have to re-enable the external port forwards, run certbot, and then remove the external access, along with having to update your DNS record with the person you bought the address from if your external IP address has changed.

I think that is it…

Idk

Thanks for all the info, Chris. In a previous reply I was told that CAcert.org’s certificates are not usually recognized as valid, so I think the first thing we are going to do is purchase an inexpensive certificate from another source, as the one from CAcert.org was a free one. Although it is strange that we got theirs working on the previous server that had Jira and Confluence running on it. Then we will go from there. BTW, I do already have ports 8443 & 8444 opened up on our firewall so we can access Jira and Confluence from outside our office.
Thanks again.

You are still going to have to have an externally accessible DNS address, and you are still going to have to have your server accessed by some authentication method. At least from my standpoint.

Yes I understand. I will visit with my boss about that when/if he comes into the office today.
Thanks again.

You mean “every two months.” LE certs are good for 90 days, and it’s recommended to do the renewal about a month before expiration.
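The two points the thread turns on are (a) the certificate is bound to a DNS name and the client only trusts it when the name it connected to matches, and (b) the renewal cadence is 90 days with renewal about a month before expiry, not every six months. The script below is an added example, not code from the thread or from certbot: it implements a simplified hostname-vs-SAN match (wildcard only in the leftmost label, matching exactly one label) and a renewal-window check that a cron job could use to decide when it is time to open the port forwards and run certbot again. The SAN list and the notAfter string are constructed sample values; on a real host they would be read from `openssl x509 -noout -enddate -ext subjectAltName -in <cert.pem>` (the `-ext` option needs OpenSSL 1.1.1 or newer).

```python
"""Hostname/SAN matching and renewal-window check for a Let's Encrypt cert.

Added example; the sample SANs and expiry below are constructed, not taken
from any real certificate.
"""
from datetime import datetime, timedelta, timezone

LIFETIME_DAYS = 90      # Let's Encrypt certificate lifetime (per the thread)
RENEW_LEAD_DAYS = 30    # renew about a month before expiry (per the thread)


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Return True if hostname matches one of the certificate's DNS SANs.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: *.example.com matches www.example.com but neither
    example.com nor a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]   # the label the '*' stands for
                if leftmost and "." not in leftmost and "*" not in leftmost:
                    return True
    return False


def parse_not_after(openssl_enddate: str) -> datetime:
    """Parse 'notAfter=Sep  8 12:34:56 2024 GMT' as printed by `openssl x509 -enddate`."""
    value = openssl_enddate.split("=", 1)[1].strip()
    value = " ".join(value.split())   # openssl pads single-digit days with two spaces
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days remaining before notAfter (negative once expired)."""
    return (not_after - now).days


def renewal_due(not_after: datetime, now: datetime, lead_days: int = RENEW_LEAD_DAYS) -> bool:
    """True once the certificate is within lead_days of expiring (or already expired)."""
    return now >= not_after - timedelta(days=lead_days)


def next_renewal_window(issued: datetime) -> tuple[datetime, datetime]:
    """For a certificate issued at `issued`, return (renew_from, expires)."""
    expires = issued + timedelta(days=LIFETIME_DAYS)
    return expires - timedelta(days=RENEW_LEAD_DAYS), expires


# Constructed sample values standing in for a real certificate's SANs and expiry.
SAMPLE_SANS = ["jira.example.com", "*.internal.example.com"]
SAMPLE_ENDDATE = "notAfter=Sep  8 12:34:56 2024 GMT"

if __name__ == "__main__":
    not_after = parse_not_after(SAMPLE_ENDDATE)
    now = datetime(2024, 8, 20, tzinfo=timezone.utc)   # constructed "today"
    for name in ["jira.example.com", "confluence.internal.example.com", "example.com"]:
        print(f"{name:35s} matches cert: {hostname_matches(name, SAMPLE_SANS)}")
    print("days left:", days_until_expiry(not_after, now),
          "renew now:", renewal_due(not_after, now))
```

The open-forwards / renew / close-forwards dance in the thread maps onto certbot's own `--pre-hook` and `--post-hook` options on `certbot renew`, so the router changes can be scripted around the renewal rather than done by hand; what commands those hooks run depends on the router and is not shown here.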

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.