Trying to understand LetsEncrypt with multiple domains

Up until now I have been running LetsEncrypt with DuckDNS with no problems whatsoever. The problem now is that I have created another DDNS that points to the same home network (bascoserver.hopto.org). Running SSL diagnostics reveals that the certificate is OK except for the fact that the domain names don't match. The DDNS address on the certificate matches the one on the other DDNS.

So I have a couple of questions on how to resolve this issue:

  • Can I create and renew the LetsEncrypt certificates from different computers without running into this problem?
    I ask that because the first DDNS and SSL certificate are managed by hassio, so poking into that can be tricky.
  • Will the problem be solved if I create both certificates at once? This means running:
    sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
    Then I would have to export the certificate to the necessary machines, but that's another issue.
  • Is there a better way to tackle this?
1 Like

@mbc99 Hello and welcome to the community forum!

So if I read this correctly, you have 2 hosts.

  1. caleino.duckdns.org is secured with a LE certificate, is functioning correctly and reachable from the internet.

  2. bascoserver.hopto.org is being served from a SECOND machine on the same network. (It is also functioning, but lacks a certificate so far.)

You should not have problems installing certbot on your second server and running it independently to obtain a certificate for bascoserver.hopto.org.

No need for that.

sudo certbot -d bascoserver.hopto.org

SHORT ANSWER:
Go for it! And please come back with the results!

Good Luck

3 Likes

Thanks for the reply.

Correct

Not exactly. I already tried installing the certificate with
sudo certbot -d bascoserver.hopto.org
The certificate is created, but when I go to https://www.ssllabs.com/, it tells me that the certificate domain name doesn't match the domain. So the certificate name doesn't match bascoserver.hopto.org. It instead matches caleino.duckdns.org

1 Like

OK, since you have one cert, working on one server, for one domain... Let's move on to your second server. (Server 2)

Is certbot installed on your second server (Server 2) where bascoserver.hopto.org lives?

Did you run the command from there (Server 2) or did you run the command from server 1 expecting to copy or move the cert over?

More data required or you might get the right answer for the wrong question.. :face_with_thermometer:

3 Likes

Another question to add to @rip's: When you're done, do you want bascoserver.hopto.org to connect to one of your servers behind the firewall, and caleino.duckdns.org to connect to a different server behind the firewall? If so, you're going to have to assign an alternate port (e.g. :8443) to use with one of those hostnames. Also, that introduces some challenges in terms of which server is answering the challenges to get certificates.

4 Likes

You are spot on @jsha. It seems that both domains are serving the same content, and using the same IP (88.15.114.240) so it would be helpful to know more about @mbc99's vision of what the end result would look like. Let's get it right.

(edited to blur IP)

3 Likes

SNI solves the multiple names on a single IP problem.
Now who will be performing the SNI logic?
I have not yet seen a firewall capable of routing based on inbound URL/SNI destination.
So, all inbound requests will be sent to one single internal IP.
That internal system will need to proxy those requests to their respective endpoints.
You could have everything in your network secured - it could be dozens of certs.
But you only have one external IP - you first need a broker, you need to use a "reverse proxy".

2 Likes

Yes

From server 2

Yes.

Server 1 (using @Rip's naming scheme) is using (among others) port 443
Server 2 will be using (among others) port 3000
Server 1 and Server 2 won't have ports used in common

Moreover, Server 1 and Server 2 are on the same physical machine under Proxmox. So they are under the same interface (each VM called Server 1 and Server 2 has a different IP)

It might sound strange that two DDNS are pointing to the same IP (now you know where I live :)). But I want to do it (under the probably false pretense) for security.
But the more I read the more I think it's stupid.

That's what I was afraid of.

So it's impossible to have two DDNS working correctly on the same public IP without having to use a reverse proxy or similar?

By the way, thanks for the massive support :slight_smile:

2 Likes

Probably not worth the added effort, but worth mentioning.
You could assign one system to handle all the HTTP requests.
So it would be fully responsible for all the certs and their renewals.
You would have to figure out how to synchronize the certs within all your internal systems.
Then you could access each system from the Internet over the same IP but to individually assigned ports.
So, for example:
port 8000 > DVR
port 8001 > Refrigerator
port 8002 > NVR
port 8003 > Toaster/Oven
LOL

OR
You could authenticate via DNS (not HTTP).
And remove the certificate manager system.
But then be left with the same non-overlapping port assignments.

So, you see, the most elegant method (that allows each device to use the default HTTPS port 443) would require using a reverse proxy.

That may sound insurmountable, but it is not.
Apache can do it easily.
Nginx can also do it easily (and better as far as I'm concerned).
So, if you can install either (or already have either installed) you can do this quite easily.

3 Likes
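As an added illustration of the reverse-proxy layout described above (example config, not posted in the thread): one nginx instance receives all forwarded port 80/443 traffic, answers the http-01 challenges for both names, terminates TLS with the single two-name certificate, and routes by SNI/Host to the two VMs. The internal addresses 192.168.1.10 (Server 1) and 192.168.1.20 (Server 2) and the webroot path are assumptions; the certificate path follows certbot's convention of storing a multi-name cert under the first name given.

```nginx
# Assumed internal VMs: Server 1 (hassio) at 192.168.1.10:443, Server 2 at 192.168.1.20:3000.

# Port 80: serve ACME http-01 challenges for both names, redirect everything else.
server {
    listen 80;
    server_name bascoserver.hopto.org caleino.duckdns.org;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # obtain/renew with: certbot certonly --webroot -w /var/www/letsencrypt -d bascoserver.hopto.org -d caleino.duckdns.org
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: nginx picks the server block from the SNI name the client sends.
# Both blocks use the same two-name certificate, stored under the first -d name.
server {
    listen 443 ssl;
    server_name bascoserver.hopto.org;

    ssl_certificate     /etc/letsencrypt/live/bascoserver.hopto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bascoserver.hopto.org/privkey.pem;

    location / {
        proxy_pass http://192.168.1.20:3000;          # Server 2 (plain HTTP inside the LAN)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name caleino.duckdns.org;

    ssl_certificate     /etc/letsencrypt/live/bascoserver.hopto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bascoserver.hopto.org/privkey.pem;

    location / {
        proxy_pass https://192.168.1.10:443;          # Server 1 keeps its existing TLS listener
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout only the proxy VM needs the certificate files; the other VMs never have to see them, which removes the copy/sync step discussed later in the thread.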

Wow, a lot of new information.

I like this idea. I have installed proxmox so creating another VM or container wouldn't be an issue. I could create a shared folder or a NFS mount to share those certificates.

Then I would be able to create a certificate for both domains, so:
sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
And share (via a local shared folder or a network folder) the certificate which would be the same for both domains, right?

3 Likes

Yes, that can work.

4 Likes

Great!

Then I will probably give it a try, but I tried copying the certificate created from another VM into server 1 (which is HASSIO for HomeAssistant) and it didn't work.
But knowing it is possible I will give it another try.

1 Like

You have to get the cert and the matching key file.
You can also verify that public cert and private key are matched (works for RSA and ECC) with:

  # Extract the public key from the certificate and derive the public key from the private key;
  # comparing SubjectPublicKeyInfo hashes works for both RSA and ECC keys (unlike -modulus, which is RSA-only).
  openssl x509 -noout -pubkey -in public.cert.pem | openssl sha256
  openssl pkey -pubout -in private.key.pem | openssl sha256

[resulting outputs should be exactly the same]

Note: certbot cert files are already in .pem format, so there is no need to convert them :slight_smile:

3 Likes

But if I create a certificate for both DDNS, so:
sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
I will only have one of each of the four files that certbot creates, and so all the VMs (no matter what DDNS they are using) will have the same files, right?

2 Likes

Yes the one certificate will work for both names so it will work on both systems.
But you only need to use two of the files:
the private key
and the fullchain

3 Likes
