Using let's encrypt in the backend server

I created a let’s encrypt certificate for my domain and installed in my nginx reverse proxy. Now, I want to create a certificate for my backend server that has the same domain as the reverse proxy using let’s encrypt. How can I create this certificate for the backend server?

1 Like

You can try to either pass the certificate to the backend server (from proxy) or to use DNS validation and obtain certificate with TXT records

I encountered a similar challenge in the past and didn’t want to use the DNS challenge.

Assuming the reverse proxy and backend server are both nginx, you can do something like this.

On the frontend nginx

server {
        listen 80;
        root /var/www/html;

        location /.well-known/acme-challenge/ {
                root /var/www/letsencrypt;
                try_files $uri @backend;
        }

        location @backend {
                proxy_pass http://1.2.3.4;
        }

}

On the backend nginx (1.2.3.4)

server {
        listen 80;
        root /var/www/html;

        location /.well-known/acme-challenge/ {
                root /var/www/letsencrypt;
        }
}

So, on either server, you can run webroot-based issuance and it will succeed:

certbot certonly --webroot -w /var/www/letsencrypt -d example.org

When the first server encounters a Let’s Encrypt request that it doesn’t have a matching file for, it will pass the request onto the backend server.

The same concept might be adaptable to other webservers.

3 Likes

Thanks for your response but I don’t want to use the same certificate for both the server and the proxy. Indeed, I want to perform an authentication between them and HTTPS transmission using SSL certificates.

1 Like

Thanks so much such configuration doesn’t lead to a same certificate on both the server and the proxy ?

1 Like

No, you would be creating two different certificates, backed by different private keys and different Let’s Encrypt accounts.

The Certbot running on your reverse proxy would not know about the Certbot running on your backend, and they wouldn’t share any information.

To grossly simplify, we are just sharing the /.well-known/acme-challenge/ directory, so that we can issue a certificate from either server.

To be clear: you would run Certbot twice - once on each server. This produces two different certificates.

5 Likes

Thanks so much, I will try it +1:

3 Likes

My website is already active in cloudflare and I use only their DNS service and the cloudflare proxy is disabled. When I create a let’s encrypt certificate for my nginx reverse proxy. I get this error:

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My nginx configuration:

server {
   listen 80 default_server;
   listen [::]:80 default_server;
   root /var/www/html;
   server_name jcp-connect.fr;
   index index.html index.htm index.nginx-debian.html;

   location /.well-known/acme-challenge/ {
            root /var/www/letsencrypt;
            try_files $uri @backend;
    }

    location @backend {
            proxy_pass http://jcp-connect.fr;
    }
   }
1 Like

Hi @amelroua

checking your domain your port 80 doesn’t answer - https://check-your-website.server-daten.de/?q=jcp-connect.fr

Domainname Http-Status redirect Sec. G
http://jcp-connect.fr/ 176.139.8.11 -2 1.123 V
ConnectFailure - Unable to connect to the remote server
http://www.jcp-connect.fr/ 176.139.8.11 -2 1.144 V
ConnectFailure - Unable to connect to the remote server

Same with /.well-known/acme-challenge/random-filename.

A working port 80 is required if you want to use http validation. Looks like a firewall or something else, that blocks.

1 Like

I disabled the firewall but I have the same problem
sudo ufw status
État : inactif
I don’t know from where the problem comes. Should I modify the configuration of my web server?

I solved the problem of port 80 but I still have a failing challenge:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jcp-connect.fr
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Challenge failed for domain jcp-connect.fr
http-01 challenge for jcp-connect.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.