Using Let's Encrypt in the backend server

I created a Let’s Encrypt certificate for my domain and installed it in my nginx reverse proxy. Now, I want to create a certificate for my backend server that has the same domain as the reverse proxy, using Let’s Encrypt. How can I create this certificate for the backend server?

1 Like

You can either pass the certificate to the backend server (from the proxy) or use DNS validation and obtain a certificate with TXT records.

I encountered a similar challenge in the past and didn’t want to use the DNS challenge.

Assuming the reverse proxy and backend server are both nginx, you can do something like this.

On the frontend nginx

server {
    listen 80;
    root /var/www/html;

    # Serve ACME challenge files from the shared webroot when they exist here...
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri @backend;
    }

    # ...otherwise hand the request to the backend, which may hold the token.
    location @backend {
        proxy_pass http://1.2.3.4;
    }
}

On the backend nginx (1.2.3.4)

server {
    listen 80;
    root /var/www/html;

    # Same challenge webroot as on the frontend; certbot --webroot writes tokens here.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
}

So, on either server, you can run webroot-based issuance and it will succeed:

certbot certonly --webroot -w /var/www/letsencrypt -d example.org

When the first server encounters a Let’s Encrypt request that it doesn’t have a matching file for, it will pass the request onto the backend server.

The same concept might be adaptable to other webservers.

3 Likes

Thanks for your response but I don't want to use the same certificate for both the server and the proxy. Indeed, I want to perform an authentication between them and HTTPS transmission using SSL certificates.

1 Like

Thanks so much. Doesn’t such a configuration lead to the same certificate on both the server and the proxy?

1 Like

No, you would be creating two different certificates, backed by different private keys and different Let’s Encrypt accounts.

The Certbot running on your reverse proxy would not know about the Certbot running on your backend, and they wouldn’t share any information.

To grossly simplify, we are just sharing the /.well-known/acme-challenge/ directory, so that we can issue a certificate from either server.

To be clear: you would run Certbot twice - once on each server. This produces two different certificates.

5 Likes

Thanks so much, I will try it.

3 Likes

My website is already active in Cloudflare, and I use only their DNS service; the Cloudflare proxy is disabled. When I create a Let’s Encrypt certificate for my nginx reverse proxy, I get this error:

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My nginx configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name jcp-connect.fr;
    index index.html index.htm index.nginx-debian.html;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri @backend;
    }

    location @backend {
        proxy_pass http://jcp-connect.fr;
    }
}

1 Like

Hi @amelroua

Checking your domain, your port 80 doesn't answer - https://check-your-website.server-daten.de/?q=jcp-connect.fr

Domainname                  Http-Status  redirect  Sec.   G
http://jcp-connect.fr/      176.139.8.11  -2                 1.123  V
    ConnectFailure - Unable to connect to the remote server
http://www.jcp-connect.fr/  176.139.8.11  -2                 1.144  V
    ConnectFailure - Unable to connect to the remote server

Same with /.well-known/acme-challenge/random-filename.

A working port 80 is required if you want to use http validation. Looks like a firewall or something else that blocks.

1 Like
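Both the webroot-forwarding setup in the first answer and the port-80 diagnosis above reduce to one question: does a file dropped into the challenge webroot come back over plain HTTP at the public name? The following self-check is an added example, not code from this thread or from Certbot. It writes a random token into <webroot>/.well-known/acme-challenge/, fetches it via http://<domain>/..., the same path the Let's Encrypt validator takes, and removes the token afterwards. The function and parameter names are my own; `fetch` is injectable so the logic can be exercised without a live server, and `example.org` in the usage line is just the placeholder from the certbot command earlier in the thread.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

# Directory certbot --webroot writes http-01 tokens to, relative to the webroot.
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot):
    """Write a random token file under <webroot>/.well-known/acme-challenge/
    and return (token, body, absolute_path)."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body, path


def http_fetch(url, timeout=10):
    """Plain-HTTP GET, as the validator does. Returns (status, body); status is
    None when no TCP connection could be made (the 'ConnectFailure' case in the
    check-your-website output above)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:           # connected, but non-2xx
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:  # refused, timeout, DNS
        return None, str(err)


def check_challenge_path(domain, webroot, fetch=http_fetch):
    """Drop a token in the webroot, fetch it via http://<domain>/..., clean up.
    Returns a dict with 'ok' and a human-readable 'reason'."""
    token, body, path = write_token(webroot)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        status, got = fetch(url)
    finally:
        os.remove(path)  # never leave test files in the challenge directory
    if status is None:
        return {"ok": False, "reason": f"port 80 unreachable: {got}"}
    if status != 200:
        return {"ok": False, "reason": f"HTTP {status} for {url}"}
    if got.strip() != body:
        # Something answered, but not with our file: a different vhost, a
        # redirect page, or a proxy that returned its own content.
        return {"ok": False, "reason": "200 but wrong body: another server or vhost answered"}
    return {"ok": True, "reason": "token served from webroot"}


if __name__ == "__main__":
    # usage: python3 acme_selfcheck.py example.org /var/www/letsencrypt
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <domain> <webroot>")
    result = check_challenge_path(sys.argv[1], sys.argv[2])
    print(("OK: " if result["ok"] else "FAIL: ") + result["reason"])
    sys.exit(0 if result["ok"] else 1)
```

Run it on the backend with the backend's webroot: if the frontend's try_files fallback is wired correctly the token is served through the proxy and the check reports OK; a 404 means the request never reached the server holding the file, and an unreachable result matches the ConnectFailure rows above.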

I disabled the firewall but I have the same problem:

sudo ufw status
État : inactif

I don’t know where the problem comes from. Should I modify the configuration of my web server?

I solved the problem of port 80 but I still have a failing challenge:

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jcp-connect.fr
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Challenge failed for domain jcp-connect.fr
http-01 challenge for jcp-connect.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

1 Like
