Have Let's Encrypt on two servers with a proxy between

I wonder what is the best and easiest way for me to maintain my Let's Encrypt certificates?
I have a NethServer that runs as a proxy, so subdomain1.domain.com goes to one server and subdomain2.domain.com goes to another server.

Right now I do something that I feel is not a good idea and is a lot of work: on my proxy server I run an upgrade script for Let's Encrypt in the terminal, and after that I copy the files to each server and import them in NethServer. This is a lot of work and I hope I can do something better and easier for me.

@danb35 shall be able to guide you better through it, but I think acme-dns (or letsencrypt for internal servers) could serve you well.

There are probably 100 ways to make this work, and the two @dnutan mentions are among them. There’s certainly no reason you should need to be manually doing stuff to deploy certs to sub1 and sub2. But to give a recommendation, we’re going to need to know a good bit more about the configuration. For starters:

Thanks for the reply.
Well, the network is very basic. I have a proxy server (proxysrv) that runs a reverse proxy that takes all my incoming port 80 traffic for my two domains.
I have right now 7 rules that send the traffic to each server that is running some kind of service. But only two of them have "Force https redirect".

Server 1 (cloudsrv) is for my first domain, which has a subdomain (cloud.domain.se) that goes to a NethServer that is running Nextcloud (thanks again for the help here that got it working).

The other server, server 2 (mailsrv), is for another domain and its subdomain (webmail.domain2.se), which is running on a NethServer that has the Email and webmail applications.

Is proxysrv acting as your firewall, with cloudsrv and mailsrv both behind it? I’d kind of expect so. In that case, the simplest answer would be to not have certs on cloudsrv and mailsrv at all, and let proxysrv handle TLS termination for them. That means that traffic across your own network would be unencrypted, but that network is presumably secure anyway.

In any event, for proxysrv, simply request a cert through the GUI covering proxysrv, cloudsrv, and mailsrv. Neth will handle the rest and renew that cert automatically.

For cloudsrv and mailsrv, it’s going to depend on who you use for your DNS hosting. If your DNS host is supported by acme.sh (see https://github.com/acmesh-official/acme.sh/wiki/dnsapi), the easiest thing to do is described here: https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers.

If your DNS host isn’t supported by acme.sh, you can use acme-dns instead. You’d install acme-dns on proxysrv, and it would act as a limited-purpose DNS server to serve the challenge tokens to Let’s Encrypt. You can then obtain certs on cloudsrv and mailsrv using certbot (with the acme-dns hook script), acme.sh, or any other client that can use acme-dns.
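As an added example that is not from this thread or from NethServer or acme.sh: a small POSIX shell check to run once proxysrv terminates TLS for the other hosts (or after a cert is issued on cloudsrv/mailsrv via the DNS API), confirming that one certificate file covers every public name and is not close to expiry. The hostnames, file paths and the 30-day margin are assumptions.

```shell
#!/bin/sh
# Verify that a certificate (e.g. the one proxysrv presents for the
# other hosts) lists every expected name in its subjectAltName and
# will still be valid for a given number of days. Requires openssl.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if NAME ($2) is one of the DNS names in FILE ($1).
cert_covers_name() {
    cert_san_names "$1" | grep -qx "$2"
}

# Succeed only if FILE ($1) is still valid DAYS ($2) days from now.
# Let's Encrypt certs last 90 days and acme.sh renews at 60, so a
# 30-day margin (assumption) flags a renewal that has stopped working.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Save the PEM certificate that HOST ($1) presents for SNI name NAME ($2)
# into FILE ($3), so the same checks can run against the live proxy.
fetch_live_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Report on FILE ($1) for each name given after it; non-zero on any problem.
check_cert() {
    file=$1; shift
    rc=0
    for name in "$@"; do
        if cert_covers_name "$file" "$name"; then
            echo "ok: $file covers $name"
        else
            echo "MISSING: $file does not cover $name"; rc=1
        fi
    done
    if cert_valid_for_days "$file" 30; then
        echo "ok: more than 30 days left"
    else
        echo "RENEW: less than 30 days left (is the renewal job running?)"; rc=1
    fi
    return $rc
}

# Example invocation (assumed path; adjust to your NethServer's cert file):
# check_cert /etc/pki/tls/certs/NSRV.crt cloud.domain.se webmail.domain2.se
```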

Do server 1 and server 2 share the same public IP?

Hmm, ok. I was thinking about letting proxysrv control the two TLS connections but was not sure if that is possible. I just don't want to have anything that says "this connection is not secure".

I forgot to tell you something important (sorry about that): all my machines (servers and clients) run through Pi-hole to remove ads and such, and Pi-hole uses Google DNS (and the address you showed me, which they have support for as I understand it), but I can change to another upstream DNS server or skip Pi-hole for proxysrv (and also mailsrv and cloudsrv).

Oh yes, all my servers have one public IP.

This really isn’t a factor; the question is who handles the authoritative DNS for your domain. If that isn’t with one of the providers listed for acme.sh, one option would certainly be to switch DNS providers–if you were to do that, I like Cloudflare, they’re free, and their API is well-supported by acme.sh. How your DNS is configured for your LAN really isn’t an issue at all.

Ahhh, ok, then I understand. Hmm, it is my web host service that has my domain, so I have to see what I can do. Maybe move over to Cloudflare.

Keep in mind that you’re potentially using three distinct services:

  • Domain registration
  • DNS hosting
  • Web hosting

You may have all three of them with the same company, but they don’t have to be. DNS hosting is the only one that might need to be moved–but if you don’t want (or are unable) to do that, acme-dns remains a possibility.

That is true.
Domain registration is with one provider.
DNS hosting is with another (that is where I point my domains to my public IP address).
Web hosting is the same as my DNS hosting (I have three domains; one is my "real" one and that is connected to my web/mail hosting provider. The other two are just for fun, for my own web servers).

A little update. I have now read up at my web/DNS hosting and they do have support for ACME.
They also have cPanel to easily add TLS and add it to my domains.