So far this is what I did to get a Let’s Encrypt certificate. For this example I’m using internal.my.domain.com as the internal server FQDN and proxy.my.domain.com as the gateway/proxy server FQDN. Using the web UI:

- On internal.my.domain.com go to [Network Services] -> [httpd] -> [Edit] and allow the red interface. This can also be accomplished by creating a firewall rule (allow port 80 from the red interface to the firewall), but it would be necessary to install the Firewall Base module. It’s necessary to do this since we will be receiving requests from the internet (letsencrypt HTTP API).
- On proxy.my.domain.com go to [Port Forwarding] -> [CREATE NEW]. This will forward HTTP (port 80) requests from our public IP to our internal server, allowing the letsencrypt HTTP API to reach our internal server.
- On internal.my.domain.com go to [Server certificate] -> [Request a new Let’s Encrypt certificate] -> [REQUEST LET’S ENCRYPT CERTIFICATE]. On this step you will get this error:

```
ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable'))
ERROR:certbot.log:An unexpected error occurred:
```
I’m still trying to find out why this happens. Running:

```
# /usr/libexec/nethserver/letsencrypt-certs -v -e informatica@durerocaribe.cu -t -d ratatosk.durerocaribe.cu
```

returns …

```
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ratatosk.durerocaribe.cu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ratatosk.durerocaribe.cu/privkey.pem
   Your cert will expire on 2019-09-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
Restoring /etc/letsencrypt/ ...
```
I don’t know what happens when you hit the [REQUEST LET’S ENCRYPT CERTIFICATE] button, except that this command is run:

```
# /usr/libexec/nethserver/letsencrypt-certs -v -e informatica@durerocaribe.cu -t -d ratatosk.durerocaribe.cu
```
@davidep could you please help me? The only way to get around this is by setting a firewall rule on the gateway/proxy server allowing internal.my.domain.com to the red interface over HTTP. Only then do I get a certificate. Also, this solution only works when you have only one internal server; for two or more it would be necessary to maybe set up a reverse proxy, but I haven’t found a way to properly do it.

Also, I think we might need to create a new thread for this situation, but I would leave this decision to a moderator.
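Editor's note, with an added example that is not part of this post and is not NethServer's letsencrypt-certs script. The `error(101, 'Network is unreachable')` quoted above is errno 101 (ENETUNREACH), which the socket layer raises when the host has no route to the destination, so it concerns the internal server's *outbound* path to the ACME API, which is a different thing from the *inbound* port-80 forward that the HTTP-01 challenge needs. The script below checks both sides separately: it fetches Let's Encrypt's production ACME v2 directory (`https://acme-v02.api.letsencrypt.org/directory`) outbound, then serves a random token under `/.well-known/acme-challenge/` and fetches it back through the public FQDN, so a failure lands in one of three buckets (no route out, port 80 not forwarded, or some other host answering on port 80). The `fetch()` callable is injectable and `scripted_fetch()` builds one from constructed outcomes, so the diagnosis can be exercised offline; `internal.my.domain.com` is the placeholder name from this thread, and the function names are mine.

```python
"""Preflight for an HTTP-01 Let's Encrypt request from a server behind a NAT gateway.
Two things must hold before certbot can succeed:
  1. outbound: the internal server can reach the ACME directory over HTTPS;
  2. inbound:  a token served on port 80 is reachable through the public FQDN
               (gateway port forward -> internal httpd on the red interface).
Added example for this thread; not NethServer's own tooling."""
import errno
import http.server
import secrets
import sys
import threading
import urllib.error
import urllib.request

ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"  # production ACME v2 endpoint
CHALLENGE_PATH = "/.well-known/acme-challenge/"


def http_fetch(url, timeout=10):
    """GET url and return (status, body); raises OSError (URLError is one) on network failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # the server answered, just not with 2xx
        return exc.code, ""


def _is_enetunreach(exc):
    # urllib wraps the socket error in URLError.reason; errno 101 is ENETUNREACH on Linux
    inner = getattr(exc, "reason", exc)
    return getattr(inner, "errno", None) == errno.ENETUNREACH


def preflight(fqdn, token, fetch=http_fetch, port=80):
    """Return {"outbound": (ok, message), "inbound": (ok, message)} for the two paths."""
    result = {}
    try:
        status, _ = fetch(ACME_DIRECTORY)
        result["outbound"] = (status == 200, f"ACME directory answered HTTP {status}")
    except OSError as exc:
        if _is_enetunreach(exc):
            msg = ("errno 101 (Network is unreachable): the internal server has no route to "
                   "the ACME API; check its default gateway and DNS, not the port forward")
        else:
            msg = f"cannot reach the ACME API: {exc}"
        result["outbound"] = (False, msg)

    host = fqdn if port == 80 else f"{fqdn}:{port}"
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    try:
        status, body = fetch(url)
    except OSError as exc:
        result["inbound"] = (False, f"{url} not reachable: {exc} (from inside the LAN this "
                                    "exercises NAT hairpinning, so confirm from an external host too)")
    else:
        if status != 200:
            result["inbound"] = (False, f"HTTP {status} for {url}: port {port} is not forwarded to "
                                        "the internal server, or httpd does not serve the challenge path")
        elif body.strip() != token:
            result["inbound"] = (False, f"port {port} answered, but not with our token: another host "
                                        "(for example the gateway's own web server) gets the request")
        else:
            result["inbound"] = (True, "challenge token served through the public name")
    return result


def scripted_fetch(script):
    """Build a fetch() answering from {url_prefix: outcome}, where outcome is an exception
    instance to raise or a (status, body) tuple. Constructed outcomes, for offline runs."""
    def fetch(url, timeout=10):
        for prefix, outcome in script.items():
            if url.startswith(prefix):
                if isinstance(outcome, BaseException):
                    raise outcome
                return outcome
        raise LookupError(f"no scripted outcome for {url}")
    return fetch


class _TokenHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the webroot: serves exactly one token under the challenge path."""
    token = ""

    def do_GET(self):
        if self.path != CHALLENGE_PATH + self.token:
            self.send_error(404)
            return
        body = self.token.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep console output to the findings only
        pass


def serve_token(token, port):
    _TokenHandler.token = token
    server = http.server.ThreadingHTTPServer(("", port), _TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # usage: preflight.py <public-fqdn> [port]; HTTP-01 always uses 80, which needs root to bind
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "internal.my.domain.com"  # placeholder name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    token = secrets.token_urlsafe(16)
    server = serve_token(token, port)
    try:
        for check, (ok, message) in preflight(fqdn, token, port=port).items():
            print(f"{check:8s} {'OK  ' if ok else 'FAIL'} {message}")
    finally:
        server.shutdown()
```

Run it on the internal server as root with the public FQDN while the port forward is in place; an `outbound FAIL` with errno 101 reproduces the error from the web UI independently of the forward, while an `inbound FAIL` with a 200 that is not the token is the symptom you would expect when the gateway's own httpd, rather than the internal server, is answering on port 80.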