Hello, do you already have a solution and are you satisfied?
Otherwise, I’ve recently thought about using an NGINX as a reverse proxy for forwarding the certificate request.
I’ll just put it here, maybe it will help others:
As part of the Nethserver7 > Neth8 conversion preparations, I designed my OpenWRT router (in my case as software, but of course it also works as hardware) so that it forwards the relevant requests via port 443 as an NGINX “reverse proxy” to the individual WebVMs. This works well, but doesn’t solve the problem with the certificates.
Step two was setting up an ACME under OpenWRT as a central certificate manager and integrating the certificates into the relevant proxy connections. This also worked quite well, including for the forwarding to SOGo on the Nethserver7.
When the certificates on the Nethserver expired, I was reminded that the Nethserver7’s own Dovecot also needs a fresh certificate every now and then - otherwise it complains quite a bit in the mail client.
Unfortunately, I was not able to route the mail server connections through the OpenWRT because the precompiled NGINX lacks a required module (mail).
My solution was ultimately to create appropriate port 80 forwarding on the NGINX so that certificate requests for the network behind the OpenWRT are also forwarded to the respective ACME instances on that network. This means that devices in the back network now get their own certificates from Let's Encrypt and I am spared the (manual or automatic) copying.
Something similar will definitely work in OPNsense, provided it has a manually configurable reverse proxy.
In my NGINX (under OpenWRT) it worked like this:
Install Nginx on OpenWRT
opkg update
opkg install nginx-all-module
Configure Nginx
nano /etc/nginx/nginx.conf
insert the following content (some settings may be important for other redirects):
user root;          # worker processes run as root here (nginx's own default is nobody); an unprivileged user limits what a compromised worker can do
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # SSL Configuration for wolfSSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    client_header_buffer_size 16k;
    large_client_header_buffers 4 32k;

    # Include additional configuration files
    include /etc/nginx/conf.d/*.conf;
}
Set up forwarding for certificate request:
nano /etc/nginx/conf.d/sub1_externdomain_tld.conf
insert the following content:
server {
    listen 80;
    listen [::]:80;
    server_name sub1.externdomain.tld;

    # ACME Challenge: only the HTTP-01 challenge path is passed on;
    # other port-80 requests stay on the router and never reach host1
    location /.well-known/acme-challenge/ {
        # nginx does not verify the upstream certificate by default,
        # so an expired certificate on host1 does not block its renewal
        proxy_pass https://host1.interndomain.internal;
        proxy_set_header Host host1.interndomain.internal;
        # nginx variables, written without a backslash (a leading "\" would make
        # nginx send the literal text "\$remote_addr" as the header value)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Test the configuration:
(NGINX must be able to resolve the name of the target host, otherwise the service will not start)
nginx -t
Restart NGINX:
service nginx restart
It wasn’t much more than that. Of course, this also works for different domains as long as you create a redirect for each one.
IMPORTANT to know:
If the retrieving server is retrieving combined certificates for multiple domains (like Nethserver 7), the redirect for the “main domain” would be as above. For the additional domains, the redirect is subtly different:
nano /etc/nginx/conf.d/sub2_externdomain_tld.conf
insert the following content:
server {
    listen 80;
    listen [::]:80;
    server_name sub2.externdomain.tld;

    # ACME Challenge: same target host1, which requests the combined
    # certificate covering this name as well
    location /.well-known/acme-challenge/ {
        proxy_pass https://host1.interndomain.internal;
        proxy_set_header Host host1.interndomain.internal;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Check:
nginx -t
Restart NGINX:
service nginx restart
Good luck!
Regards Yummiweb
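As an added example (not part of the post above and not the poster's own script), a POSIX sh helper for the "create a redirect for each one" step: it writes one conf.d server block per external name from the template shown in the post, checks that each generated file proxies only the challenge path and contains real nginx variables (not the backslash-escaped `\$remote_addr` that appears when such a block is copied out of a shell script), and only then runs `nginx -t`. The domain and host names are the post's placeholders; `CONF_DIR`, the `MAPPING` list and the script name `acme-proxy.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: writes one /etc/nginx/conf.d/<name>.conf
# per external name and checks it before nginx -t. Assumptions: CONF_DIR
# (default /etc/nginx/conf.d) and the MAPPING list, which is constructed sample
# data using the placeholder names from the post.

gen_acme_proxy() {
    # $1 = external FQDN that Let's Encrypt contacts on port 80
    # $2 = internal host running the ACME client that answers the challenge
    # $3 = directory for the generated file; prints the file path on success
    ext=$1; int=$2; dir=$3
    file="$dir/$(printf '%s' "$ext" | tr '.' '_').conf"
    # Unquoted heredoc: $ext and $int are expanded by the shell, while \$remote_addr
    # etc. land in the file as the nginx variables $remote_addr etc. Copying the
    # backslashes into nginx.conf by hand makes nginx send the literal text instead.
    cat > "$file" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $ext;

    # Only the HTTP-01 challenge path is proxied; other port-80 requests never
    # reach $int. nginx does not verify the upstream certificate by default,
    # so an expired certificate on $int does not block its own renewal.
    location /.well-known/acme-challenge/ {
        proxy_pass https://$int;
        proxy_set_header Host $int;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
    printf '%s\n' "$file"
}

check_acme_proxy() {
    # Returns 0 when the file proxies only the challenge path with real nginx
    # variables; returns 1 with a reason on stderr otherwise.
    f=$1
    if grep -qF '\$' "$f"; then
        echo "$f: backslash before a dollar sign; nginx would send that text verbatim" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*location /\.well-known/acme-challenge/' "$f"; then
        echo "$f: no location block for /.well-known/acme-challenge/" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*location[[:space:]]+/[[:space:]]*\{' "$f"; then
        echo "$f: catch-all 'location /' would expose the whole internal host on port 80" >&2
        return 1
    fi
    return 0
}

# Constructed sample mapping: "<external name> <internal host>" per line. Several
# external names may point at the same internal host when that host requests one
# combined certificate for all of them (as Nethserver 7 does).
MAPPING='sub1.externdomain.tld host1.interndomain.internal
sub2.externdomain.tld host1.interndomain.internal'

main() {
    dir=${CONF_DIR:-/etc/nginx/conf.d}
    printf '%s\n' "$MAPPING" | while read -r ext int; do
        [ -n "$ext" ] || continue
        f=$(gen_acme_proxy "$ext" "$int" "$dir") || exit 1
        check_acme_proxy "$f" || exit 1
        echo "wrote $f"
    done || exit 1
    # Same steps as in the post: restart only after the syntax check passes
    nginx -t && service nginx restart
}

# Only "sh acme-proxy.sh apply" touches CONF_DIR; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it on the router as `CONF_DIR=/etc/nginx/conf.d sh acme-proxy.sh apply` after editing `MAPPING`; to preview without touching the live directory, point `CONF_DIR` at a scratch directory first. The catch-all check exists because a `location /` on port 80 would forward every plain-HTTP request, not just the challenge, to the internal host.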