Letsencrypt for internal servers using cloudflare dns, ddns and nethserver-nginx as reverse proxy

Good Morning, Everyone.
I’m writing this to ask help with this setup: Letsencrypt for internal servers using cloudflare dns, ddns and nethserver-nginx as reverse proxy.

I’ve been a bit intimidated by this because I’m trying a setup that I’m not very familiar with configuring. I’m using NethServer 7.9.2009 on a Protectli Vault that I’ve got configured as a gateway with one interface going to an 8 port switch and one interface to an internet gateway that has the Protectli in the DMZ.

I use Namecheap DDNS and made a wildcard DDNS record to point my domain name to my NethServer. The NethServer Apache page is reachable. I used Cloudflare’s DNS to take advantage of the API and Let’s Encrypt. I’m trying to set up nethserver-nginx as the reverse proxy and I’m confused about a couple of things:

  1. When I go to System → Services, why can I not choose to release ports 80 and 443 from the Apache HTTPD and add them to the Nginx service? I’ve disabled the Apache web server and removed the networks, but that was all I could do. Every time I try to change the ports on those two services, the TCP and UDP fields are greyed out and if I mouse over them I get a red cross.

  2. In /etc/nginx/conf.d/ I’m supposed to put my conf files, but I’m unaware of what the names of the files are! Is the name of the file with the server blocks called virtualhosts?

  3. I tried to follow this article: userguide:let_s_encrypt_for_internal_servers [NethServer Wiki] but I get stuck at configuration.

When I issue the command “config setprop pki CrtFile /etc/pki/tls/certs/cert.crt”,
bash returns: “config: command not found”. What package have I failed to install?

I’ve been trying to follow these examples on the Neth wiki and I’ve been searching around on the forum. I’m asking for help in hopes that someone can help an intermediate Linux user who’s trying to learn more.

To whomever answers, thank you for your input.

m3shguy

@m3shguy

Hi

And welcome to the NethServer community…

Any specific reason for using nethserver-nginx as a reverse proxy?

I’m using the built-in reverse proxy (It’s based on apache, but works out of the box, so who cares?) in NethServer for myself and 30 of my clients…
This just works - without making a brick out of your NethServer…

And you do not need to use any commands on the CLI for it to work! :slight_smile:

My 2 cents
Andy

@Andy_Wismer
Andy,
I really love that reply. For one, I’m of the mind to work smarter, not harder, and I have in fact tried to use the reverse proxy included. I just thought that using the nethserver-nginx package would be a more secure option and that there’d be configuration options in the NethServer dashboard. The other thing is I want Let’s Encrypt on my internal servers and I had problems using the Let’s Encrypt cert creator under Certificates.

Do you have a better suggestion?

Thanks for welcoming me, by the way.

Hi

This morning, I wrote to another guy here in the forum (As a PM, not visible for everyone…):

If the nethserver is already entered in with the official DNS, you do not need to change anything there…


Do you use a correct DNS domain (fqdn) for your NethServer?

If yes, that’s all you need!
Open Ports 80, 443 to the NethServer and enable the LetsEncrypt cert!


This will work for the NethServer itself.

If you need to use the LE cert on “other” internal servers, that’s also quite possible…

Here is an example from my home:

I have an OPNsense box as firewall, not my NethServer.
OPNsense forwards ports 80 & 443 to my NethServer, which handles SSL for all internal stuff as well.
My PI-Hole is running as a LXC Container on my Proxmox, using the internal IP 172.25.75.29, my NethServer uses the IP 172.25.75.20.

This is what’s needed:

A DNS alias in NethServer for that “external” host.
Here, I use pi-hole.r7.anwi.ch.

The real FQDN of my PI-Hole is awr7-pi-hole.r7.anwi.ch; I use this e.g. to update my pi-hole with SSH…
I also have the external DNS point pi-hole.r7.anwi.ch to the external IP of my OPNsense.

Then lastly, a LetsEncrypt request including the PI-Hole.

And this is the reverse proxy entry in NethServer:


If you want to see this for yourself, be my guest:

https://intranet.r7.anwi.ch/

At home, I have a dynamic IP. I have a paid account at dyndns.org, now part of Oracle.
I point the dns name gw.r7.anwi.ch to my DynDNS name.

All the rest are actually CNAMEs pointing to gw.r7.anwi.ch…


Hope this helps understandability!

My 2 cents
Andy

Wow, Andy… That’s EXACTLY what I’m trying to do. I just thought that I could get away with making a wildcard, but I know that’s not supported. Thanks, and I’ll try this later when I return from work.

Many thanks.

m3shguy

@m3shguy

It’s also possible, to use the same LE cert for other servers directly.

One of the special cases is the NethServer AD. The AD runs as a sort of container in NethServer, with its own IP. As such, it uses its own self-created SSL cert for the AD-LDAP.

Not all applications are created equal…
Especially PHP and JAVA applications tend to be fussy, when connecting to AD for users/groups:
The AD must have a valid SSL cert…

You can use this:

Install LetsEncrypt SSL in AD

Create the needed script in the right directory:

nano /etc/e-smith/events/certificate-update/S80push2ad

Contents:

#!/bin/bash
# Runs on every certificate-update event: copy the current NethServer
# cert/key into the nsdc (AD) container, fix permissions, restart Samba.
cp -f -p /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
# The private key must stay readable by root only; the cert may be world-readable.
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
# Restart Samba inside the container so it picks up the new cert.
systemctl -M nsdc restart samba

Exit with CTRL-x, save with y.

Set executable permissions on the script:

chmod 750 /etc/e-smith/events/certificate-update/S80push2ad

Then run the script at least once:

cd /
/etc/e-smith/events/certificate-update/S80push2ad


I’ve also used this e.g. for getting the AD SSL cert into OPNsense, for use for the OpenVPN connection…

This works. This method is known as a software hook: it “hooks” in (or kicks off) when triggered. Read the path name to understand when it’s triggered!

My 2 cents
Andy

config is /sbin/e-smith/config
The config command comes from the nethserver-lib package; it’s a core package, you can’t have NethServer without it.
Maybe you “adjusted” the PATH variable.
Default is /sbin/e-smith:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin

I’m going to guess that you logged in as a non-root user, and then used su to become root. Am I right? If so, that’s your problem: when you use su to become root, you don’t get root’s login environment, and /sbin/e-smith isn’t in a normal user’s path (but it is in root’s path). To avoid this, rather than using su, use su -.

No, I’d tried it as root.
@filippo_carletti I wasn’t aware of that tool in that path.

@Andy_Wismer @filippo_carletti @danb35
I really want to let you all know that I really appreciate your efforts in helping me to figure all of this out. You don’t know what this means to me. I’ve been working on putting this open source stuff together for years, and NethServer was the first one that I’d landed on. I just hadn’t been confident enough to configure this stuff and was too afraid/ashamed and maybe a bit too proud to ask.

I started working with NethServer back in 2015 or 2016 but ended up experimenting with ClearOS (hated it), Univention Corporate Server (love it, but it lacks the firewall/gateway functionality) and Proxmox. I’d tried to run the PDC image from tkl.org but had some problems with that. I was also virtualizing pfSense, but I felt insecure about not using it on bare metal.

NethServer has everything I could ever want and need. It’s got so many features and an AWESOME community. I’ve never felt like I could learn so much in so little time.

I really appreciate the help, and I’m wondering if there’s a need for more documentation? I’d love to write some, and I’m also wanting to do videos of installs and configurations of NethServer + other Linux server distros. Is there a need for more of that in this community?

Hi @m3shguy

Documentation is a bit like backups: More is almost always MUCH better!

And, @m3shguy, don’t forget our Motto here on the NethServer forum:

The only dumb questions are those not asked!

My 2 cents
Andy

@m3shguy

Hi

Besides here in the forum (lots of dokus & how-tos) we also have the Wiki ( start [NethServer Wiki] )…

In both places I think I speak for all NethServerians and our little team of volunteers here: good documentation is always welcome, and so are good how-tos and also YouTube vids.

There are also a lot of additional dokus floating around, often on member servers here…

My 2 cents
Andy

That’s how I do it currently, so my routers and printers have certs.

Andy,

I saw your post about that Let’s Encrypt script for the AD certs, and I was wondering about my setup. I have another NethServer installation on another machine and I’m trying to add the certs to that. I wanted to know if I should copy the same path that I have on the main NS installation? If I do that and restart httpd on the second NS machine, will it work? I noticed the cert manager in Neth seems to not upload my LE certs, and it’s only asking for 3 when there are 4 files. Do I need to run certbot on the second machine after copying the certs as well?

Hi

Best would be to create SSH keys on both NethServers.
Then a simple extension of the script above, which copies the certs over and restarts the service, like in the AD script itself.

My 2 cents
Andy
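
As an added example (not part of this thread and not NethServer’s own code), here is what such an extension of the S80push2ad idea could look like: a second certificate-update hook that pushes the renewed pair to another host over SSH and restarts httpd there. The script name S81push2remote, the remote host name ns2.example.lan and the destination paths (mirrored from the AD script) are assumptions; it assumes root’s SSH public key is already in the remote root’s authorized_keys. Before copying anything it checks that the file handed in as the certificate really is a certificate and the key really is a private key, which catches the swapped-file mistake that the cert manager’s “3 of 4 files” confusion invites. DRY_RUN=1 prints the commands instead of running them, so the hook can be checked before it is wired into the event.

```shell
#!/bin/sh
# Added example hook, not from the forum thread or from NethServer:
# /etc/e-smith/events/certificate-update/S81push2remote  (name is an assumption)
# Install next to S80push2ad and chmod 750 it, like that script.
# Assumed: root's SSH key is already authorized on the remote host.

CERT="${CERT:-/etc/pki/tls/certs/localhost.crt}"
KEY="${KEY:-/etc/pki/tls/private/localhost.key}"
REMOTE="${REMOTE:-root@ns2.example.lan}"     # placeholder second NethServer
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands, change nothing

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_cert / is_key: refuse to push the wrong file (cert and key swapped,
# or a chain file handed in as the key). Checks the PEM header line only.
is_cert() { [ -r "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'; }
is_key()  { [ -r "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; }

# push_cert CERT KEY REMOTE: copy the pair into place on the remote host,
# fix permissions there and restart httpd. Returns non-zero and copies
# nothing if either file is not what it claims to be.
push_cert() {
    crt="$1"; key="$2"; remote="$3"
    is_cert "$crt" || { echo "not a certificate: $crt" >&2; return 1; }
    is_key  "$key" || { echo "not a private key: $key" >&2; return 1; }
    run scp -p "$crt" "$remote:/etc/pki/tls/certs/localhost.crt" || return 1
    run scp -p "$key" "$remote:/etc/pki/tls/private/localhost.key" || return 1
    # Key stays root-only, cert world-readable, then reload the web server.
    run ssh "$remote" "chmod 600 /etc/pki/tls/private/localhost.key && chmod 644 /etc/pki/tls/certs/localhost.crt && systemctl restart httpd"
}

# Only push when executed as the event hook (by its file name), so the
# functions can also be sourced and exercised without touching any host.
case "$0" in
    S81push2remote|*/S81push2remote) push_cert "$CERT" "$KEY" "$REMOTE" ;;
esac
```

Run it once by hand after creating it, as with S80push2ad, and check the remote httpd presents the new certificate afterwards (for example with openssl s_client). If the second machine is itself a NethServer, keep in mind that its own certificate settings may regenerate the files you copied; the hook above only mirrors what the AD script does for the nsdc container.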