As I described in a previous post, Apache: How to use reverse secure proxy to chain secure apache servers – updated, I have a configuration of chained secure apache servers, where one of the servers serves https resources and also acts as a reverse proxy for another server serving https resources.
On the first server I use the one-year free certificates issued by the StartCom Ltd. certification authority. The problem is that you are limited to two host name certificates per domain.
Because of that, and also as an experiment, I decided to use the free 90-day certificate from letsencrypt.org for the 3rd site, store.voina.org.
I tried several of the options to issue certificates, but the main problem I had was due to the secure reverse proxy I had configured.
I started with the tutorial from Certbot with Apache on Fedora 23+.
STEP 1: Install certbot
As instructed, I installed certbot from the FC 25 packages:
dnf install python-certbot-apache
dnf install certbot
STEP 2: Try automatic setup
I first tried the automatic setup. This was not successful because my store is hosted behind a reverse proxy. Certbot kept complaining that it cannot issue a certificate for store.voina.org because the CA sees only blog.voina.org at the given IP. This happens because when the CA asked my host for an SSL certificate (both store and blog point to the same IP in their DNS entries), my host returned the blog.voina.org certificate to the CA, not the certbot one, which was hidden behind the reverse proxy.
STEP 3: Try the workaround setup
After some digging, I found that the only effective method to issue the certificate is to suspend any apache server that may answer the CA and let the certbot client act as the http server and respond to the CA challenges.
STEP 3.1: Stop all the running apache instances on both the store server and the reverse proxy (which is also the blog server)
On nas1 (reverse proxy and blog server):
service httpd stop
On nas2 (store server):
service httpd stop
STEP 3.2: Start certbot as standalone
On nas2 (store server):
certbot --standalone certonly --standalone-supported-challenges tls-sni-01
I answered all the questions and asked for a certificate for store.voina.org. As a result, I got a certificate, a private key and a full chain CA certificate generated under the /etc/letsencrypt/store.voina.org directory.
I still have to try to renew the certificate when it is about to expire, and I guess the procedure will also be a manual one. I promise I will write a post when I renew the certificate.
STEP 4: Add the certificate to the configurations
Copy the certificates to both nas1 and nas2. Note that it does not matter on which of the two servers, nas1 or nas2, I ran the STEP 3.2 command. Both servers are seen on the Internet at the same IP, so letsencrypt cannot distinguish between them.
In the nas1 apache configuration file, add the new certificates to the SSL configuration of the store reverse proxy section.
In the nas2 apache configuration file, add the new certificates to the SSL configuration of the store section.
Restart apache on both servers, nas1 and nas2:
service httpd start
Go to store.voina.org and check the SSL certificate.
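The diagnosis in STEP 2 (the proxy answering a request for store.voina.org with the blog.voina.org certificate) and the check at the end of STEP 4 come down to the same question: which certificate does the shared IP actually present when a client asks for a given name via SNI, and how long is that certificate still valid? The following Python script is an added example, not code from the original post or from certbot; the function names, the constructed sample certificate dictionary and the fixed sample clock are my assumptions. It opens a TLS connection with a chosen SNI name, reports which names the served certificate covers, whether the expected name is among them, and whether certbot renew would already consider it due (fewer than 30 days left). The same check can be run against the certificate in place after STEP 4 and again from the daily renewal job.

```python
import socket
import ssl
import sys
import time

# Constructed sample: the dict shape that ssl.SSLSocket.getpeercert() returns,
# standing in for the blog.voina.org certificate the proxy hands out for every SNI name.
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.voina.org"),),),
    "subjectAltName": (("DNS", "blog.voina.org"), ("DNS", "www.voina.org")),
    "notAfter": "Mar 10 12:00:00 2030 GMT",
}
# Constructed "current time" so the expiry arithmetic is reproducible offline.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 28 12:00:00 2030 GMT")

# certbot renew replaces certificates that have fewer than this many days left.
RENEW_THRESHOLD_DAYS = 30


def cert_names(cert):
    """Collect every DNS name the certificate is valid for (SANs plus the subject CN)."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate, including a single-label wildcard."""
    hostname = hostname.lower()
    for name in cert_names(cert):
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_cert(cert, expected_host, now=None):
    """Summarise whether cert covers expected_host and how many days it has left."""
    if now is None:
        now = time.time()
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expiry - now) // 86400)
    return {
        "matches": hostname_matches(cert, expected_host),
        "names": sorted(cert_names(cert)),
        "days_left": days_left,
        "needs_renewal": days_left < RENEW_THRESHOLD_DAYS,
    }


def fetch_cert(address, sni_name, port=443, timeout=10):
    """Connect to address, send sni_name in the TLS handshake, return the served certificate.

    Hostname checking is switched off on purpose: the point is to see which certificate
    the server actually presents for this SNI name, not to enforce one. Chain validation
    against the system CA store stays on, so an untrusted chain raises an error instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_served_cert.py <ip-or-host> <expected-hostname>
    if len(sys.argv) == 3:
        address, host = sys.argv[1], sys.argv[2]
    else:
        address, host = "store.voina.org", "store.voina.org"
    try:
        result = check_cert(fetch_cert(address, host), host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: served certificate does not validate: {exc}")
    else:
        print(f"{host}: served names {result['names']}, matches={result['matches']}, "
              f"{result['days_left']} days left, needs_renewal={result['needs_renewal']}")
```

Run against the shared IP with the store hostname as SNI: before the fix the reported names are those of the blog certificate and matches is False, which is exactly what the CA saw during the tls-sni-01 attempt; after STEP 4 the names should include store.voina.org. The needs_renewal flag mirrors the threshold certbot renew uses, so the same script can be used to verify that the daily renewal job actually rotated the certificate.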
STEP 5: Renew certificates
To renew all the certificates, just run:
certbot renew
This can also be added as a cron job to be run daily.
Note that the tls-sni-01 challenge has since been deprecated; for details see the following post: https://blog.voina.org/use-letsencrypt-to-generate-a-wildcard-domain-certificate/