[sdnog] Let's Encrypt behind reverse proxy

Tareq Fatehalrahman tarig134 at gmail.com
Mon Apr 1 10:09:47 SAST 2019


Greetings Zainelabdeen,
       If I understood you correctly, you have two different web servers
with two different names sharing one public IP address behind a reverse
proxy.
You can use the pfsense as the SSL termination point and put the certificate on
it. I think you can issue one certificate with both names; you will have to
use the *-d* flag. This link can be helpful for understanding the command
line options:
https://certbot.eff.org/docs/using.html#certbot-command-line-options

If this is not acceptable, you should try to find a way for the back-end
servers to issue their own certificates. You will have to make sure that they
can resolve names (they need to connect to Let's Encrypt servers). Also
make sure to forward port 80 on the pfsense to each server depending on the
requested domain; it is used for the verification. This way should work and
you will be able to issue separate certificates on each server following
the known instructions. It is recommended to use certbot:
https://certbot.eff.org/

Regards,
Tareq Fatehalrahman
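As an added illustration of the second option above (not part of Tareq's message or the pfSense project), this is the raw haproxy.cfg equivalent of what the pfSense HAProxy package would generate: port 80 on the single public IP hands each Let's Encrypt HTTP-01 challenge to the backend that owns the requested name, while port 443 is passed through on SNI so each backend keeps its own certificate. Hostnames and addresses (web1/web2.example.com, 10.0.0.11/12) are placeholders.

```haproxy
# Added example, not from the thread. Placeholder names and addresses.
global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 on the public IP: only the ACME challenge path is forwarded,
# and only to the backend whose name was requested; all other HTTP
# traffic is redirected to HTTPS.
frontend http_in
    bind *:80
    acl is_acme   path_beg /.well-known/acme-challenge/
    acl host_web1 hdr(host) -i web1.example.com
    acl host_web2 hdr(host) -i web2.example.com
    use_backend web1_http if is_acme host_web1
    use_backend web2_http if is_acme host_web2
    http-request redirect scheme https code 301 unless is_acme

# Port 443: TLS is terminated on the backends (they hold the certs
# they issued), so route on the SNI name without decrypting.
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend web1_tls if { req.ssl_sni -i web1.example.com }
    use_backend web2_tls if { req.ssl_sni -i web2.example.com }

backend web1_http
    server web1 10.0.0.11:80
backend web2_http
    server web2 10.0.0.12:80
backend web1_tls
    mode tcp
    server web1 10.0.0.11:443
backend web2_tls
    mode tcp
    server web2 10.0.0.12:443
```

Each backend can then run, for example, `certbot certonly --webroot -w <its document root> -d web1.example.com`, since the challenge file it writes is reachable from the internet through the port 80 rule above.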

On Sun, Mar 31, 2019 at 11:16 PM Zainelabdeen S.A Elgraeed <
zainco30 at gmail.com> wrote:

> Thank you mahmmoud ahmed,
> my situation is to provide SSL to internal web servers that have different
> names sharing the same public IP address through the pfsense reverse proxy.
> I tried to configure the ACME package but it didn't work.
> Is it possible to do this? And how?
> Throughout my search, all blogs and tutorials provide SSL to pfsense
> itself or to web pages created inside pfsense.
> Later I tried to configure certbot inside the internal web server but it did not work.
> The next step is to make a cluster and load balancer for it.
>
> On Sun, 31 Mar 2019 at 20:46, mahmmoud ahmed <mohd_ibrah_ahmed at hotmail.com>
> wrote:
>
>> Dear Zainelabdeen
>>
>> Greetings ,,
>>
>> It looks like you have two or more servers and you are using HA-PROXY to do
>> load balancing between the servers, and it also looks like the application servers
>> are using https :443, so it is preferable to use the Lets encrypt certificate in
>> Pfsense, which is supposed to be your gateway, and put the public ip address in
>> the DNS. I have done this scenario before for an E-payment company in Sudan.
>>
>> Thanks
>>
>> Mahmoud Ibrahim Ahmed
>>
>> *From: *Zainelabdeen S.A Elgraeed <zainco30 at gmail.com>
>> *Sent: *31 March 2019 21:43
>> *To: *Sudan NOG <sdnog at sdnog.sd>
>> *Subject: *[sdnog] Let's Encrypt behind reverse proxy
>>
>> Hello, I am asking for help.
>>
>> How do I configure Let's Encrypt for a web server in this environment:
>>
>> - ESXi virtualization.
>> - pfsense firewall for use as a reverse proxy with haproxy.
>> - a single public IP address.
>> - outsourced DNS server.
>>