Copy SSL to another Server

Discussion in 'General' started by GCCM, Aug 28, 2021.

  1. GCCM

    GCCM New Member

    Good Day Community

    I got a question about SSL Certificate (LE).
    Actually i have an Ubuntu 20.04 with current Version of ISPCONFIG 3. It is running with Apache2.
    Now i got another Server for another application. So i created a website and configured as Proxy and secured with SSL (LE). That's working fine. But now the new Application got some "Slave" Servers and want to use SSL. So i tired to use a self signed certificate like i do with Exchange Server. But the "Slave" Servers do not accept it cause there is another Cert than the public from ISPCONFIG 3. so i thought solution:
    Just copy automaticly the LE Cert etc. to the other Server and use it.

    But i do not know how to automate this? Both Server are Ubuntu Server 20.04. So i tried with "scp". But there always "permission denied".

    Maybe someone here got any idea?

    Passtrough over proxy seems also do not work.. I always got 2 different failtures.
    1. ISPCONFIG3 do not passtrough the .well-known...
    2. ISPCONFIG3 if it passtrough it, i see another domain for example my exchange Server and not the Server i got on proxy.


    Thank You.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you are proxying a website to another server, you can setup the ssl certificate in the first server, eg. using letsencrypt, and use a self-signed certificate, it even no certificate on the second server.

    If you post the proxy config you have, it may be more clear why the would be a problem.
     
  3. GCCM

    GCCM New Member

    Hi

    Thank you.

    It is required by the Panel on slave and other server that i need to have the certificate there.

    i have this:
    Code:
    RewriteEngine On
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader unset Accept-Encoding
    TimeOut 1800
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://192.168.49.49/
    ProxyPassReverse / https://192.168.49.49/
    AddDefaultCharset ISO-8859-1
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
    But it doesn't care ISPCONFIG if i just put in like this:
    Code:
    RewriteEngine On
    ProxyPass /.well-known
    ProxyPass / http://192.168.49.49/
    ProxyPassReverse / http://192.168.49.49/
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    Note: Ispconfig 3 running on Apache 2, the server behind is a NGINX (if it need to be configured different)
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You will be terminating an ssl session from the client on the first server, so it will need to have the/a ssl certificate there, whether or not the second server uses one.
     
  5. GCCM

    GCCM New Member

    Yes that is correct. But anyway the second server need a certificate or the panel would not work.. So i need to deploy there the public certificate but do not know how to ccopy it to this or how to tell ISPCONFIG "please forward the full traffic to this server that it can do a own LE certificate"
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If your servers are behind nat router or something similar your option is limited to dns challenge, proxy, nfs or lastly copy ssl as you are trying to do.

    The command scp should work if you do it right even via bash script provided always servers must have ssh access to each other as described in several howtoforge tutorials and guides.

    If other servers are not mainly web servers, and you need the LE certs mainly to secure that other servers amd their services, to me using dns challenge is the best option.
     
    Jesse Norell likes this.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    So to reword that, you want ISPConfig to handle the letsencrypt certificate verification for a certificate on the first server, and also forward letsencrypt verification requests to the second server for it to also perform verification - and you can see difficulties there. The easiest solutions would be those @ahrasis mentioned (dns challenge, use a network filesystem to share the acme challenge folder, or copy certificate from server 1->2 after issue), or get another public ip address for your second server.
     

Share This Page