-1

I have read many articles on certs on a subdomain, but I'm still confused.

My hope is someone can explain how this needs to be configured.

I have a production server (hosted VM) for my site (eg. https://www.example.com, ip: 1.1.1.1). I have an application that I host on a machine on my home network (eg. ip 2.2.2.2).

I would like a subdomain - dev.example.com - to point to 2.2.2.2 (I configured this with an "A" DNS record on 1.1.1.1 and this works properly).

However, I would like to use a certificate (Let's Encrypt) to be able to secure incoming connections to https://dev.example.com.

Here is what I would like to know:

  1. Is this possible?
  2. If so, should the cert be installed on 2.2.2.2? Does the cert need to be setup in a certain way?

I appreciate any articles or info.

Bonus question: Does the complexity of the setup in my home network matter? For instance: I have a router that directs port 80, 8080 and 443 to a VM web server. This server then use Proxy / Rev Proxy to redirect traffic - based on folders (eg. dev.example.com/app34) to the specific Application server (192.168.0.34). Will any of this affect the cert setup?

NEW2WEB
  • 119
  • 1
  • 6
  • The CA signed cert may not be the solution you are looking for. What happens when your ISP decides you should have a different IP address just now? It sounds like dev.example.com is not something you are serving for the general public, so you can accomplish the goal of encryption plus authentication by using TLS client certificates, and the IP address won't matter and doesn't require signed CA. – Paul Nov 12 '21 at 17:47
  • Thanks @Paul ! I'll look into TLS client certificates – NEW2WEB Nov 12 '21 at 17:53

1 Answers1

2

Is this possible?

Yes. Simply request a certificate from Let's Encrypt for dev.example.com. This can be verified using e.g. DNS challenge, or some other type. What matters is that you can respond to the challenge successfully, and you'll be handed a certificate.

If so, should the cert be installed on 2.2.2.2? Does the cert need to be setup in a certain way?

Probably. The alternative would be for all TLS traffic to be terminated on a reverse proxy at some other machine. But the most straight forward way is probably to terminate it at the machine that runs the actual server software.

There is nothing special to the certificate. There is no inherent difference between example.com and dev.example.com, or www.example.com; They are just domain names. Domain names are written in to the certificate.

IP's are not written into certificates. You can freely change where DNS points, and the certificates will continue to work.

Bonus question: Does the complexity of the setup in my home network matter? For instance: I have a router that directs port 80, 8080 and 443 to a VM web server. This server then use Proxy / Rev Proxy to redirect traffic - based on folders (eg. dev.example.com/app34) to the specific Application server (192.168.0.34). Will any of this affect the cert setup?

Whatever service that is expected to understand the traffic has to terminate the TLS session. This will in your case be the reverse proxy. Otherwise it can't decide where to forward traffic.

vidarlo
  • 6,654
  • 2
  • 18
  • 31