0

Is it possible / advisable to register and renew a Let's Encrypt certificate through Nginx for https, and share that same certificate on a websocket connection (wss://) on the same domain? The websocket server is being run off of node.js (Colyseus to be specific - which has Express built in)

If not, is it worth setting Nginx as a reverse proxy in front of the websocket server and setting the certificates that way?

And finally, if it is a good idea to just use one certificate and share it with the websocket server, what's the best way to get Express to reload the files when certbot renews the certificate? Can certbot inform the server it updated the certificates? Or do the files need to be reloaded at all?

Jon
  • 103
  • 3

1 Answer

2

Is it possible / advisable to register and renew a Let's Encrypt certificate through Nginx for https, and share that same certificate on a websocket connection (wss://) on the same domain? The websocket server is being run off of node.js (Colyseus to be specific - which has Express built in)

Possible but not advisable: the advisable approach is to use an industry-standard web server in front as the reverse proxy, and the number one among those is nginx at the time of this answer. However, haproxy can also act as one.

If not, is it worth setting Nginx as a reverse proxy in front of the websocket server and setting the certificates that way?

Yeah, that's a recommended approach. Because, once again, you don't usually run peculiar applications bound to the HTTP/HTTPS port directly: this forbids you from various types of important functionality. Seamless reload on the certificate renewal is one of them.

And finally, if it is a good idea to just use one certificate and share it with the websocket server, what's the best way to get Express to reload the files when certbot renews the certificate?

Basically you just run certbot renew (crond runs it for ya) and just tell nginx to refresh it with nginx -s reload.

Can certbot inform the server it updated the certificates?

I'm unaware of this, but this mechanism is not really needed anyway - with LE certificates this should happen only once in 3 months, so ...

Or do the files need to be reloaded at all?

Sure they do. How can they not be - they are loaded only once at the start of the web server.

drookie
  • 8,625
  • 1
  • 19
  • 29
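The setup the answer recommends, as an added example that is not code from the question or the answer: nginx terminates TLS for both https:// and wss:// on one domain with the Let's Encrypt files and proxies WebSocket traffic to the Node/Colyseus process on port 2537 over plain loopback HTTP, so the Node side never loads the certificate and only nginx has to reload on renewal. The domain example.com and the certificate paths are assumptions.

```nginx
# Added example (not from the original post). Assumed: domain example.com,
# Node/Colyseus listening on 127.0.0.1:2537 with plain ws:// (no TLS in Node).

# Turn the client's Upgrade header into the Connection header sent upstream,
# so ordinary HTTP requests and WebSocket upgrades share one location block.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # plain http only redirects
}

server {
    listen 443 ssl;
    server_name example.com;

    # Files certbot maintains for this domain. nginx reads them once at
    # (re)load time, which is why a renewal needs "nginx -s reload".
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         http://127.0.0.1:2537;
        proxy_http_version 1.1;                        # needed for Upgrade
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Game sockets are long-lived and may sit idle; nginx drops idle
        # proxied connections after 60s by default.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}

# Renewal: certbot rewrites the files under /etc/letsencrypt/live/ and runs the
# deploy hook only when a certificate was actually renewed, e.g.
#   certbot renew --deploy-hook "nginx -t && nginx -s reload"
```

Point the game client at wss://example.com/ rather than the raw port, and keep 2537 bound to loopback (or firewalled) so every connection to the game server goes through the proxy that holds the certificate.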
  • Thank you for the answer. I have one more question though - is using nginx as a reverse proxy going to add a delay or increased packet size to / from my websocket server? The ws server is for a game where even 50ms more latency would be bad. Also for the record I was running, and was planning on continuing to run the ws server on port 2537 (iirc, definitely not port 80) – Jon Mar 19 '22 at 14:47
  • 1
    It will add some additional delay for sure, but we are talking about a delay of around a millisecond or a fraction of one. To add a 50 ms delay your reverse proxy would have to reside in another datacenter several thousand kilometers away from your node.js instance. – drookie Mar 19 '22 at 16:30
  • 1
    And nothing will happen to the packet size. It will effectively be of the same size. :) – drookie Mar 19 '22 at 16:30