
I have a server set up with some virtual machines behind a NAT. I want to use encryption for my xmpp-server-vm, and therefore need a certificate inside the VM. Is there a possibility to use nginx as a reverse proxy so I can run letsencrypt and get/renew the certificates on the VM with the xmpp-server and keep the private key on that machine? I can't use nginx as a TLS termination proxy because my VM should not have access to the reverse proxy itself, which would be needed because the xmpp-software needs access to the key.

Edit:

I made a schematic of what I want to do:

[image: schematic of the setup; not available in this copy]

My basic problem is, I do not know if letsencrypt works behind a reverse proxy with server name indication enabled, so I can get a certificate inside my xmpp-server-vm to encrypt the xmpp traffic.

Frederik
user393856
  • Your question is confusing. Can you provide a diagram of your network and server architecture, and perhaps edit your question to make it more clear? Nginx and Let's Encrypt work fine together, but I don't understand your question. – Tim Jan 07 '17 at 05:49
  • @Tim It looks like he has one global IPv4 address, and so he has forwarded ports 80 and 443 to one VM, and port 5222 (XMPP) to another VM. Now he wants the XMPP VM to be able to use letsencrypt certificates which get fetched (somehow) via the other VM, because certbot uses ports 80 and 443. – Michael Hampton Jan 07 '17 at 17:41
  • @MichaelHampton that is almost what I wanted to say. The only difference is that I want to use a reverse proxy for the http/https ports, because I have more than one VM which uses http, and I have to get the key and the certificate onto the virtual machine running the xmpp server, because it needs direct access to it. – user393856 Jan 07 '17 at 17:48
  • Have you considered deploying IPv6? It would eliminate this problem and the xmpp VM could get its own certificate directly. – Michael Hampton Jan 07 '17 at 17:49
  • I haven't. That is quite a good idea. However I'll need to find out more on how to get IPv6 running in parallel with my current setup, because it has to stay available via IPv4. – user393856 Jan 07 '17 at 17:56
  • Looks like a sub-optimal setup to me. Why is iptables out front? Put Nginx there and I think all your problems can be solved easily. – Tim Jan 07 '17 at 21:02
  • @Tim iptables does port forwarding for xmpp because, to my knowledge, nginx does not support xmpp (except a discontinued fork: https://github.com/robn/nginx-xmpp). – user393856 Jan 07 '17 at 22:56
  • I wonder if HAProxy or something else can sit out front, passing requests to whichever server needs to terminate the request at the TCP level, not terminating SSL. – Tim Jan 08 '17 at 03:47
  • @Tim I think you can do this with http, if the proxy supports http CONNECT tunneling. But I don't know if there's a similar thing for xmpp. – user393856 Jan 08 '17 at 16:56

3 Answers


Let's Encrypt allows other forms of challenge/response methods, other than HTTP-01. certbot implements this through additional flags on the command line:

certbot -h manual

DNS-01 requires insertion of the challenge in a TXT record in your DNS records, and requires a DNS server / hosting provider that lets you do this via a script. It's doable, but quite a bit of work.

I successfully use DNS-01 to provide 40+ hotspot systems with multiple certificates. A Command And Control host runs certbot and retrieves all certificates for domains that match a profile at the DNS provider. The hotspot fetches the certificate and key from the Command And Control host through scp.

Coroos

I managed to get this working by a very simple solution, although this was not what I originally had in mind. I run letsencrypt on the host OS and copy the private key and certificates into the VM via ssh.

user393856

The solution you provided appears to be far from ideal. Is there a good reason why you don't run certbot on the reverse proxy? Your description implies that everything behind the reverse proxy is on a private network - it may be safe to turn off validation of the origin certificate on the proxy.

symcbean