
I am looking for a solution to provide a web application running on our local network under a subdomain via SSL. We don't want to use DynDNS but a subdomain of our own domain.

Our current setup

Root Server (internet)

We have a root server with Ubuntu 16.04 and Apache 2, hosted at a data center, where our domain example.com and all its subdomains terminate.

<VirtualHost *:443>
        ServerName SUB.EXAMPLE.COM
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN On
        SSLProxyCheckPeerExpire On
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
                ProxyPass / https://PUBLICIP:9443/
                ProxyPassReverse / https://PUBLICIP:9443/
</VirtualHost>

Application Server (local)

Debian with Apache 2

<VirtualHost *:9443>
        ServerName SUB.EXAMPLE.COM
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/MYAPP
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <IfModule mod_headers.c>
           Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        </IfModule>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/SUB.DOMAIN.COM/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/SUB.DOMAIN.COM/privkey.pem
</VirtualHost>

Research so far

  1. I know that the configuration on the root server is wrong, because I do not provide a certificate there (see Questions).
  2. Most solutions I've found so far are about SSL handling on the reverse proxy (our root server), where the connection between the two servers is not via SSL (e.g. because they are in the same network, so it is not necessary). We do need it, though, because otherwise the communication between the root server and the application would not be encrypted.
  3. The firewall allows access on port 9443, so when trying to access https://PUBLICIP:9443 I get NET::ERR_CERT_COMMON_NAME_INVALID (which is correct, because the cert is for SUB.EXAMPLE.COM).

Questions

Do I have to get 2 certificates? One for SUB.EXAMPLE.COM on our root server and one for our PUBLICIP (which is, AFAIK, not possible via Let's Encrypt). Or is there any other way to fix that (without setting up a DNS)?

drohhyn
  • How are users (and by users I mean browsers and the like) supposed to TRUST your web server if the certificate is for sub.domain.com but your web server does not have a domain name? Indeed, I'd like to know if there are ways to achieve this result, because I too own a couple of servers without a domain name where I'd like to install a certificate, but simply can't. – aPugLife Mar 06 '18 at 10:14
  • In my understanding, users (browsers) don't have to trust the local application server. Only the root server has to trust it, and the root server has the certificate for the browsers. But when I obtain the SSL cert on my root server, which cert should I use on the application server? => Back to the question: do I have to get 2 certs? – drohhyn Mar 06 '18 at 11:03
  • Why don't you use the hostname in the backend proxy directives? You want to check the backend cert, since you have set those options to on manually, so use them; if not, set those options to off so as not to check the CN, and keep using the IP. Anyway, you can use the same cert on both if both use the same ServerName; there is no issue here. – Daniel Ferradal Mar 06 '18 at 11:10
  • Also remove `Order deny,allow` / `Allow from all`: Order/Allow/Deny/Satisfy are 2.2 directives, and you don't need `<Proxy *>` since that is mostly for forward proxying. – Daniel Ferradal Mar 06 '18 at 11:10

1 Answer


So my solution was to use the same cert on both servers and the following virtual host config on the root server:

<VirtualHost *:443>
        ServerName SUB.EXAMPLE.COM
        ProxyPass / https://PUBLICIP:9443/
        ProxyPassReverse / https://PUBLICIP:9443/

        # Same Let's Encrypt certificate as on the application server
        SSLCertificateFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/privkey.pem

        # certbot's options file (contains SSLEngine on, protocols, cipher suites)
        Include /etc/letsencrypt/options-ssl-apache.conf

        # The backend is addressed by IP, so the CN/name checks against a
        # certificate issued for SUB.EXAMPLE.COM are switched off here;
        # only the expiry check stays on.
        SSLProxyEngine on
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        SSLProxyCheckPeerExpire On

</VirtualHost>
drohhyn
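The accepted config turns the peer-name checks off so that the IP-addressed backend passes, which also means the root server would accept any certificate an impostor backend presents. The variant below keeps verification on, following the comment that suggests using a hostname in the backend proxy directives: the root server addresses the backend by the name its certificate carries, and that name is pinned to the backend's address in /etc/hosts on the root server, so no public DNS change is needed. This is an added example, not the poster's configuration; the /etc/hosts line, the ROOT_SERVER_IP placeholder and the CA bundle path /etc/ssl/certs/ca-certificates.crt (the Debian/Ubuntu default) are assumptions.

```apache
# --- Root server (internet) ---
# Assumed /etc/hosts entry on the root server, so that mod_proxy resolves the
# backend by the name on its certificate instead of going through public DNS:
#   PUBLICIP   SUB.EXAMPLE.COM
<VirtualHost *:443>
        ServerName SUB.EXAMPLE.COM

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        # Verify the backend's certificate chain against the system CA bundle
        # (Let's Encrypt chains to a root in it) and require the certificate
        # name to match the hostname in the ProxyPass URL. SSLProxyVerify
        # defaults to "none", so without it the chain is never validated.
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
        SSLProxyCheckPeerName on
        SSLProxyCheckPeerExpire on

        # Backend addressed by name, so the name check can succeed; the same
        # name is also sent as SNI to the backend.
        ProxyPass / https://SUB.EXAMPLE.COM:9443/
        ProxyPassReverse / https://SUB.EXAMPLE.COM:9443/
</VirtualHost>

# --- Application server (local) ---
# Port 9443 is reachable from the internet (the firewall allows it), so limit
# the vhost to the root server rather than leaving a second, unproxied entry.
<VirtualHost *:9443>
        ServerName SUB.EXAMPLE.COM
        DocumentRoot /var/www/MYAPP
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/SUB.EXAMPLE.COM/privkey.pem

        # ROOT_SERVER_IP is a placeholder for the root server's public address
        # (the address its outgoing proxy connections come from).
        <Location />
                Require ip ROOT_SERVER_IP
        </Location>
</VirtualHost>
```

Two caveats: the /etc/hosts override affects every process on the root server that resolves SUB.EXAMPLE.COM, not just Apache, so keep that in mind for anything else running there; and the certificate has to be copied to the application server on every renewal, or the expiry check will start returning 502s. To confirm the backend presents the expected certificate before reloading the proxy, run `openssl s_client -connect PUBLICIP:9443 -servername SUB.EXAMPLE.COM -CAfile /etc/ssl/certs/ca-certificates.crt` from the root server and check that the subject is SUB.EXAMPLE.COM and the verify return code is 0.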