
I have two VMs. One running LEMP and one running Grafana.

I have configured nginx on LEMP to serve as a reverse proxy for various VMs in my lab, including the VM with Grafana.

It works great, but I would like to add Let's Encrypt SSL for the Grafana host from the outside, so that grafana.mydomain.com is served over SSL.

I want to set up a wildcard for *.mydomain.com so that in the future I can deploy new services and VMs that can be accessed via HTTPS from the outside. Is there a common practice for doing this? I'm not sure whether I should install certbot and deploy the certificate on the nginx host or on the VM running Grafana. I tried both, and both failed. Although I'm not sure if I missed a few settings in the Grafana config, for example. I can't find any guides that seem to provide the correct config setup, as far as I know.

Currently I have tried installing SSL on both the nginx reverse proxy host and the Grafana host for the wildcard *.mydomain.com, which also adds to my confusion because it's now "doubled up" with certs.

The certs are stored under /etc/letsencrypt/live/mydomain.com.

Not sure what else is relevant information, but here is the nginx config stored under /etc/nginx/sites-enabled/grafana.mydomain.com:

server {
    server_name grafana.mydomain.com;
    # No listen directive: nginx then defaults to port 80 only, so nothing
    # answers on 443 regardless of the certificate settings below.

    # ssl on;   (deprecated; "listen 443 ssl;" is the current form)
    # ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        # Pass the client address and the original Host header on to Grafana
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Backend Grafana VM, reached over plain HTTP on the lab network
        proxy_pass http://10.0.0.113:3000;
    }
}

Note: I have commented out the SSL settings, as I am unable to reach Grafana with them enabled when accessing from the outside.

SSL was deployed on the nginx host with this command:

$ sudo certbot certonly --manual -d *.mydomain.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

In short: am I right that certbot and LE should be deployed on the nginx host, and that there is no need for them on the backend host (Grafana)? My guess is that the uncommented version of the nginx config posted above should work, but I'm missing some config settings elsewhere.

  • OK. So I found this in the nginx error.log: `2018/07/10 11:07:23 [emerg] 1630#1630: BIO_new_file("/etc/nginx/etc/letsencrypt/live/mydomain.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)` I corrected it to "/etc/nginx/letsencrypt...." and am not seeing the error anymore. Still, I get the same issues when trying to connect via HTTPS. – user10059231 Jul 10 '18 at 16:27
  • I can also see that connections are getting passed through my lab FW. – user10059231 Jul 10 '18 at 16:57
  • Huh... looks like my connections are being blocked by UFW. `Jul 10 16:50:13 lemp01 kernel: [1567241.631952] [UFW BLOCK] IN=ens18 OUT= MAC=4a:b1:9f:a2xx:xx: SRC=XXX.XX.XX.X DST=10.0.0.111 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=48631 DF PROTO=TCP SPT=59985 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 ` – user10059231 Jul 10 '18 at 17:02
  • And problem fixed! nginx did not listen on 443. I added `listen 443;` to the config file and it's working! – user10059231 Jul 10 '18 at 17:09
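For reference, here is the shape of a TLS-terminating reverse proxy for this set-up: the wildcard certificate lives only on the nginx host, and Grafana keeps speaking plain HTTP on the lab network. This is an added example, not the poster's config; it assumes the certificate paths and the backend address 10.0.0.113:3000 from the post, and adds an HTTP-to-HTTPS redirect and an X-Forwarded-Proto header that the original did not have.

```nginx
# Added example (not from the original post): TLS termination for Grafana
# on the LEMP reverse proxy. Assumes the wildcard cert from the post is at
# /etc/letsencrypt/live/mydomain.com/ and Grafana listens on 10.0.0.113:3000.

# Port 80 only redirects; nothing is proxied over plain HTTP.
server {
    listen 80;
    server_name grafana.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    # "listen 443;" on its own serves plain HTTP on port 443. The "ssl"
    # parameter is what enables TLS; it replaces the deprecated "ssl on;".
    listen 443 ssl;
    server_name grafana.mydomain.com;

    # Absolute paths. A relative path is resolved under the nginx prefix,
    # which is how "/etc/nginx/etc/letsencrypt/..." ends up in error.log.
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    # Add TLSv1.3 here once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets Grafana know the client used https, so generated links are https://
        proxy_set_header X-Forwarded-Proto $scheme;
        # Backend stays plain HTTP; no certificate is needed on the Grafana VM.
        proxy_pass http://10.0.0.113:3000;
    }
}
```

On the Grafana side nothing TLS-related is required; set `root_url = https://grafana.mydomain.com/` in the `[server]` section of grafana.ini so redirects and links use the public name, and leave `protocol = http`. After editing, run `sudo nginx -t && sudo systemctl reload nginx`, confirm the socket with `ss -ltn | grep ':443'`, open the port in UFW with `sudo ufw allow 443/tcp`, and test from outside with `curl -vI https://grafana.mydomain.com/`. Two caveats on the certificate itself: `*.mydomain.com` does not cover the bare `mydomain.com` (add `-d mydomain.com` to the certbot command if the apex is needed), and a certificate issued with `--manual` and a DNS-01 challenge will not renew unattended unless certbot is given a `--manual-auth-hook` or a DNS provider plugin that can publish the `_acme-challenge` TXT record for it.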
