
I'm trying to set up a two-server system, where one is doing webhosting and the other is delivering content (CDN) for the webhost server.

I currently own two servers and they both have Let's Encrypt SSL.

webhost https://example.com

example.com 123.123.123.123

CDN https://foo.com

foo.com 111.111.111.111

I have set up a subdomain for my webhost server, cdn.example.com, which is pointing to the CDN server foo.com 111.111.111.111.

The problem is that the cdn.example.com does not have Let's Encrypt SSL.

How can I get the Let's Encrypt SSL for the cdn.example.com which is pointing to the foo.com 111.111.111.111?

When I run:

certbot --apache --cert-name example.com -d cdn.example.com

It gives an error:

Failed authorization procedure. cdn.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cdn.example.com/.well-known/acme-challenge/PaKenmvAqHoOdOBUhThxxxxx: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cdn.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://cdn.example.com/.well-known/acme-challenge/PaKenmvAqHoOdOBUhThxxxxx:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Running default Debian and Apache2 installation.

I guess I have to manually set up the acme-challenge files on my CDN server? What commands should I run?

2 Answers


In order to achieve what you want: you can copy the SSL configuration of the CDN domain (https://foo.com) and edit it for the domain cdn.example.com; just replace the traces of foo.com with cdn.example.com.

I can't give any more detail on the process since I don't know your server configuration.

However, as a suggestion (since I don't know your exact requirements), it seems to me like you aren't really in need of a separate domain for your CDN. On the other server, you can simply create a configuration for cdn.example.com.

Can Sürmeli
  • By copying the SSL configuration you mean what? Copy the SSL configuration files from the CDN server to the webhost server? Or just make a local copy and edit the domains? I don't know how to do this; where are these configuration files usually? I'm running apache2 and Debian on both servers. – user49087345 Nov 15 '18 at 13:55
  • Then how did you set up your servers? Have you followed along a tutorial such as one from Digital Ocean? I need a bit more about your server configuration. – Can Sürmeli Nov 15 '18 at 14:08
  • Both servers have a default Debian install. The only thing I've done is that I've installed PHP and Apache2 on both of them. After that, I ran Let's Encrypt commands on both of my servers for obtaining SSL certificates for them (```sudo certbot --apache certonly```). – user49087345 Nov 15 '18 at 14:11
  • Is there a specific reason (e.g. redundancy) to have two separate servers? – Can Sürmeli Nov 15 '18 at 14:16
  • The CDN server has large storage and huge bandwidth, whereas the webhost server has tiny SSD storage and fairly low bandwidth. That's why I need the CDN server, to host and serve data. – user49087345 Nov 15 '18 at 14:18
  • Alright, got it. What I meant in my answer is to grab the Let's Encrypt certificates along with the Apache configuration from your CDN server and bring them to your other server. And edit them according to your subdomain. However, it seems like you don't have much experience with managing nix environments. Therefore I'd like to point you to the following two tutorials for assistance on how to properly manage your situation. Afterwards, with my above scenario, you should be able to accomplish what you want. – Can Sürmeli Nov 15 '18 at 14:25
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-debian-8 – Can Sürmeli Nov 15 '18 at 14:25
  • https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-debian-8 – Can Sürmeli Nov 15 '18 at 14:25
  • Now I actually figured out what you meant! Thanks, I will do some testing now, I will let you know if I'm able to achieve what I want. – user49087345 Nov 15 '18 at 14:38
  • My problem is now that the web server's (example.com) Apache configurations for the subdomain (cdn.example.com) are completely ignored, since the DNS record is pointing to the CDN server (foo.com). If I point the cdn.example.com DNS record to the webhost server (example.com instead of foo.com), the subdomain works normally like any other subdomain, meaning it does not use the CDN server (foo.com). – user49087345 Nov 15 '18 at 14:52

The short answer is "You don't". You don't need SSL on your secondary host (foo.com).

Here is all you need to do:

  1. Generate SSL for cdn.example.com
  2. Set up a reverse HTTP proxy on your cdn.example.com, so that all HTTPS requests are served with a valid SSL certificate for cdn.example.com, but the content is fetched over HTTP from http://foo.com

Apache configuration: https://www.digitalocean.com/community/questions/apache-proxypass-and-reverseproxy-to-a-ssl-https-configured-domain

Here is an example of how I would do it using NGINX:

server {
    listen 443 ssl;                 # the ssl flag on listen replaces the deprecated "ssl on;"
    server_name cdn.example.com;

    ssl_certificate     /etc/ssl/cdn.example.com.pem;
    ssl_certificate_key /etc/ssl/cdn.example.com.key;

    # BEGIN OPTIONAL -- in case you want to have more stats on foo.com.
    # Host is forwarded as cdn.example.com, so the foo.com vhost must accept that name.
    proxy_set_header Host            $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header ClientIP        $remote_addr;
    # END OPTIONAL --

    location / {
        proxy_pass http://foo.com:80/;
    }
}
Dmitriy Kupch
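As an added example (not from the question or either answer), here is step 1 done on the OP's actual stack: an Apache vhost for cdn.example.com created on the CDN host itself, which is where the A record points and therefore the only host from which certbot's http-01 challenge can be answered. It assumes Debian/Apache2 as in the question; the document root /var/www/cdn, the script layout and the "apply" argument are hypothetical.

```shell
#!/bin/sh
# Added example: create the cdn.example.com vhost on the CDN host (where the
# subdomain resolves) and then let certbot --apache obtain the certificate.
# Hypothetical paths; Debian's Apache 2.4 layout is assumed.
set -eu

DOMAIN="${DOMAIN:-cdn.example.com}"
DOCROOT="${DOCROOT:-/var/www/cdn}"   # assumed location of the CDN content

# Emit a port-80 vhost for the subdomain. certbot --apache locates the vhost
# by ServerName, answers the challenge there and adds the TLS vhost itself.
vhost_conf() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
    <Directory $2>
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Succeeds only when the domain's A record is an address configured on this
# host (assumes no NAT): http-01 validation can only pass from that host,
# which is the mismatch behind the 404 in the question.
resolves_here() {
    addr=$(getent ahostsv4 "$1" | awk 'NR==1{print $1}')
    [ -n "$addr" ] && ip -4 -o addr show | grep -qw "$addr"
}

if [ "${1:-}" = "apply" ]; then
    resolves_here "$DOMAIN" || { echo "$DOMAIN does not point at this host"; exit 1; }
    vhost_conf "$DOMAIN" "$DOCROOT" > "/etc/apache2/sites-available/$DOMAIN.conf"
    a2ensite "$DOMAIN.conf" && systemctl reload apache2
    certbot --apache -d "$DOMAIN"
fi
```

Run it as `sh setup-cdn-vhost.sh apply` on the CDN server, not on the webhost; the pre-check refuses to continue when the subdomain resolves elsewhere.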