Gentoo Forums
Moving from apache to nginx+apache
l33tmmx (Tux's lil' helper; joined 12 Mar 2005; 111 posts; Pirkkala, Finland)
Posted: Mon Jan 29, 2024 12:18 pm    Post subject: Moving from apache to nginx+apache

I'm moving my webserver from 'apache-only' to 'apache+nginx-as-reverse-proxy'-configuration. No major problems there, but I'm somewhat unsure about how to handle the certbot-managed certificates and related things during the change. The certbot documentation is a bit lacking on the subject.

The certificates are meant to be handled by nginx in the end.

Any suggestions? Or documentation I have overlooked?
_________________
"Trust me, I know what I'm doing!"
- Sledge Hammer
szatox (Advocate; joined 27 Aug 2013; 3139 posts)
Posted: Mon Jan 29, 2024 12:56 pm

"Handle certbot-managed certificates" is quite a vague phrase. What is the thing that actually gives you troubles?

If you generate certificates using http challenge, I suggest you check out this undocumented (last time I checked) trick: https://forums.gentoo.org/viewtopic-p-8667849.html#8667849
Certbot can also run hooks, which you can use to change the format of certificates, concatenate leaf and chain, or even trigger an nginx reload after getting a new certificate. Alternatively just put all those extras into crontab; it is a dumb idea, but it is simple and certbot will let you get away with it.
Also, certbot automagically creates links to the newest certificates, so there is no need to update any configs, just reload or restart services to start using the new cert.
_________________
Make Computing Fun Again
Banana (Veteran; joined 21 May 2004; 1392 posts; Germany)
Posted: Mon Jan 29, 2024 3:12 pm

If you are talking about EFF certbot, there is even a specific page here: https://certbot.eff.org/instructions?ws=nginx&os=gentoo
_________________
My personal space
My delta-labs.org snippets do expire

PFL - Portage file list - find which package a file or command belongs to.
l33tmmx (Tux's lil' helper; joined 12 Mar 2005; 111 posts; Pirkkala, Finland)
Posted: Mon Jan 29, 2024 5:39 pm

@szatox: Thanks, I was mainly just wondering whether I could/should reuse the certificates. I think I now know how to proceed.
_________________
"Trust me, I know what I'm doing!"
- Sledge Hammer
Hu (Moderator; joined 06 Mar 2007; 21637 posts)
Posted: Mon Jan 29, 2024 5:54 pm

Generally, you should reuse the certificate in a case like this, since the underlying site is the same. I expect the certificates are reusable as-is, though it is possible that you would need to re-encode them if they are in a server-specific format. I cannot recall hearing of apache or nginx having a special encoding like that.
szatox (Advocate; joined 27 Aug 2013; 3139 posts)
Posted: Mon Jan 29, 2024 6:02 pm

In setups with reverse-proxy it's also quite common to just terminate ssl on the proxy and connect to the backend server without encryption. On a single machine there is pretty much no downside to that, since proxy and upstream can talk over loopback, and any attacker capable of snooping there will have easier and juicier targets.
_________________
Make Computing Fun Again
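Putting szatox's two points together (certbot's stable `live/` symlinks plus a reload hook, and terminating TLS on the proxy with a plaintext loopback hop to the upstream), here is an added example of the nginx side of such a setup. It is not from this thread or from the certbot or nginx projects; the domain `example.com`, the webroot `/var/www/letsencrypt` and Apache listening on `127.0.0.1:8080` are assumed values.

```nginx
# Added example (not from the thread): nginx terminates TLS with the
# certbot-managed certificate and proxies over loopback to Apache.
# Assumed: example.com, webroot /var/www/letsencrypt, Apache on 127.0.0.1:8080.

upstream apache_backend {
    server 127.0.0.1:8080;   # Apache bound to loopback only, plain HTTP
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Keep HTTP-01 renewals working: the same directory must be given to
    # certbot as "--webroot -w /var/www/letsencrypt".
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # certbot keeps these symlinks pointing at the newest issued files, so the
    # paths never change; after a renewal only a reload is needed.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://apache_backend;
        proxy_http_version 1.1;
        # Apache now sees 127.0.0.1 as the peer; pass what it needs for
        # logging and for building correct redirects.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Two practical notes on this layout. First, once Apache only listens on `127.0.0.1:8080` it should trust the forwarded client address only from that proxy (mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 127.0.0.1`), otherwise its logs and any IP-based access rules see every request as coming from localhost. Second, if the existing certificates were obtained with certbot's apache plugin, the lineage's renewal configuration under `/etc/letsencrypt/renewal/` still names that authenticator and installer; re-running `certbot certonly --webroot -w /var/www/letsencrypt -d example.com -d www.example.com` once switches the lineage to the webroot method, and `certbot renew --deploy-hook "nginx -s reload"` (or a script dropped into `/etc/letsencrypt/renewal-hooks/deploy/`) takes care of the reload szatox mentions. Run `nginx -t` before the first reload to catch path typos in the certificate lines.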