Squid Reverse Proxy and LetsEncrypt - Help a noob out?
-
Bump No. 1
-
What I did, was to setup a single certificate with multiple subject alternative names in it for your backend systems. You will then assign this certificate to your reverse squid configuration in the "Reverse SSL Certificate"
section.
I hope that helps. -
Hello - yours problem that you try to receive certificate from LetsEncrypt on port 443 where now you havent valid certificate!
You need do this on 80 port and on pure HTTP
Look:
"[domain].com: Verify error:Incorrect validation certificate for tls-sni-01 challenge. Requested 1f67d9d9124368539bcbe489de7c03b9.28cb710e0ebb36121c6f1cb0077c3b67.acme.invalid from xx.xx.xx.xx:443. Received 3 certificate(s), first certificate had names "
P.S.:- you must check box Disable webConfigurator redirect rule on System=>Advanced=>Admin Access because it occupies 80 port that you need
- you must open 80 and 443 ports on firewall on that WAN interface you need to accept requests
But how I figure out now ACME.sh LetsEncrypt packet with version 0.1.20 have bug and cat receive new certificate from any http method on pfSense, only from DNS method. But after you receive cert you can succesful use http or https method to renew your certificates. You can read my research at https://forum.pfsense.org/index.php?topic=138366.msg757153#msg757153
-
Had any luck working on this exact scenario now. I validated my cert using my external web host then redirected it back to my external IP but I get a ERR_SSL_PROTOCOL_ERROR now.
-
you must use 80 port and http, why you all guys try use ssl when you haven't it?
-
My cert is verified
Still running 2.1.5 planning on upgrading soonSince I'm using my hvac.domain.com cert for the reverse ssl certificate how would I get it working for main.domain.com? Am I going to need a wildcard certificate to get it working?
-
why you write about your Squid Reverse Proxy in post about Squid Reverse Proxy+LetsEncrypt?
P.S. Yes you need or another cert, or wildcard, or multidomain cert. -
Because I'm using letsencrypt I just found one of my issues was the CSR created by my app was messed up. I let letsencrypt create it and now its working externally when just nat port 443 open. Still havent add any luck getting it to reverse proxy 443 with the updated cert.
Can you use multiple certs with the reverse proxy since you have to define one for the reverse proxy? Or do I just need to use a wildcard there and internally use the specific name cert i.e. "hvac.domain.com"
-
I really do not understand want at end…
-
Ok, so I think I'm finally understanding where I was messing up in my squid RP logic. I was under the impression that each web server would be encapsulating their traffic into their own Let's Encrypt certificates, then forwarding that traffic to the RP server, which would then encapsulate it with its own certificate.
So… with that said, I now have another issue, which is that at least a couple of my services (OpenCloud being the main one) have https, server checks inbedded in the system, and will throw errors if not encrypted properly. Is there any way to set an end-to-end encryption path for apps like this, and really for any other http service I may have running? (I don't really like the idea of my passwords floating around on my lan between servers that much). Is there a setting in Squid Reverse Proxy for an upstream, either self-generated or squid generated certificate?
