How to get two trusted certificates, on two servers, behind 1 IP?

I have a pretty simple setup: Nextcloud 19.0.2 on Debian 10, Apache2, Let's Encrypt. It works well for me. I also have a Zentyal 6.2 server doing DHCP, DNS, LDAP and mail.

This works, but Zentyal is using a self-signed certificate, which I believe is causing me a bit of a headache.

If I use a mail client like Thunderbird, I can tell it to make an exception for the certificate, and all is fine.

What I would like to do is access SOGo on the Zentyal server via https://nc.jansen.computer/SOGo
Nextcloud is at https://nc.jansen.computer.

I tried to make some Apache2 reverse proxy conf… but I can't get my head around how that's supposed to work.

I tried adding the mail app to the Nextcloud install, but when it tries to access the IMAP server an error occurs, and I am pretty sure it's to do with the certificate on Zentyal being self-signed. Where do I find the logs for the mail app? It also fails when I try to manually configure IMAP & SMTP without STARTTLS or SSL.

Things I don't get… If I had the reverse proxy working, Let's Encrypt just works the same on the Nextcloud/Apache2 server. Do I have to make that somehow trust the self-signed certificate/connection of the Zentyal Apache2 server it's being a proxy for?

Could I get around that by having two domains? I have a second domain, but I only used an MX record to get mail to the Zentyal server; obviously I can't direct 443/80 to both.

How I have it set up

Whichever server is actually listening on 80/443 (the server you forwarded 80/443 to in your modem) is your reverse proxy for the other server that has no ports routed in your modem.

For example, I have domain1.me and domain2.me.

On domain1.me I use the subdomains office, cloud, www, mail and many more.

On domain2.me, for testing, the subdomains office, www, cloud.

On domain1.me I have an Apache site config like so, where 10.8.0.5 is the local network IP of domain2.me:

<VirtualHost *:80>
    ServerName usee.ga
    DirectoryIndex index.php index.html
    ServerAlias cloud.usee.ga www.usee.ga

    ProxyPass        / http://10.8.0.5:80/
    ProxyPassReverse / http://10.8.0.5:80/
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName usee.ga
        DirectoryIndex index.php index.html
        ServerAlias cloud.usee.ga www.usee.ga

        ProxyPass /.well-known/carddav https://10.8.0.5/remote.php/dav/
        ProxyPass /.well-known/caldav  https://10.8.0.5/remote.php/dav/
        ProxyPass        / https://10.8.0.5:443/
        ProxyPassReverse / https://10.8.0.5:443/

        # Encoded slashes need to be allowed
        # AllowEncodedSlashes NoDecode

        # Container uses a unique non-signed certificate,
        # so the backend certificate is not verified on the proxy leg
        SSLProxyEngine On
        SSLProxyVerify None
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/usee.ga/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/usee.ga/privkey.pem
    </VirtualHost>
</IfModule>

For the subdomain office there is a separate config parsing the Collabora proxy.

On domain1.me I created the SSL certificates for domain2.me.

I then created the SSL certificates on domain2.me,

which has the following Apache site config:

<VirtualHost *:80>
    Redirect permanent / https://cloud.usee.ga/
    ServerName usee.ga
    DocumentRoot /var/www/nextcloud
    ServerAlias www.usee.ga cloud.usee.ga
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        DocumentRoot /var/www/nextcloud
        ServerName usee.ga
        ServerAlias www.usee.ga cloud.usee.ga

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
            # Below for php-fpm
            # SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        <Directory /var/www/nextcloud>
            Options +FollowSymlinks
            AllowOverride All
            SetEnv HOME /var/www/nextcloud
            SetEnv HTTP_HOME /var/www/nextcloud

            <IfModule mod_dav.c>
                Dav off
            </IfModule>
        </Directory>

        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
        </IfModule>

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/cloud.usee.ga/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cloud.usee.ga/privkey.pem
    </VirtualHost>
</IfModule>

So I ran certbot for domain2.me on both servers.

I hope this helps you.

Thanks, your example certainly gives me some clues that what I'm trying can be done, and how to go about it.
I have made modifications to my Nextcloud site conf(s). However, when I use SSLProxyCheckPeerName Off

I cannot get the Apache service to restart.

Have you got these modules loaded?

a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_wstunnel
a2enmod proxy_html
a2enmod proxy_balancer

or

a2enmod proxy proxy_http proxy_wstunnel proxy_html proxy_balancer headers rewrite deflate

Looked like the one missing was proxy_balancer… but even with that, Apache won't start.

So my configuration is obviously pretty close, much closer than ever before. By adding /sogo as the proxy to the IP of the other server, when I now go to https://nc.jansen.computer/SOGo I get the content of the login page, but it's text & code rather than the right graphics layout.

I haven't added any Let's Encrypt certificate stuff to the Zentyal server. Maybe it's not required, as the URL seems to be trusted as is.

Okay, to eliminate the PHP modules, here is my complete list of used modules:

actions         authn_file      autoindex       env             headers         negotiation     proxy_connect   proxy_uwsgi     setenvif        status          
alias           authz_core      cgi             expires         include         php7.4          proxy_fcgi      proxy_wstunnel  slotmem_shm     xml2enc         
auth_basic      authz_host      deflate         fcgid           mime            proxy           proxy_html      reqtimeout      socache_shmcb  

Check if you have a2enmod proxy_fcgi enabled.

I enabled proxy_fcgi, same result.
apache2ctl -M gets me…

core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_fcgi_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
slotmem_shm_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
xml2enc_module (shared)

on the Nextcloud server.

That’s probably the best approach.

You can let the last hop be unencrypted (HTTPS from client to proxy, HTTP from proxy to server). Or you can configure Apache to not check the backend server’s cert.

The reverse proxy can fix that because it can serve a different site based on the SNI, even on the same IP and port. You may find it easier to use different subdomains (e.g. mail.jansen.computer) that point to the same IP (or one can be a CNAME of the other). This is done by setting the ServerName in your Apache sites. Then it can tell which one the client wanted.
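To illustrate the name-based approach described above, here is an added example (not code from the thread, nor from Nextcloud or Zentyal) of a second HTTPS vhost on the Nextcloud host that proxies mail.jansen.computer to the Zentyal/SOGo box, while still verifying the backend's self-signed certificate instead of switching verification off. It assumes mail.jansen.computer resolves to the same public IP as nc.jansen.computer, that the Zentyal server is 10.0.55.2 (the backend address from the error log in this thread), that a Let's Encrypt certificate has been issued for mail.jansen.computer, and that the backend's certificate has been saved to the hypothetical path /etc/apache2/zentyal-backend.pem.

```apache
# Added example, not from the thread. Assumed: backend 10.0.55.2,
# backend cert exported to /etc/apache2/zentyal-backend.pem.
# Needs: a2enmod ssl proxy proxy_http headers
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Apache selects this vhost from the TLS SNI / Host header, so it can
    # share the IP and port 443 with the existing nc.jansen.computer vhost.
    ServerName mail.jansen.computer

    # Public certificate for this name (issued with certbot as usual).
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile    /etc/letsencrypt/live/mail.jansen.computer/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.jansen.computer/privkey.pem

    # Backend leg: TLS from the proxy to the Zentyal web server.
    SSLProxyEngine On
    # Rather than "SSLProxyVerify None", trust exactly the backend's own
    # self-signed certificate. Export it once with
    #   openssl s_client -connect 10.0.55.2:443 -showcerts
    # and save the PEM block to the file below. The proxy then fails closed
    # if the backend certificate changes or the target is swapped.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/zentyal-backend.pem
    SSLProxyCheckPeerExpire On
    # The self-signed cert names the Zentyal host, not 10.0.55.2, so only the
    # hostname match is relaxed; the chain check above stays in force.
    SSLProxyCheckPeerName Off

    # Pass the original Host so SOGo's redirects and absolute links come back
    # for mail.jansen.computer rather than for the backend IP.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Proxying the whole host avoids rewriting SOGo's asset paths; the
    # webmail is then reached at https://mail.jansen.computer/SOGo
    ProxyPass        / https://10.0.55.2/
    ProxyPassReverse / https://10.0.55.2/

    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
</IfModule>
```

With the backend certificate pinned this way, the AH00957/AH01114 connection errors seen later in the thread would still be logged the same way if the backend is unreachable, but a certificate mismatch will show up as an SSL proxy handshake error in the same error.log instead of being silently accepted.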

Great, reverse proxy is what I'll go for.

After rebooting both the Nextcloud and Zentyal servers, I'm getting a "Service unavailable" error message via the proxy. Both Nextcloud and Zentyal are working directly. On Nextcloud in /var/log/apache2/error.log I see
AH00957: HTTP: attempt to connect to 10.0.55.2:80 (10.0.55.2) failed
[Mon Sep 07 17:37:20.614405 2020] [proxy_http:error] [pid 1215] [client 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673] AH01114: HTTP: failed to make connection to backend: 10.0.55.2

Is IPv6 complicating it? If I try to ping 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673 it doesn't resolve, and neither server lists that as an IP they have… I might disable IPv6 on the network for now.

Turned off IPv6, but same error in the browser.

And what server is 10.0.55.2?

I have a guide here that shows how to set up a reverse proxy. It’s written for proxying a Docker setup, but the basic concept is the same.

https://help.nextcloud.com/t/howto-ubuntu-docker-nextcloud-talk-collabora/76430

I did a reverse proxy for SOGo once and don’t recall having to enable so many mods. It would help to see your Apache site configs.

It's a Zentyal server with SOGo installed. Sorry for the late reply. I'll check out your guide.