Hello new here, needing advice on how to use LetsEncrypt on Univention as SSL reverse proxy for other Windows servers, one IP address, private local domain with FQDN domain routed from UCS server to one other Windows server (IIS7)


#1

Hello new here, any ideas on how to make LetsEncrypt on Univention serve as SSL reverse proxy for other Windows servers behind a firewall, one IP address, in a private local domain with the FQDN domain on the UCS device and a sub-domained Windows server? Have tried once; the Windows server wouldn't take requests. I have a private domain with a name that can't be fully qualified and have another domain coming to the IP address with only one 443 port. I already have a secure SSL server running on a Windows machine and want to add the Univention Portal with several apps already running, no SSL yet.


#2

I tried to answer a similar question recently, please see


(what you need is the part that begins with “Lets dumb this all down”).

PS: what's up with trying to put the whole question in the title?


#3

Thank you, I saw that post and followed it, but the Windows servers don't see the Apache redirect, and the Let's Encrypt app doesn't secure the domain. It says it does, but it doesn't. It might not be pointing to the right place in Univention. Does that Let's Encrypt certification cover the UCS device as well, or only the Apache web portion? Since there is an underlying private domain of another name, do we need to include that in the Let's Encrypt app as well as a subdomain?

I actually copied that script and used it, and it seemed like it was redirecting, but Windows never saw it or responded, and the other site remained down and unsecured (Windows 2012 Server).


#4

Do you have an IP for ProxyPass or did you use a domain name? Univention has its own DNS server, so if the Windows system is using a subdomain of the UCS system, you have to make sure that domain resolves from the UCS.


#5

We use Windows Active Directory, DHCP and DNS and installed the Univention portal using the AD connector. We did not allow AD takeover. Would this make UCS a subdomain of our Windows network, as it is the only Linux machine on the network? I could set up a subdomain name for one of them, but have basically 3 different domain names right now: an internal network domain name which cannot be FQDN, and 2 different FQDNs, one active on Windows IIS and the other the Univention one, not active until I can figure out how to have 2 separate SSL-enabled devices, one Apache and 1 Windows. I could convert the Windows FQDN to a subdomain and use the other domain name I bought for the UCS device to simplify, but the Windows machine doesn't seem to listen to SSL directives from Let's Encrypt. I followed those directions from your other post and it just broke everything, so it looks like I missed something along the way.


#6

Forget about all that domain stuff, you just have to make sure that whatever you put as ProxyPass resolves (you can ping it) from the Univention system.

In my posted example Univention would be the system to request and serve the certificate from Let's Encrypt. The machine that is proxied to just uses plain HTTP and will not be aware of all the SSL stuff.


#7

Hm, I think if there is an application there that requires SSL it won't work (i.e., won't run without it). It has to be bound to the cert in IIS as far as I have seen it. Maybe I am missing something in a setting somewhere.


#8

Does the Windows server then only need to listen on port 80, and I would completely disable 443 on the Windows servers? Another question I have is whether the underlying private domain would have to be included, since it is named differently. There is an FQDN at mypublicdomain.com, and the UCS server is already running as ucs.xyz.myprivatedomain.com. Does that underlying domain need to be included in the SSL certificate for it to run as secured, or only an FQDN on the Univention server and a subdomain for the Windows server?


#9

Yes, the given example would only include SSL on the Univention system. While technically it is possible that the system that is proxied to could also use SSL, I cannot help you with how you could automate the export of the SSL certificate from Univention to Windows.

No, you only should configure the domains that should be served by the Univention system or that the Univention system should proxy to another host. So if you want to proxy “windows.domain.com”, you only need a certificate that is (also) valid for “windows.domain.com” and not “domain.com”.
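The arrangement described in #6 and #9, TLS terminated by Apache on the UCS host and the IIS machine reached over plain HTTP, written out as an Apache vhost. This is an added example, not the poster's own snippet; the hostname windows.domain.com, the backend address 10.0.0.20 and the certificate paths are assumptions (use whatever the UCS Let's Encrypt app writes on your system).

```apache
# Added example (not from the original thread). Assumptions:
# - the Let's Encrypt certificate issued on UCS covers windows.domain.com
# - certificate/key paths are placeholders for what the UCS Let's Encrypt
#   app actually writes on your system
# - the IIS site answers plain HTTP on 10.0.0.20:80 (constructed address)
#   and that address resolves/pings from the UCS system (see #4 and #6)

<VirtualHost *:80>
    ServerName windows.domain.com
    # Send plain-HTTP visitors to the TLS vhost, but leave the ACME
    # challenge path alone so certificate renewal over HTTP keeps working
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://windows.domain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName windows.domain.com

    SSLEngine on
    SSLCertificateFile    /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key

    # Pass the original Host header through so the IIS site binding
    # for windows.domain.com still matches
    ProxyPreserveHost On
    # Tell the backend application the client side was HTTPS; this is
    # what many "SSL required" checks in web apps actually look at (#7)
    RequestHeader set X-Forwarded-Proto "https"

    # Backend is plain HTTP only; IIS does not need a certificate or
    # a 443 binding for this site (#8)
    ProxyPass        / http://10.0.0.20/
    ProxyPassReverse / http://10.0.0.20/
</VirtualHost>
```

This needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_rewrite enabled (a2enmod on Debian-based systems such as UCS), and the backend should be reachable only from the proxy, since it now answers unencrypted HTTP.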


#10

So if I currently have the Univention portal up and running, but it is named ucs.xyz.myprivatedomain.com, and I have purchased another FQDN domain for it, I get the SSL certificate only in the name of the newly purchased domain name as well as any subdomain which will serve the other Windows machine, and that should get me 2 active SSL-encrypted machines behind one IP address, if I am understanding correctly. Then the concern is only that Let's Encrypt cannot generate an SSL .pem file I can then upload to IIS and bind to the 443 port, nor run the automated certbot to renew every 90 days. I could just elect to purchase a wildcard certificate from something like SSL.comodo and have it to upload in both servers? I apologize for my ignorance; I am quite new with Linux but familiar with Windows and networks in general.

Another question I have is how much load the redirect might put on the Univention server (i5 2400, 24GB RAM) given mild traffic, say 10-20 users per day.


#11

For example, as it is now, the apps on the UCS portal show the name of the underlying domain, ucs.xyz.myprivatedomain.com; so I get that the main portal URL will change (with the new domain name) on the WAN side, and these icons would just continue to show the underlying domain name.
But will Univention still see itself as secure even though the private domain name is not included on the SSL? And does this wildcard certificate need to be placed in the base Univention directory and be used to secure the whole stack, or only in the Apache repository?
Will this also secure the apps loaded in Univention like Nextcloud, Kopano, WordPress with SSL?

I am sure I am missing something fundamental here, but am just not familiar with many of the inner workings yet. That is changing quickly!


#12

A reverse proxy does not take up a lot of resources, so this should be fine.

Yes, sure, a wildcard certificate could be installed on multiple servers. The only thing that matters is that the domain you try to access is in the list of domain names of the certificate.

Sorry, never had this challenge so I cannot say how this can be changed.

It's not Univention (the server) that will mark the website as secure or insecure, it's just the browser. And for this the accessed domain needs to be included in the SSL certificate.

This will probably get you further along: Using your own SSL certificates


#13

Hey, awesome! Thanks so much for taking the time to answer in depth, really helpful!