Certificate Issues on Member Servers (was: Zertifikate auf Memberservern)

Hello,

I have a small problem with my member servers. They are always reachable over https via DNS, but there I get a browser message, so I can't access a member server via DNS. I always have to use the IP address.

This website uses HTTP Strict Transport Security (HSTS) to tell Firefox to only communicate with it over secure connections. Therefore, it is not possible to create an exception for this certificate.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Now I wanted to solve the problem with Let's Encrypt on the member servers. Unfortunately that doesn't work, because the server that is allowed to go outside and where the WordPress site is already occupies ports 80 and 443, and I don't want to swap the ports back and forth every 3 months.

Is there a way to transfer the certificates from Server 1 to all the others without having to copy them manually?

I had already tried it with shares, which unfortunately didn't work.

I have no idea anymore.

Can someone help me or show me the direction I need to go to make all this work?

Moin,

I'm a little further in the planning now. A reverse proxy would lend itself to the whole thing. I read here that Squid can do that. Unfortunately I can't get the config right, not even with the Cool Solution guide or Squid's own documentation. Apparently I'm stuck somewhere with a knot in my head.

Hi,

if you use HSTS you need proper certificates, indeed. You could use LetsEncrypt for this, yes. But for internal servers this is usually not suitable, as you might have noticed.

Besides fiddling with LetsEncrypt and a reverse proxy you have two other possibilities:

  1. Disable hsts
root@ucs:~# ucr search hsts
apache2/hsts/includeSubDomains: <empty>
 Applies HSTS policy also to subdomains if set to 'yes'.

apache2/hsts/max-age: <empty>
 Time in seconds of how long web browsers will cache and enforce the HSTS policy on the host. Defaults to '10886400' - which are 18 weeks.

apache2/hsts: <empty>
 Enable HTTP Strict Transport Security (HSTS) by setting this variable to 'yes'. 'apache2/force_https' should be enabled additionally to take full advantage of HSTS.
  2. Install the UCS CA certificate in your browsers.
    As a first step you might want to use this article.

Hope it helps

/CV

Hi,

first: thank you for translating my post.

The second server would be reachable from the internet. I want to create an external webserver on port 443 on a member server, while another member server contains Nextcloud with SSL. Both need a Let's Encrypt certificate.

So I think point 2 will not work for other people in my community. I don't know whether point 1 will work in my scenario.

Maybe you know it.

Thank you for reacting.

Alex

Hi,

thinking again, you will indeed need a reverse proxy. The point is you have only a single port (443) to be used for both servers.
In DNS you have to make sure these two hosts have internally the same hostname as externally.

You cannot copy certificates from one to another as they strongly rely on the assigned hostnames!

So you would need the following:

  1. Configure your internal hostnames (at least as CNAME in DNS!) to match the external ones.
  2. Configure your reverse proxy to handle the requests according to the hostname (despite the same external IP).
  3. Make sure both hosts can be reached (by hostname) on port 80, too (LetsEncrypt uses IMHO port 80 for verification sometimes).
  4. Finally, assign LetsEncrypt certificates.

One step after the other. If 3. is not working properly, 4. will fail.

/CV
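The two failure modes this thread turns on (a certificate from a CA the browser does not trust, which Firefox reports as SEC_ERROR_UNKNOWN_ISSUER, and a certificate issued for a different hostname, the reason certificates cannot simply be copied between servers) can be reproduced from the command line. The following is an added example, not code from the thread or from Univention: it builds a throw-away private CA that stands in for the UCS CA (on a UCS system the real one is /etc/univention/ssl/ucsCA/CAcert.pem), issues a certificate for one hostname and runs `openssl verify` with the same checks a browser performs. The CA name "Example Internal CA" and the hostname member1.example.internal are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the two checks a browser makes on a
# server certificate, using a throw-away private CA that stands in for the UCS CA
# (on UCS the real CA certificate is /etc/univention/ssl/ucsCA/CAcert.pem).
# The CA name and the host member1.example.internal are assumed for this demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:member1.example.internal
EOF

# 1. Private CA (stands in for the UCS CA).
openssl req -x509 -config "$WORK/openssl.cnf" -subj "/CN=Example Internal CA" \
    -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server certificate bound to exactly one hostname (SAN), signed by that CA.
openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=member1.example.internal" \
    -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions v3_server -out "$WORK/srv.pem" 2>/dev/null

# verify_cert CERT CAFILE HOSTNAME
# Prints "ok", "unknown-issuer" (what Firefox shows as SEC_ERROR_UNKNOWN_ISSUER),
# "hostname-mismatch", or "failed: <openssl output>" for anything else.
# An empty CAFILE means "no trusted CA at all": the browser's situation before the
# UCS CA has been imported.
verify_cert() {
    cert="$1"; cafile="$2"; host="$3"
    if [ -n "$cafile" ]; then
        out="$(openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" 2>&1 || true)"
    else
        out="$(openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" 2>&1 || true)"
    fi
    case "$out" in
        *": OK"*)                       echo "ok" ;;
        *"ostname mismatch"*)           echo "hostname-mismatch" ;;
        *"unable to get local issuer"*) echo "unknown-issuer" ;;
        *)                              echo "failed: $out" ;;
    esac
}

echo "CA not trusted, correct name : $(verify_cert "$WORK/srv.pem" "" member1.example.internal)"
echo "CA trusted, wrong name       : $(verify_cert "$WORK/srv.pem" "$WORK/ca.pem" other.example.internal)"
echo "CA trusted, correct name     : $(verify_cert "$WORK/srv.pem" "$WORK/ca.pem" member1.example.internal)"
```

Runs on any machine with OpenSSL 1.1.1 or newer. The first output line is the situation the opening post describes; importing the UCS CA into the browser (option 2 above) turns it into the third line, while HSTS only decides whether the browser lets you click past the first two, not whether they occur. Against a live member server the equivalent check is `openssl s_client -connect host:443 -servername host -CAfile /etc/univention/ssl/ucsCA/CAcert.pem` and reading its "Verify return code" line.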

Hi,

okay, the first step is done.

The second step gives me problems. I have never configured a proxy like Squid. The documentation confuses me a little bit. I will try it.
The Squid documentation has this part:

Configure Squid

Afterwards, the local configuration file /etc/squid/local_bottom.conf must be edited.

If there is already a configuration in this file, you should make a backup of that:

cp /etc/squid/local_bottom.conf /etc/squid/local_bottom.conf.backup

To configure your reverse SSL proxy, add the following lines to your configuration.

#reverse SSL proxy
https_port 443 cert=/path/to/cert.pem key=/path/to/private.key accel defaultsite=<FQDN of DSTHOST> vhost
cache_peer <IP of DSTHOST> parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=myHost

The given name is needed below again, if custom ACLs are to be created (optional) 

My example config is here:

#reverse SSL proxy
https_port 443 cert=/etc/univention/letsencrypt/signed_chain.crt key=/etc/univention/letsencrypt/domain.key accel defaultsite=<FQDN of DSTHOST> vhost
cache_peer 192.168.0.10 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=central.domain.de
cache_peer 192.168.0.12 parent 443 0 no-query proxy-only originserver ssl sslflags=DONT_VERIFY_PEER name=comm.domain.de
acl to_central dstdomain central.domain.de
acl to_comm dstdomain comm.domain.de
cache_peer_access central.domain.de allow to_central
cache_peer_access comm.domain.de allow to_comm

Which certs do I use in this case? I installed Let's Encrypt. Which domain names do I put in the proxy? All or only one? I don't know…

Third: ports 443 and 80 are routed to Server 1 at the moment. After configuring the proxy I change both to the proxy server, right?
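A complete version of what steps 2 and 3 of the previous answer ask for, fitted to the draft above. This is an added example, not the thread's configuration and not the Univention Cool Solution: the hostnames central.domain.de / comm.domain.de and the addresses 192.168.0.10 / 192.168.0.12 are taken from the draft, the certificate paths are the ones the draft uses, and it assumes the router forwards public ports 80 and 443 to the proxy host and that nothing else on that host listens on those ports. Two things differ from the documentation snippet: the backend certificates are verified against the UCS CA instead of being ignored with sslflags=DONT_VERIFY_PEER (with DONT_VERIFY_PEER anyone who can get between proxy and backend can impersonate the backend), and the per-host ACLs that the snippet calls optional are what makes name-based routing work at all.

```squid
# Added example (not from the thread or the UCS docs): /etc/squid/local_bottom.conf for a
# name-based reverse proxy in front of two member servers.
# Assumed: central.domain.de -> 192.168.0.10, comm.domain.de -> 192.168.0.12, public ports
# 80/443 forwarded to this host, and the certificate below covers both names.

# TLS is terminated here. One listener, one certificate that lists both names as SANs.
https_port 443 accel vhost cert=/etc/univention/letsencrypt/signed_chain.crt key=/etc/univention/letsencrypt/domain.key

# Plain HTTP must reach the backends too, or the Let's Encrypt HTTP-01 challenge
# (http://<name>/.well-known/acme-challenge/...) can never be answered.
http_port 80 accel vhost

# Origin servers. Verify the backend certificate against the UCS CA and against the
# backend's own hostname instead of switching verification off with sslflags=DONT_VERIFY_PEER.
# If a backend later serves a publicly issued certificate, point sslcafile at
# /etc/ssl/certs/ca-certificates.crt instead.
cache_peer 192.168.0.10 parent 443 0 no-query originserver proxy-only ssl sslcafile=/etc/univention/ssl/ucsCA/CAcert.pem ssldomain=central.domain.de name=central
cache_peer 192.168.0.12 parent 443 0 no-query originserver proxy-only ssl sslcafile=/etc/univention/ssl/ucsCA/CAcert.pem ssldomain=comm.domain.de name=comm

# Never resolve the public name and connect to it directly: that would loop back
# through the router to this proxy. Every request goes to one of the peers above.
never_direct allow all

# Route by the requested hostname; each peer only ever sees requests for its own name.
acl site_central dstdomain central.domain.de
acl site_comm dstdomain comm.domain.de
cache_peer_access central allow site_central
cache_peer_access central deny all
cache_peer_access comm allow site_comm
cache_peer_access comm deny all

# Accept only requests for the two published names; everything else is refused here.
http_access allow site_central
http_access allow site_comm
http_access deny all
```

The file named in cert= is the only certificate an https_port can present, so it has to contain both names. The port-80 rules send each name's ACME challenge to that name's backend, so every member server can still request and renew its own certificate with the UCS Let's Encrypt app; the proxy's own certificate is the one thing this fragment does not obtain, because with Squid on port 80 the challenge requests no longer reach the proxy host's web server. Check the syntax with `squid -k parse` before `squid -k reconfigure`, then test each name from outside separately, for example `curl -v https://central.domain.de/` and `curl -v http://comm.domain.de/.well-known/acme-challenge/test`.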
