Otdfbt

Multi tool use

FIFO data structure in pure C

How would fantasy dwarves exist, realistically?

Would a "ring language" be possible?

pwaS eht tirsf dna tasl setterl fo hace dorw

Hotel booking: Why is Agoda much cheaper than booking.com?

Can an airline pilot be prosecuted for killing an unruly passenger who could not be physically restrained?

How to draw pentagram-like shape in Latex?

How to laser-level close to a surface

multicol package causes underfull hbox

Sort a section of a file

Can I pay my credit card?

I recently started my machine learning PhD and I have absolutely no idea what I'm doing

Was murdering a slave illegal in American slavery, and if so, what punishments were given for it?

Why aren't satellites disintegrated even though they orbit earth within earth's Roche Limits?

How come Arya Stark wasn't hurt by this in Game of Thrones Season 8 Episode 5?

What do you call bracelets you wear around the legs?

Prints each letter of a string in different colors

Physically unpleasant work environment

Why does the setuid bit work inconsistently?

Quotient of Three Dimensional Torus by Permutation on Coordinates

on the truth quest vs in the quest for truth

Who is frowning in the sentence "Daisy looked at Tom frowning"?

Number Sequence Series-Question 2

Why does the U.S military use mercenaries?

Use letsencrypt on virtual machine behind a reverse proxy with server name indication

Updating Server Virtual Machines Behind an NGINX Reverse ProxyMatrix Synapse behind reverse proxy spawns “Fingerprint issue” errorsAccessing synology DSM behind nginx reverse proxyLetsencrypt client behind a reverse Nginx proxyLetsencrypt with nginx automatic server buildOpenVPN with letsencrypt server certificateUsing letsencrypt server certificate with MariaDBTLS/SSL server behind nginx reverse proxyReverse proxy nodejs on nginx with prerender enabledReverse proxy shaarli in a subfolder with nginx

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

4

I have a server set up with some virtual machines behind a nat.
I want to use encryption for my xmpp-server-vm, and therefore need a certificate inside the vm. Is there a possibility to use nginx as a reverse-proxy so i can run letsencrypt and get/renew the certificates on the vm with the xmpp-server and keep the private key on that machine? I can't use nginx as TLS termination proxy because my vm should not have access to the reverse proxy itself, which would be needed because the xmpp-software needs access to the key.

Edit:

I made a schematic of what i want to do:

My basic problem is, i do not know if letsencrypt works behind a reverse proxy with server name indication enabled, so i can get a certificate inside my xmpp-server-vm to encrypt the xmpp traffic.

nginx kvm-virtualization lets-encrypt

share|improve this question

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Your question is confusing. Can you provide a diagram of your network and server architecture, and perhaps edit your question to make it more clear? Nginx and Let's Encrypt work fine together, but I don't understand your question.
  
  – Tim
  Jan 7 '17 at 5:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Tim It looks like he has one global IPv4 address, and so he has forwarded ports 80 and 443 to one VM, and port 5222 (XMPP) to another VM. Now he wants the XMPP VM to be able to use letsencrypt certificates which get fetched (somehow) via the other VM, because certbot uses ports 80 and 443.
  
  – Michael Hampton♦
  Jan 7 '17 at 17:41
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @MichaelHampton that is almost what i wanted to say. The only difference are that i want to use a reverse proxy for the http/https ports, because i have more than one vm which uses http, and i have to get the key and the certificate onto the virtual machine running the xmpp server, because it needs direct access to it.
  
  – user393856
  Jan 7 '17 at 17:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Have you considered deploying IPv6? It would eliminate this problem and the xmpp VM could get its own certificate directly.
  
  – Michael Hampton♦
  Jan 7 '17 at 17:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I haven't. That ist quite a good idea. However i'll need to find out more on how to get ipv6 running in parallel with my current setup, because it has to stay available via ipv4.
  
  – user393856
  Jan 7 '17 at 17:56
  

  
  
  
  

 | 
show 4 more comments

4

I have a server set up with some virtual machines behind a nat.
I want to use encryption for my xmpp-server-vm, and therefore need a certificate inside the vm. Is there a possibility to use nginx as a reverse-proxy so i can run letsencrypt and get/renew the certificates on the vm with the xmpp-server and keep the private key on that machine? I can't use nginx as TLS termination proxy because my vm should not have access to the reverse proxy itself, which would be needed because the xmpp-software needs access to the key.

Edit:

I made a schematic of what i want to do:

My basic problem is, i do not know if letsencrypt works behind a reverse proxy with server name indication enabled, so i can get a certificate inside my xmpp-server-vm to encrypt the xmpp traffic.

nginx kvm-virtualization lets-encrypt

share|improve this question

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Your question is confusing. Can you provide a diagram of your network and server architecture, and perhaps edit your question to make it more clear? Nginx and Let's Encrypt work fine together, but I don't understand your question.
  
  – Tim
  Jan 7 '17 at 5:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @Tim It looks like he has one global IPv4 address, and so he has forwarded ports 80 and 443 to one VM, and port 5222 (XMPP) to another VM. Now he wants the XMPP VM to be able to use letsencrypt certificates which get fetched (somehow) via the other VM, because certbot uses ports 80 and 443.
  
  – Michael Hampton♦
  Jan 7 '17 at 17:41
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @MichaelHampton that is almost what i wanted to say. The only difference are that i want to use a reverse proxy for the http/https ports, because i have more than one vm which uses http, and i have to get the key and the certificate onto the virtual machine running the xmpp server, because it needs direct access to it.
  
  – user393856
  Jan 7 '17 at 17:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Have you considered deploying IPv6? It would eliminate this problem and the xmpp VM could get its own certificate directly.
  
  – Michael Hampton♦
  Jan 7 '17 at 17:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I haven't. That ist quite a good idea. However i'll need to find out more on how to get ipv6 running in parallel with my current setup, because it has to stay available via ipv4.
  
  – user393856
  Jan 7 '17 at 17:56
  

  
  
  
  

 | 
show 4 more comments

I have a server set up with some virtual machines behind a nat.
I want to use encryption for my xmpp-server-vm, and therefore need a certificate inside the vm. Is there a possibility to use nginx as a reverse-proxy so i can run letsencrypt and get/renew the certificates on the vm with the xmpp-server and keep the private key on that machine? I can't use nginx as TLS termination proxy because my vm should not have access to the reverse proxy itself, which would be needed because the xmpp-software needs access to the key.

Edit:

I made a schematic of what i want to do:

My basic problem is, i do not know if letsencrypt works behind a reverse proxy with server name indication enabled, so i can get a certificate inside my xmpp-server-vm to encrypt the xmpp traffic.

nginx kvm-virtualization lets-encrypt

share|improve this question

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

share|improve this question

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

share|improve this question

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

edited Jan 7 '17 at 15:08

Frederik Nielsen

2,74822341

asked Jan 6 '17 at 20:39

user393856user393856

5810

asked Jan 6 '17 at 20:39

user393856user393856

5810

1 Answer
1

active

oldest

votes

1

I managed to get this working by a very simple solution allthough this was not what i originally had in mind. I run letsencrypt on the host OS and copy the private key and certificates into the vm via ssh.

share|improve this answer

answered Jan 12 '17 at 0:01

user393856user393856

5810

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f824718%2fuse-letsencrypt-on-virtual-machine-behind-a-reverse-proxy-with-server-name-indic%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

I managed to get this working by a very simple solution allthough this was not what i originally had in mind. I run letsencrypt on the host OS and copy the private key and certificates into the vm via ssh.

share|improve this answer

answered Jan 12 '17 at 0:01

user393856user393856

5810

add a comment | 

1

I managed to get this working by a very simple solution allthough this was not what i originally had in mind. I run letsencrypt on the host OS and copy the private key and certificates into the vm via ssh.

share|improve this answer

answered Jan 12 '17 at 0:01

user393856user393856

5810

add a comment | 

I managed to get this working by a very simple solution allthough this was not what i originally had in mind. I run letsencrypt on the host OS and copy the private key and certificates into the vm via ssh.

share|improve this answer

answered Jan 12 '17 at 0:01

user393856user393856

5810

share|improve this answer

answered Jan 12 '17 at 0:01

user393856user393856

5810

answered Jan 12 '17 at 0:01

user393856user393856

5810

answered Jan 12 '17 at 0:01

user393856user393856

5810