SSL Certificate for WAN IP
I am having some trouble installing my SSL certificate.
Here is the situation:
I have bought a certificate for the domain client.lexcelera.com.
The problem is that client.lexcelera.com is redirected to our livebox IP via a WAN connection.
So when I install the certificate on our server (which is a local one), I get a certificate mismatch error.
I am using AOLserver on a CentOS 6.4 server. We are using pound to listen on the ports.
Here is the pound.cfg file:
ListenHTTP
    Address 0.0.0.0
    Port 85
End

ListenHTTPS
    Address 0.0.0.0
    Port 443
    Cert "/etc/ssl/certs/server.pem"
    Service
        # match on the Host header; "\s*" allows optional whitespace after the colon
        HeadRequire "Host:\s*client.lexcelera.com.*"
        BackEnd
            Address 80.15.156.1
            Port 8000
        End
    End
End
(80.15.156.1 is the livebox IP)
I'm not sure what I'm supposed to do in this case.
Any idea?
Thanks!
ssl centos6 aolserver
asked Nov 12 '18 at 16:01
Simon
1 Answer
It sounds like pound is acting as a reverse proxy. If so, you would only install the public certificate on the server hosting pound - not on the backend server. In fact, it would be quite common to use HTTP without SSL for the backend connection.
If you do require transport security between your proxy and the backend, you should use a second self-signed certificate trusted by the proxy.
As a third but unnecessarily complicated option, you could use split-brain DNS, but such a thing would be only rarely advisable.
answered Nov 13 '18 at 23:55
Mitch
Thank you for your answer. The hosting server is local. The client.lexcelera.com is for the customers to access a service online of our application via a DNS redirect on OVH. Is an SSL certificate not needed in this case?
– Simon
Nov 14 '18 at 8:35
If the backend server and the proxy server are on a trusted network, then I would only use HTTPS between the client and proxy and use HTTP between the proxy and backend server. If you are dealing with a threat model where a bad actor could compromise your local network, then I would use a self-signed certificate for the backend server.
– Mitch
Nov 14 '18 at 19:24
OK, I see, thank you for the details. So in case I end up having to set up the self-signed certificate for the backend server, then I would need to do it for OpenMat.lexcelera.local, right, not client.lexcelera.com?
– Simon
Nov 15 '18 at 11:23
That's correct.
– Mitch
Nov 15 '18 at 14:45
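The mismatch in the question and the advice in the answer both come down to one rule: a browser validates the certificate against the name (or IP literal) it connected with, so the public certificate belongs wherever client.lexcelera.com actually terminates TLS, and it can never validate for the livebox IP or for OpenMat.lexcelera.local. The following script is an added example, not code from the question, the answer or the pound project; the SAMPLE_CERT dictionary is a constructed stand-in for what Python's ssl.getpeercert() returns, and check_live is a hypothetical helper for probing a live endpoint.

```python
import ipaddress
import socket
import ssl

# Constructed stand-in for ssl.getpeercert() output for a cert like the question's; not real.
SAMPLE_CERT = {
    "subject": ((("commonName", "client.lexcelera.com"),),),
    "subjectAltName": (("DNS", "client.lexcelera.com"),),
}

def cert_names(cert):
    """Return (dns_names, ip_names) that a verifier compares the requested host against."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:  # legacy fallback: CN counts only when there is no SAN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips
def _dns_match(pattern, host):
    """RFC 6125-style match: a single '*' is allowed only as the leftmost label."""
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]
def cert_matches(cert, requested):
    """True if what the client typed (DNS name or IP literal) is covered by cert."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:  # not an IP literal, so compare as a DNS name
        return any(_dns_match(p, requested.lower().rstrip(".")) for p in dns)
    return any(ipaddress.ip_address(i) == ip for i in ips)  # IPs never match DNS SANs
def check_live(host, port=443):
    """Connect like a browser; report whether the served cert validates for host (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, cert_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
```

Running check_live("client.lexcelera.com") from outside the LAN tests the path customers actually use, through the livebox to pound; a failure there points at the proxy, not the backend.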