SSL Certificate for WAN IP










-1















I am having some trouble installing my SSL certificate.

Here is the situation:
I have bought a certificate for the domain client.lexcelera.com.
The problem is that client.lexcelera.com is redirected to our livebox IP via a WAN connection.
So when I install the certificate on our server (which is a local one), I have a certificate mismatch error.

I am using AOLserver on a CentOS 6.4 server. We are using pound to listen to the ports.

Here is the pound.cfg file:

    ListenHTTP
        Address 0.0.0.0
        Port 85
    End

    ListenHTTPS
        Address 0.0.0.0
        Port 443
        Cert "/etc/ssl/certs/server.pem"
        Service
            HeadRequire "Host:\s*client.lexcelera.com.*"
            BackEnd
                Address 80.15.156.1
                Port 8000
            End
        End
    End

(80.15.156.1 is the livebox IP)

I'm not sure what I'm supposed to do in this case.
Any idea?

Thanks!










      ssl centos6 aolserver
















      asked Nov 12 '18 at 16:01









      Simon






















          1 Answer
          0







          It sounds like pound is acting as a reverse proxy. If so, you would only install the public certificate on the server hosting pound - not on the backend server. In fact, it would be quite common to use HTTP without SSL for the backend connection.

          If you do require transport security between your proxy and the backend, you should use a second self-signed certificate trusted by the proxy.

          As a third but unnecessarily complicated option, you could use split-brain DNS, but such a thing would be only rarely advisable.
















          answered Nov 13 '18 at 23:55









          Mitch












          • Thank you for your answer. The hosting server is local. The client.lexcelera.com is for the customers to access a service online of our application via a DNS redirect on OVH. Is an SSL certificate not needed in this case?

            – Simon
            Nov 14 '18 at 8:35












          • If the backend server and the proxy server are on a trusted network, then I would only use HTTPS between the client and proxy and use HTTP between the proxy and backend server. If you are dealing with a threat model where a bad actor could compromise your local network, then I would use a self-signed certificate for the backend server.

            – Mitch
            Nov 14 '18 at 19:24











          • Ok I see, thank you for the details. So in case I end up having to set up the self-signed certificate for the backend server, then I would need to do it for OpenMat.lexcelera.local, right, not client.lexcelera.com?

            – Simon
            Nov 15 '18 at 11:23











          • That's correct.

            – Mitch
            Nov 15 '18 at 14:45
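
Added example (not part of the original answer or comments): this script creates the self-signed backend certificate for the internal name confirmed in the comments and checks it the way a verifying proxy would, accepting it only through an explicit trust anchor and only for OpenMat.lexcelera.local, not for client.lexcelera.com. File names, key size and lifetime are assumptions, and the -addext option needs OpenSSL 1.1.1 or later, which is newer than the OpenSSL packaged with CentOS 6.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# BACKEND_NAME and PUBLIC_NAME are the host names used in the thread; file
# names, key size and lifetime are assumptions. Needs OpenSSL 1.1.1+.
BACKEND_NAME="OpenMat.lexcelera.local"
PUBLIC_NAME="client.lexcelera.com"

# Create backend.key and backend.crt in directory $1: a self-signed
# certificate whose subjectAltName is the internal backend host name.
make_backend_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/backend.key" -out "$1/backend.crt" \
        -subj "/CN=$BACKEND_NAME" \
        -addext "subjectAltName=DNS:$BACKEND_NAME" >/dev/null 2>&1 || return 1
    chmod 600 "$1/backend.key"
}

# Return 0 if certificate file $1 is valid for host name $2.
# openssl prints "does match" or "does NOT match"; only the first passes.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Return 0 only if certificate $1 verifies against trust anchor file $2
# AND is valid for host name $3. For a self-signed certificate the trust
# anchor is the certificate itself, copied to the proxy.
proxy_would_accept() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Stand-alone run: generate the certificate in a scratch directory and show
# which of the two names a verifying client would accept it for.
workdir=$(mktemp -d)
if make_backend_cert "$workdir"; then
    for name in "$BACKEND_NAME" "$PUBLIC_NAME"; do
        if proxy_would_accept "$workdir/backend.crt" "$workdir/backend.crt" "$name"; then
            echo "$name: accepted"
        else
            echo "$name: rejected (name mismatch or untrusted)"
        fi
    done
fi
rm -rf "$workdir"
```

The private key stays on the backend; only backend.crt is copied to the proxy host as its trust anchor.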
















