SSL Certificates and Jails (iocage)

Status
Not open for further replies.

Bernard Mentink

Contributor
Hi,

I am not too familiar with SSL certificates and would like someone with knowledge to help, please.

I am wondering, if I generate an SSL certificate with the GUI (as per the video), whether I can then use this certificate pair in jails (i.e. Nextcloud and Emby), so I can have secure access to these guys.

If so, some pointers would be appreciated. I am guessing that if the certificates are available in a dataset, then I could mount that in the jail?

What is the "correct" way to manage this? I don't want to have to generate certs for each jail if possible.
 

Jailer

Not strong, but bad

Bernard Mentink

Contributor
Explain a bit please
 

Bernard Mentink

Contributor
Well, "mate", it's posts like that that confused me no end. I don't even know what a reverse proxy does; how does it help me with SSL?
I am posting on this forum to try and get some help, after my Google searches failed to illuminate me.
 

danb35

Hall of Famer
> Wondering that if I generate an SSL certificate with the GUI (as per the video), can I then use this certificate pair in jails (i.e. Nextcloud and Emby)

You could, but you'd need to manually export it from the GUI, save it into something accessible in the jail, etc. Not worth it IMO.

> I don't want to have to generate certs for each jail if possible.

Why not? That would be my choice, and Let's Encrypt with DNS validation makes it pretty straightforward. That's what I'm using for most of my internal hosts.

> I don't even know what a reverse proxy does

A reverse proxy acts as a single endpoint, handles SSL termination, and redirects the connection to wherever the content really is. So, you can have a proxy set up at proxy.domain, and then go to proxy.domain/transmission, proxy.domain/sabnzbd, proxy.domain/sonarr, etc. Only proxy.domain needs a certificate in this kind of arrangement.

There are a number of ways to do the proxy. nginx is popular for this purpose, or Caddy would be another option (see https://caddyserver.com/docs/proxy). Caddy handles obtaining and renewing a cert from Let's Encrypt automatically within the server.
 
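The single-endpoint, path-based arrangement described in the post above, written out as a Caddyfile. This is an added example, not configuration from the thread or from the Caddy project, and it uses current Caddy v2 syntax rather than the v1 `proxy` directive the linked docs describe. The hostname proxy.example.com, the jail addresses and the ports are assumptions; it also assumes ports 80 and 443 on the proxy are reachable from the internet, which is what Caddy's default HTTP-01/TLS-ALPN-01 validation needs.

```caddyfile
# Added example (Caddy v2 Caddyfile), not from the thread.
# Assumptions: proxy.example.com resolves to this host and ports 80/443 are
# reachable from the internet, so Caddy can obtain the one certificate the
# proxy needs and renew it on its own. Backend addresses/ports are made up.

proxy.example.com {
    # TLS terminates here; the jails are reached over plain HTTP on the LAN.
    # handle (not handle_path) keeps the prefix, because these apps are
    # assumed to be configured to serve under /transmission, /sabnzbd, /sonarr.
    handle /transmission/* {
        reverse_proxy 192.168.1.21:9091
    }
    handle /sabnzbd/* {
        reverse_proxy 192.168.1.22:8080
    }
    handle /sonarr/* {
        reverse_proxy 192.168.1.23:8989
    }

    # Anything outside the known prefixes gets a 404 instead of being
    # forwarded to some backend by accident.
    handle {
        respond "not found" 404
    }
}
```

Caddy also redirects http:// to https:// for this site by default. The one thing to check per application is its base-URL setting: if an app does not know it is served under a prefix, its own links and redirects will point at the root and the path-based scheme breaks, which is the usual reason people move to one hostname per service instead.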

garm

Wizard
You can do wildcard certificates with Let's Encrypt now, so you can name the servers properly (e.g. nextcloud.proxy.domain). That is, for complicated reasons, preferred for security purposes and will give you a higher grade at scan.nextcloud.com.

And what was wrong with my link to step-by-step instructions on how to set up a reverse proxy??
 

danb35

Hall of Famer
> You can do wildcard certificates with letsencrypt now

...which also requires DNS validation.

> And what was wrong with my link to a step by step instruction of how to set up a reverse proxy?

Probably OP's lack of understanding of what a reverse proxy is or why he might want one.
 
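The wildcard-plus-subdomains layout garm suggests, combined with the DNS validation danb35 notes it requires, as a Caddyfile. This is an added example, not configuration from the thread or from the Caddy project. It assumes the zone example.com is hosted at Cloudflare, that the Caddy binary was built with the Cloudflare DNS module (`xcaddy build --with github.com/caddy-dns/cloudflare`), that the token in CLOUDFLARE_API_TOKEN can edit DNS for that zone, and the backend addresses are made up.

```caddyfile
# Added example (Caddy v2 Caddyfile), not from the thread.
# Assumptions: Caddy built with github.com/caddy-dns/cloudflare, zone
# example.com at Cloudflare, CLOUDFLARE_API_TOKEN scoped to DNS edit on
# that zone only. Backend addresses/ports are made up.

*.example.com {
    # A wildcard name can only be validated with the DNS-01 challenge:
    # Caddy publishes _acme-challenge.example.com TXT records through the
    # provider API instead of answering on port 80, so the proxy does not
    # need to be reachable from the internet at all.
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # One named matcher per service, so each keeps its own hostname and is
    # served at its own root (which is what scan.nextcloud.com expects).
    @nextcloud host nextcloud.example.com
    handle @nextcloud {
        reverse_proxy 192.168.1.20:80
    }

    @emby host emby.example.com
    handle @emby {
        reverse_proxy 192.168.1.24:8096
    }

    # Any other subdomain covered by the wildcard is dropped, not proxied.
    handle {
        abort
    }
}
```

Two caveats worth knowing before choosing this layout. A `*.example.com` certificate matches exactly one label (nextcloud.example.com, but neither example.com itself nor a.b.example.com), so the bare apex needs its own name in the same site block or a separate one. And the DNS API token becomes the secret that can obtain certificates for the whole zone: keep it in the proxy's environment only, scoped as narrowly as the provider allows, and not in any dataset the jails can read.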

garm

Wizard
Looking at Caddy, I can hardly believe my eyes ^^ This warrants further investigation. I might just throw out nginx; my configs are huge compared to this.
 

danb35

Hall of Famer
I'd played with caddy a bit a while back (some discussion in this thread), but it looks like it's grown up a lot (it now supports DNS validation, which is a very big thing for me, though unfortunately it doesn't support acme-dns). It's the only server I know of with a sensible OCSP implementation. And, as you note, configs are far simpler than with other servers.
 

garm

Wizard
Well, most of my servers are behind firewalls, so I need the DNS challenge. You showed me the light and made me switch to Cloudflare a while back to get the acme hook to work, and this looks like it's able to pull its own certs. That spares me a cert-pulling jail with complex cron coordination in a forest of servers at friends and family ^^
 