
How to use same certificate on different server (different port) but same DNS #2005

Closed
casper-gh opened this issue Dec 23, 2015 · 15 comments

@casper-gh

I have successfully created a certificate using letsencrypt on one of my apache servers.

https://mydomain.duckdns.org

On my second server, I just forward a different port (4430) to this machine, ie, accessible by:

https://mydomain.duckdns.org:4430

I tried the same procedure to install letsencrypt ./letsencrypt-auto --apache -d mydomain.duckdns.org on this machine but got this error:

 The following 'urn:acme:error:unauthorized' errors were reported by
  the server:

  Domains: mydomain.duckdns.org
  Error: The client lacks sufficient authorization

Question is, how can I use the cert created by letsencrypt on my first machine on my second machine?

@bmw
Member

bmw commented Dec 23, 2015

  1. On your first machine, find the folder where your cert (or symlinks to it) are stored. This should be in /etc/letsencrypt/live/<domain> by default.
  2. Copy all files in this folder to your 2nd machine. There should be 4 files: cert.pem, privkey.pem, chain.pem, and fullchain.pem.
  3. On the 2nd machine run letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path> where the four paths are the paths to the four files you copied over in step 2.

Your certificate should be installed! I'm closing this issue since I believe I answered your question, but if you continue to have problems, comment and I'll reopen.

@bmw bmw closed this as completed Dec 23, 2015
@bmw bmw added the question label Dec 23, 2015
@casper-gh
Author

Nevermind, it works great, thank you

@jportoles

Out of curiosity, you can't have auto-renewal set up in multiple machines, right? So if you want to use the same cert on multiple machines, you would have to renew it on one of them and then copy the certificate files again to the rest, correct?

@bmw
Member

bmw commented Jun 21, 2016

@jportoles, correct. Nothing like that is currently supported in the client. You'd have to write a wrapper script around Certbot to get that kind of functionality.

#2782 might make this a bit easier, but you'd still have to provide a script telling Certbot what to do with the certificate once it's been obtained.

@jportoles

@bmw Got it, thanks! We'll probably just set up a "master" machine that renews and propagates to the rest when the renewal is due.

@jasonjpeters

https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-load-balancing-with-ssl-termination

Requires additional setup, but this removes the need to copy the certificate(s).

@harlock74

Hi casper-gh/bmw,
Would you please be so kind as to share instructions to use the same certificate on two different servers (raspberry pi's)? I have tried several times but to no avail.
Many thanks!

@harlock74

Never mind. All working thanks anyway.

@casper-gh
Author

hey @harlock74, sorry for the late response, glad you figured it out. Did you use Certbot or Letsencrypt? I was unable to do this using Certbot, so I had to run this: letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path>.

Let me know how you did this using Certbot. Thanks

@harlock74

harlock74 commented Jun 13, 2017

Hi @casper-gh , many thanks for coming back to me. Very much appreciated.
Indeed I have used Letsencrypt as the steps below never worked with Certbot. This is what I did:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path 

Something odd is happening though.
Let me just say that I am using duckdns.org.

If I start from a fresh jessie lite on my first Raspberry Pi I can re-install the same certificate by using the commands above.

However if I start from a fresh jessie lite on my second Raspberry Pi then the same procedures don't work anymore.

I have also changed the ssl port from 443 to 444 on my second Raspberry Pi by editing the files below:

/etc/apache2/ports.conf
/etc/apache2/sites-available/default-ssl.conf

I am now struggling. I would really appreciate it if you could shed some light, as I am sure I am missing something, but I wouldn't know what.
Many thanks.

@casper-gh
Author

casper-gh commented Jun 13, 2017

@harlock74 Not sure I understand it correctly, but on the first machine (port 443), you don't need to run the cmd with --cert-path; I simply ran certbot --apache to install and generate SSL on the first machine.

On the second machine (something else rather than 443), you must run the letsencrypt cmd with --cert-path. For the 2 files you mentioned, I didn't change anything from ports.conf, but in default-ssl.conf, this is my modification: <VirtualHost _default_:4430> where 4430 is my second SSL port.

Hope this helps.

@harlock74

harlock74 commented Jun 13, 2017

@casper-gh
My apologies, maybe I was not clear in my previous post.
So just to be clear:
On the first machine (ssl port 443):
./letsencrypt-auto -d domain.duckdns.org --apache -m MY_EMAIL --redirect --agree-tos

Then from the first machine I copy on the second machine the 4 files cert.pem, privkey.pem, chain.pem, and fullchain.pem.

On the second machine (ssl port 444):
./letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path

Is that correct?
Thanks a lot for your patience!

@harlock74

harlock74 commented Jun 13, 2017

Eureka! It's working like a charm and using certbot and not letsencrypt!
I will do a write-up and share it here...hopefully I will not forget what I just did..lol.. 👍

@casper-gh
Author

@harlock74 For the first machine I only ran certbot --apache or letsencrypt-auto, then it'll ask me which domain I want to use.

@harlock74

harlock74 commented Jun 18, 2017

Hi @casper-gh,
After trying different methods with both certbot and letsencrypt, the most reliable solution that I have managed to reproduce every time and without getting any error messages is as per the instructions below:

After creating a certificate with letsencrypt on your first RPi:

  1. Locate the folder where your certificate is being stored. This should be in /etc/letsencrypt/live/<your_domain> by default.

  2. You should see 4 files: cert.pem, privkey.pem, chain.pem, and fullchain.pem. Copy these files to your second RPi. I would highly recommend using rsync with a method like -a to preserve symbolic links, and then copy the entirety of /etc/letsencrypt. Alternatively you can create an archive with tar, again to preserve all the relevant symbolic links.

  3. Install letsencrypt on your second RPi:
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt

  4. Then run the command to re-install your certificate:
    ./letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path>

  5. Make sure you change the ssl port on your second RPi by editing:

    sudo nano /etc/apache2/ports.conf
    sudo nano /etc/apache2/sites-available/default-ssl.conf
    sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf
    sudo service apache2 restart
    sudo systemctl daemon-reload

  6. Port forward the new ssl port from your router.
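As an added example (not code from this thread, Certbot or the letsencrypt client), a POSIX shell check for the copy made in step 2 above: it confirms the live/<domain> entries are still symlinks into archive/ (what rsync -a or tar preserves and a plain copy of live/ alone loses) and that the private key is not world-readable on the second machine, plus the rsync push the "master machine" setup from the earlier comments would run after each renewal. The layout under /etc/letsencrypt, the host name SECOND_HOST and the reload command are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (Certbot's default):
#   $root/live/$domain/{cert,privkey,chain,fullchain}.pem -> ../../archive/$domain/*N.pem
# A copy that followed the links leaves fixed files that a later renewal on the
# master machine never updates; a copy without archive/ leaves dangling links.

check_le_tree() {
    root="$1"; domain="$2"; status=0
    for f in cert privkey chain fullchain; do
        link="$root/live/$domain/$f.pem"
        if [ ! -L "$link" ]; then
            echo "not a symlink: $link (copy followed links; use rsync -a or tar)" >&2
            status=1
        elif [ ! -e "$link" ]; then
            echo "dangling symlink: $link (archive/ was not copied)" >&2
            status=1
        fi
    done
    # find -L follows the link, so -perm tests the real key file in archive/
    if [ -n "$(find -L "$root/live/$domain/privkey.pem" -perm -o+r 2>/dev/null)" ]; then
        echo "world-readable private key behind $root/live/$domain/privkey.pem" >&2
        status=1
    fi
    return "$status"
}

# Push the whole tree from the renewing master to the second host with links
# preserved (--delete drops archive entries the master no longer has), then
# reload Apache there. SECOND_HOST is a placeholder; run after a renewal succeeds.
propagate_le_tree() {
    rsync -a --delete /etc/letsencrypt/ "root@${SECOND_HOST:?set SECOND_HOST}:/etc/letsencrypt/" &&
        ssh "root@$SECOND_HOST" 'systemctl reload apache2'
}
```

Run check_le_tree /etc/letsencrypt mydomain.duckdns.org on the second machine after the copy; a non-zero exit means the tree must be re-copied with rsync -a or tar before the install command in step 4 is run.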
