Score:-1

Certificate for a subdomain on my home server


I have read many articles on certs on a subdomain, but I'm still confused.

My hope is someone can explain how this needs to be configured.

I have a production server (hosted VM) for my site (e.g. https://www.example.com, IP 1.1.1.1). I have an application that I host on a machine on my home network (e.g. IP 2.2.2.2).

I would like a subdomain - dev.example.com - to point to 2.2.2.2 (I configured this with an "A" DNS record on 1.1.1.1 and this works properly).

However, I would like to use a certificate (Let's Encrypt) to be able to secure incoming connections to https://dev.example.com.

Here is what I would like to know:

  1. Is this possible?
  2. If so, should the cert be installed on 2.2.2.2? Does the cert need to be setup in a certain way?

I appreciate any articles or info.

Bonus question: Does the complexity of the setup in my home network matter? For instance: I have a router that directs ports 80, 8080 and 443 to a VM web server. This server then uses a proxy / reverse proxy to redirect traffic, based on folders (e.g. dev.example.com/app34), to the specific application server (192.168.0.34). Will any of this affect the cert setup?

Paul
The CA-signed cert may not be the solution you are looking for. What happens when your ISP decides you should have a different IP address just now? It sounds like dev.example.com is not something you are serving to the general public, so you can accomplish the goal of encryption plus authentication by using TLS client certificates; the IP address won't matter, and it doesn't require a CA-signed cert.
Thanks @Paul! I'll look into TLS client certificates.
Score:2

Is this possible?

Yes. Simply request a certificate from Let's Encrypt for dev.example.com. This can be verified using e.g. a DNS challenge, or some other challenge type. What matters is that you can respond to the challenge successfully, and you'll be handed a certificate.

If so, should the cert be installed on 2.2.2.2? Does the cert need to be setup in a certain way?

Probably. The alternative would be for all TLS traffic to be terminated on a reverse proxy at some other machine. But the most straightforward way is probably to terminate it at the machine that runs the actual server software.

There is nothing special about the certificate. There is no inherent difference between example.com and dev.example.com, or www.example.com; they are just domain names. Domain names are written into the certificate.

IPs are not written into certificates. You can freely change where DNS points, and the certificates will continue to work.

Bonus question: Does the complexity of the setup in my home network matter? For instance: I have a router that directs ports 80, 8080 and 443 to a VM web server. This server then uses a proxy / reverse proxy to redirect traffic, based on folders (e.g. dev.example.com/app34), to the specific application server (192.168.0.34). Will any of this affect the cert setup?

Whatever service is expected to understand the traffic has to terminate the TLS session. In your case that is the reverse proxy: it cannot decide where to forward a request until it has decrypted it and can see the path.
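The setup described in this answer, as an added example that is not part of the original question or answer: a shell script for the reverse-proxy VM that issues the dev.example.com certificate with the DNS-01 challenge, renders an nginx site that terminates TLS there and forwards https://dev.example.com/app34/ to the application server, and checks from outside that the served certificate names the host. It assumes nginx is the proxy the router forwards ports 80 and 443 to, that certbot is installed on that VM, that app34 answers plain HTTP on 192.168.0.34:80, and that admin@example.com is the contact address (all of these are assumptions, as are the file paths under /etc/nginx).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: nginx is the
# reverse proxy VM behind the router's port forwards, certbot is installed
# there, and app34 listens on plain HTTP at 192.168.0.34:80.

# Issue a Let's Encrypt certificate for one hostname via the DNS-01 challenge.
# The certificate contains the DNS name only, never the WAN IP, so it keeps
# working if the ISP changes the address and the A record is updated.
# --manual prompts for the _acme-challenge TXT record; for unattended renewal
# use a DNS plugin (e.g. certbot-dns-cloudflare) or --manual-auth-hook instead.
issue_cert() {
    domain="$1"
    # assumed contact address: admin@ the parent zone (admin@example.com)
    certbot certonly --manual --preferred-challenges dns \
        --agree-tos --email "admin@${domain#*.}" -d "$domain"
}

# Print an nginx site that terminates TLS for $domain and forwards
# https://$domain/$app_path/... to http://$backend/... (the trailing slash on
# proxy_pass strips the /$app_path prefix). TLS must end here: nginx can only
# see the path it routes on after decrypting the request.
render_nginx_site() {
    domain="$1"; app_path="$2"; backend="$3"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /$app_path/ {
        proxy_pass         http://$backend/;
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
EOF
}

# From outside the LAN, show subject, issuer, validity and the SAN list of the
# certificate actually served: expect DNS:$domain and no IP entry.
check_cert_names() {
    domain="$1"
    openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Only touch the system when explicitly asked; otherwise just print the config.
if [ "${1:-}" = "apply" ]; then
    issue_cert dev.example.com
    render_nginx_site dev.example.com app34 192.168.0.34 \
        > /etc/nginx/sites-available/dev.example.com
    ln -sf /etc/nginx/sites-available/dev.example.com /etc/nginx/sites-enabled/
    nginx -t && systemctl reload nginx
    check_cert_names dev.example.com
else
    render_nginx_site dev.example.com app34 192.168.0.34
fi
```

Run it without arguments to review the generated site, and with `apply` on the proxy VM to issue the certificate and enable it. Because the router already forwards port 80 to this VM, the HTTP-01 challenge would work as well; DNS-01 is the one that does not depend on port 80 being reachable. Traffic from nginx to 192.168.0.34 is plain HTTP inside the home LAN; if that hop should be encrypted too, the application server needs its own certificate and `proxy_pass https://...` with `proxy_ssl_verify on`.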


