Nginx
leili, 2019-06-11 16:45:43

How to install Let's Encrypt correctly if Nginx is a balancer and the site itself is on IIS?

I've been googling for 4 days looking for information on getting a Let's Encrypt certificate. To receive a certificate, the site must be accessible from the outside.
I have this: a site on IIS under Windows Server 2008, available to the internal network; a balancer on Nginx under Ubuntu 12.04 (don't beat me, it is what it is); there are a lot of configs for different subdomains in /etc/nginx/conf.d, like 1.name.ru, and for one of these resources I need to configure https.

Config in /etc/nginx/conf.d, file 1.name.ru.conf:

server {
  listen 80;
  server_name 1.name.ru;
  proxy_set_header Host 1.name.ru;

  location / {
    rewrite ^(.*)$ https://1.name.ru$1 permanent;
  }
}

server {
  listen 443 ssl;
  server_name 1.name.ru;

  ssl_certificate      /etc/nginx/ssl/mycert.pem;
  ssl_certificate_key  /etc/nginx/ssl/mycert.key;

  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;

  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;

  # upstream IIS server (address is a placeholder in the question)
  set $srv_addr "https://xx.xxx.xxx.xx";

  #charset koi8-r;

  access_log  /var/log/nginx/passport.access.log  main;

  proxy_set_header "Host" $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_connect_timeout 75s;
  proxy_read_timeout 40m;
  proxy_send_timeout 40m;

  #types_hash_max_size 2048;
  #client_header_buffer_size 16k;
  #large_client_header_buffers 16 16k;
  #request_pool_size 512k;

  #client_body_buffer_size 5M;
  #client_body_temp_path /tmp/nginx/client_temp 1 2;
  client_max_body_size 50M;

  #proxy_buffer_size 32k;
  #proxy_buffers 16 64k;
  #proxy_busy_buffers_size 128k;
  #proxy_temp_file_write_size 128k;

  #proxy_intercept_errors on;

  location / {
    proxy_pass $srv_addr;
    proxy_no_cache 1;
    proxy_cache_bypass 1;
    #proxy_pass_header Set-Cookie;
    #proxy_pass_header Host;
    proxy_set_header "Host" $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_temp_path /var/nginx/proxy_temp;
    client_body_temp_path /var/nginx/client_body_temp;
  }

  # static assets: proxied to IIS as well, but never cached
  location ~* \.(js|css)$ {
    proxy_pass $srv_addr;
    proxy_no_cache 1;
    proxy_cache_bypass 1;
    #proxy_pass_header Set-Cookie;
    #proxy_pass_header Host;
    proxy_set_header "Host" $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_temp_path /var/nginx/proxy_temp;
    client_body_temp_path /var/nginx/client_body_temp;
    expires -1;
    proxy_cache_valid 0;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
  }
}


nginx.conf file:

user nginx;
worker_processes 16;
error_log /var/run/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
  worker_connections 1024;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$host" "$remote_addr" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;

  types_hash_max_size 2048;
  server_names_hash_max_size 1024;
  server_names_hash_bucket_size 512;
  client_header_buffer_size 16k;
  large_client_header_buffers 16 16k;
  request_pool_size 512k;
  client_body_buffer_size 4M;
  #client_body_temp_path /tmp/nginx/client_temp 1 2;
  #client_max_body_size 4000M;

  server_tokens off;

  gzip off;
  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 5;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_min_length 10k;
  # gzip_types text/plain text/css text/javascript application/json application/x-javascript text/xml application/xml application/xml+rss;

  #proxy_cache_path /var/nginx/cache-smartlearn levels=1:2 keys_zone=smartlearn:256m inactive=5d;

  include /etc/nginx/conf.d/*.conf;
}

Having dug around in the config a little and visited the resource, I noticed an unhealthy thing: the keys in /etc/nginx/ssl/ are some kind of self-signed ones (issued a month ago); as a result, browsers complain about an invalid certificate and https is crossed out.
So the previous certificate, which confuses me, is self-signed. It was generated on Linux, then converted into a format Windows understands and "fed" to IIS, so I see this picture both when accessing from the internal network and from the external one:
[screenshot omitted]
Therefore, I vaguely understand that the certificate must still be issued by an organization that is trusted from the outside, so I found information about Let's Encrypt.
Please tell me how and from where to issue a certificate, and how to pass validation?
The pitfalls I hit:
1) At first I didn't know that Nginx sat between IIS and the Internet, and I started issuing a certificate for IIS, where the resource actually lives, through manual authentication on Let's Encrypt. I thought the problem was that manual identification needed a file with an arbitrary character set, which is issued by the certificate authority; this file has no extension, and you just had to edit the MIME types. But after adding the type, I followed the verification link to the specified path via http and received an error from the certification authority. Now I understand that the certificate must be obtained through nginx?
2) I found https://club.directum.ru/post/178155; in the comments I intuitively like the approach of the commenter Maxim Bulanov, but I don't know if it's right...
3) Just in case, if the certificate really needs to be issued using nginx, I installed certbot according to this instruction; there is a manual on how to install it on an old server with Ubuntu 12.04:
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

But I still doubt how I will pass validation using nginx if the site is on IIS. Should I follow the commenter's instructions from point 2? Sorry for the questions, this is the first time I've come across this.

1 answer(s)
Vladimir Skibin, 2019-06-11
@megafax

Just add

location ^~ /.well-known/acme-challenge/ {
  root /var/www/_letsencrypt;
}

to the server directive with port 80. Thus your IIS will not even know that it has a certificate (it does not need to). And the certbot verification files will be put in /var/www/_letsencrypt on the Ubuntu machine.
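The 1.name.ru.conf layout that results from the answer, as an added example (not the question's or the answer's own config): the ACME location sits in the port-80 block and wins over the catch-all redirect, and the 443 block points at the files certbot writes. It assumes the certbot-auto webroot plugin and its default /etc/letsencrypt/live/ paths; /var/www/_letsencrypt is the webroot the answer names.

```nginx
server {
  listen 80;
  server_name 1.name.ru;

  # Longest-prefix match beats "location /", and "^~" also stops any regex
  # locations from being considered, so challenge requests are answered by
  # nginx from the webroot and are neither redirected nor proxied to IIS.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/_letsencrypt;
    default_type text/plain;   # token files have no extension
  }

  # Everything else keeps redirecting to https as before.
  location / {
    rewrite ^(.*)$ https://1.name.ru$1 permanent;
  }
}

# Steps on the Ubuntu host (assumed, not from the page):
#   sudo mkdir -p /var/www/_letsencrypt/.well-known/acme-challenge
#   sudo nginx -t && sudo nginx -s reload
# Pre-flight check with a constructed file before spending a validation attempt:
#   echo ok | sudo tee /var/www/_letsencrypt/.well-known/acme-challenge/test
#   curl -i http://1.name.ru/.well-known/acme-challenge/test   # expect HTTP 200 and "ok"
# Issue the certificate via the webroot plugin, then switch the 443 block to it:
#   sudo certbot-auto certonly --webroot -w /var/www/_letsencrypt -d 1.name.ru
# Renewal must reload nginx so the new chain is actually served:
#   sudo certbot-auto renew --deploy-hook "nginx -s reload"

server {
  listen 443 ssl;
  server_name 1.name.ru;

  # Replaces the self-signed pair in /etc/nginx/ssl/.
  ssl_certificate     /etc/letsencrypt/live/1.name.ru/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/1.name.ru/privkey.pem;

  # ... the rest of the existing 443 block (proxy_pass to IIS) is unchanged.
}
```

IIS never sees the challenge, so nothing on the Windows side (MIME types included) needs to change; only the public hostname must resolve to the nginx host on port 80.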
