
I am having some troubles installing my SSL certificate.

Here is the situation: I have bought a certificate for the domain client.lexcelera.com. The problem is that client.lexcelera.com is redirected to our livebox IP via a WAN connection. So when I install the certificate on our server (which is a local one), I have a certificate mismatch error.

I am using AOLserver on a CentOS 6.4 server. We are using pound to listen to the ports.

Here is pound.cfg file:

ListenHTTP
        Address 0.0.0.0
        Port    85
End

ListenHTTPS
        Address 0.0.0.0
        Port    443
        Cert    "/etc/ssl/certs/server.pem"
        Service
                HeadRequire "Host:\s*client\.lexcelera\.com.*"
                BackEnd
                        Address 80.15.156.1
                        Port    8000
                End
        End
End

(80.15.156.1 is the livebox IP)

I'm not sure what I'm supposed to do in this case. Any idea?

Thanks!

Simon

1 Answer


It sounds like pound is acting as a reverse proxy. If so, you would only install the public certificate on the server hosting pound - not on the backend server. In fact, it would be quite common to use HTTP without ssl for the backend connection.

If you do require transport security between your proxy and the backend, you should use a second self-signed certificate trusted by the proxy.

As a third but unnecessarily complicated option, you could use split brain DNS, but such a thing would be only rarely advisable.

Mitch
  • Thank you for your answer. The hosting server is local. The client.lexcelera.com is for the customers to access an online service of our application via a DNS redirect on OVH. Is an SSL certificate not needed in this case? – Simon Nov 14 '18 at 08:35
  • If the backend server and the proxy server are on a trusted network, then I would only use HTTPS between the client and proxy and use HTTP between the proxy and backend server. If you are dealing with a threat model where a bad actor could compromise your local network, then I would use a self-signed certificate for the backend server. – Mitch Nov 14 '18 at 19:24
  • Ok I see, thank you for the details. So in case I end up having to set up the self-signed certificate for the backend server, then I would need to do it for OpenMat.lexcelera.local, right, not client.lexcelera.com? – Simon Nov 15 '18 at 11:23
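The mismatch in the question and the placement Mitch recommends both come down to one rule: the name the connecting side uses must match a name in the certificate presented at that hop. The script below is an added illustration, not code from the thread or from Pound. It models the certificates as plain dicts with constructed SAN contents (the public certificate is assumed to carry only the dNSName client.lexcelera.com; the backend's hypothetical self-signed certificate carries the internal name OpenMat.lexcelera.local mentioned in the comments), implements the RFC 6125 dNSName/iPAddress matching that browsers and TLS libraries apply, and reports which hops would fail. Chain trust (the "trusted by the proxy" part of the answer) is a separate check that this matcher does not cover.

```python
"""Which hop of a TLS-terminating reverse proxy would raise a certificate
name mismatch?  Added example; the certificate contents are constructed."""
import ipaddress

# Constructed sample certificates: only the fields relevant to name matching.
PUBLIC_CERT = {
    "subject_cn": "client.lexcelera.com",
    "san_dns": ["client.lexcelera.com"],   # assumption: no other SAN entries
    "san_ip": [],
}
BACKEND_SELF_SIGNED = {                    # hypothetical cert for the internal name
    "subject_cn": "OpenMat.lexcelera.local",
    "san_dns": ["OpenMat.lexcelera.local"],
    "san_ip": [],
}


def _dns_name_match(pattern, host):
    """RFC 6125-style comparison of one dNSName SAN entry with a hostname.
    Case-insensitive; a single '*' is accepted only as the entire left-most
    label, must be followed by at least two more labels, and never matches
    across a dot ('*.lexcelera.com' matches 'client.lexcelera.com' but not
    'lexcelera.com' or 'a.client.lexcelera.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def cert_matches_host(cert, host):
    """True if `host` verifies against the names in `cert`.
    An IP literal is compared only with iPAddress SAN entries; a hostname
    only with dNSName entries, falling back to the subject CN solely when the
    certificate carries no dNSName SAN at all (legacy behaviour)."""
    if _is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == wanted for ip in cert.get("san_ip", []))
    names = cert.get("san_dns") or [cert["subject_cn"]]
    return any(_dns_name_match(n, host) for n in names)


def placement_report(hops):
    """hops: (label, name the connecting side uses, cert presented there).
    Returns {label: True if that hop passes hostname verification}."""
    return {label: cert_matches_host(cert, name) for label, name, cert in hops}


# The situation in the question: the public certificate sits on the internal
# server, which is reached by its internal name or (as in pound.cfg) by IP.
WRONG_PLACEMENT = [
    ("client -> backend by internal name", "OpenMat.lexcelera.local", PUBLIC_CERT),
    ("proxy -> backend by IP", "80.15.156.1", PUBLIC_CERT),
]
# The layout from the answer: public certificate terminated at pound, and a
# self-signed certificate for the internal name if that hop needs TLS at all.
RECOMMENDED_PLACEMENT = [
    ("client -> pound", "client.lexcelera.com", PUBLIC_CERT),
    ("pound -> backend by internal name", "openmat.lexcelera.local", BACKEND_SELF_SIGNED),
]

if __name__ == "__main__":
    for title, hops in (("as installed", WRONG_PLACEMENT),
                        ("as recommended", RECOMMENDED_PLACEMENT)):
        print(title)
        for label, ok in placement_report(hops).items():
            print(f"  {label:40s} {'ok' if ok else 'NAME MISMATCH'}")
```

Running it shows both hops of the current layout failing and both hops of the recommended layout passing. Note the IP case: if the proxy-to-backend hop were switched to HTTPS while `BackEnd Address` stays an IP, the backend certificate would need that address as an iPAddress SAN entry, which a certificate issued for client.lexcelera.com will never have; using the internal hostname for the backend, as the last comment suggests, avoids that.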