Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

 

Using Domino CertMgr with NGINX & Co

Daniel Nashed  31 December 2021 15:03:16

Domino CertMgr is easy to use and shows all the certificates in a modern UI. Most other ACME solutions are quite cryptic and mainly command-line oriented.
Also, you might want to operate CertMgr with ACME HTTP-01 challenges behind a load balancer, reverse proxy, etc.

I took a look this morning and came up with some simple redirect rules first:

Redirect HTTP to HTTPS on NGINX or other load-balancers

The following config redirects all standard traffic from HTTP to HTTPS.
And the ACME HTTP-01 challenge is redirected to your CertMgr server.
The server can be on the same or any other machine. And the target can be HTTPS with any type of certificate -- ACME validation does not check existing certs.
Only the challenge is validated -- as long as the connection can be established.


You can add this to existing HTTPS configurations to allow ACME HTTP-01 challenges and also ensure users are conveniently redirected to HTTPS if HTTP is requested, without opening HTTP (port 80) on any Domino server.


    # Port 80 is redirected to 443. Only ACME challenges are redirected to the CertMgr server.

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        location /.well-known/acme-challenge/ {
            return 301 https://certmgr.acme.com$request_uri;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

TLS configuration with CertMgr certs

Now that we took care of redirecting challenges and HTTP traffic, what about using certificates created on CertMgr on your external host as well?
It could be a certificate from Let's Encrypt requested by the flow we just established -- redirecting ACME HTTP-01 challenges to another server.

Or it could be even a wildcard cert confirmed by ACME DNS-01 challenges.


Here is the documentation I came up with. If you have questions, feedback or ideas, let me know.
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/docs/external_cfg.md

It contains links to a full TLS NGINX example configuration:
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/nginx.conf

And also to an update script with the logic described in the referenced document.
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/cert_upd_nginx.sh

This integration allows you to update certificates automatically once you have deployed an exportable key from CertMgr.
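As an added example for the update step described above (my own helper, not the project's cert_upd_nginx.sh), the following POSIX shell checks a freshly exported CertMgr certificate/key pair before NGINX is switched to it: the private key must match the certificate, the certificate must cover the hostname NGINX serves, and it must not expire within a few days. Certificate and key paths, the hostname, the minimum remaining days and the destination directory are assumed parameters; the openssl CLI is required.

```shell
#!/bin/sh
# Sanity checks before a CertMgr-exported certificate/key pair is activated
# in NGINX. Hypothetical helper, not the project's own update script.

# check_cert_key_pair CERT KEY HOSTNAME [MIN_DAYS]
# Returns 0 only if the key matches the certificate, the certificate is
# valid for HOSTNAME and it does not expire within MIN_DAYS (default 7).
check_cert_key_pair() {
    cert="$1"; key="$2"; host="$3"; min_days="${4:-7}"

    # Public key taken from the certificate vs. derived from the private key;
    # both are printed as SubjectPublicKeyInfo PEM, so they must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate: $cert / $key" >&2
        return 1
    fi

    # The certificate must cover the name NGINX will serve (SAN, or CN if no SAN).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match"; then
        echo "certificate is not valid for $host" >&2
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "certificate expires within $min_days days" >&2
        return 1
    fi
    return 0
}

# deploy_to_nginx CERT KEY HOSTNAME DEST_DIR
# Copies the pair into place and reloads NGINX only after the checks and
# "nginx -t" pass, so a bad export never takes the proxy down.
deploy_to_nginx() {
    check_cert_key_pair "$1" "$2" "$3" || return 1
    install -m 0644 "$1" "$4/$3.crt" || return 1
    install -m 0600 "$2" "$4/$3.key" || return 1
    nginx -t && nginx -s reload
}
```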

I blogged about similar flows before. But this is now a complete example with the widely used NGINX.

-- Daniel

