The right SSL certificate at the right layer
I have a web app which requires fairly stringent security. I already have a reasonably secure solution stack, including Cloudflare, HAProxy and Modsecurity. I'm getting close to getting my Dev environment ready for testing before I build out my Staging and Production environments.
I was keen to use a Cloudflare Origin SSL cert on my Load Balancer and Web Server but I've struck an issue.
I was keen to achieve Full (Strict) crypto via Cloudflare, which means Cloudflare will validate the cert on each request. So I wanted to use a Cloudflare Origin cert in order to do so, but it looks like I can use a Cloudflare Origin cert on my Load Balancer only, because it's designed for Cloudflare-to-Origin data flow only, which would leave me having to buy a cert from a CA for my Webserver(s).
That's three SSL certs to cover the three SSL termination points:
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer
Load Balancer --> Web Server
I tried installing the Origin cert on the Web Server but it was unable to verify the validity of that cert. I've even updated OpenSSL to the latest stable release (v1.1.1b) to ensure I can prepare for TLS 1.3.
So I can only think of two possible approaches:
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer (via Cloudflare Origin cert)
Load Balancer --> Web Server (via DigiCert cert)
or
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer (via DigiCert cert)
Load Balancer --> Web Server (via DigiCert cert)
I would appreciate anyone highlighting if I've missed anything important.
ssl cryptography ssl-certificate cloudflare
You've missed asking a question.
– Maarten Bodewes
Mar 22 at 11:48
asked Mar 21 at 21:57
ChrisFNZ
549
1 Answer
Certs commonly contain the web server DNS name as "common name". You need to make things compatible with that; that indeed means either installing an additional trust point on your load balancer or getting a "real" certificate.
Generally your endpoints can use a single certificate to identify themselves. The problem is that currently you are using certificates for which no trust chain can be built at the various endpoints. You can of course solve this by buying a cert for which a chain can be built (e.g. from a commercial CA). You can however generally also update the trust store to include additional certificates, so that a chain of trust can be built. In that case you can use your own certificates; it is your infrastructure after all.
What you don't want to do is to use the leaf certificates on multiple machines, as that would imply that you copy the private key to more machines. The security of the machines should be separate, so if you start copying PKCS#12 files you might want to rethink your key management solution (and if you don't have an explicit KM solution then this would be the right time).
Thank you, most of that makes sense. I suppose my concern was that the same FQDN needs to be serviced by three layers, each with a different IP. (1) Cloudflare resolves the FQDN to a public IP on their own network. (2) Cloudflare then routes traffic to the public IP of the load balancer (which only accepts traffic from Cloudflare's public IP ranges). (3) The load balancer then routes traffic from its internal IP to the internal IP of the Web Server(s).
– ChrisFNZ
Mar 23 at 11:32
The IP addresses don't matter much; it seems that most TLS implementations don't do reverse lookup, so as long as the domain name points to the right location for each of the services then you're OK. A well-configured, secure DNS is always recommendable, of course.
– Maarten Bodewes
Mar 23 at 15:40
answered Mar 22 at 11:56
Maarten Bodewes
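The two points the answer and the follow-up comments make, that a hop only succeeds when the client side can build a chain from the presented leaf to a root in its own trust store, and that what gets matched is the DNS name the client dialled rather than any IP address, can be reproduced locally with the OpenSSL CLI. The script below is an added example written for this page; it is not code from the question, the answer, Cloudflare or HAProxy. It assumes an `openssl` binary of version 1.1.0 or later (for `-verify_hostname`), and every host name, CA name and file name in it is constructed for the demo. It creates a private CA (the "additional trust point"), issues a separate key and leaf for the load balancer and for one web server, then runs the same verification a TLS client performs against three trust-store/name combinations.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: a throwaway private
# CA issues a separate leaf certificate for each hop, then `openssl verify`
# shows when a chain of trust can and cannot be built at a hop. All host
# names, CA names and file names are constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# A self-signed CA: the "additional trust point" the answer refers to.
# $1 = file prefix, $2 = CA display name
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# One leaf per machine: its own private key (never copied to another host)
# and, in the SAN, the name the client at that hop will connect to.
# $1 = file prefix, $2 = DNS name the peer will verify (signed by "ca")
issue_leaf() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# What a TLS client (Cloudflare, or HAProxy talking to a backend) does on each
# connection: chain the presented leaf to a root in its trust store and match
# the name it dialled against the SAN. Exit status 0 on success, non-zero otherwise.
# $1 = trust store (PEM), $2 = leaf prefix, $3 = name the client connected to
verify_hop() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca ca    "Example Internal CA"   # the CA the load balancer will trust
make_ca other "Some Unrelated CA"     # a trust store that has never heard of ours
issue_leaf lb   lb.example.test       # presented by HAProxy to Cloudflare
issue_leaf web1 web1.internal.test    # presented by the web server to HAProxy

# $1 = label, remaining arguments are passed to verify_hop
report() {
  label="$1"; shift
  if verify_hop "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}
report "trusted CA, right name"  "$WORK/ca.pem"    web1 web1.internal.test
report "unknown CA, right name"  "$WORK/other.pem" web1 web1.internal.test
report "trusted CA, wrong name"  "$WORK/ca.pem"    web1 lb.example.test
```

The first case is the only one that passes: the presented leaf chains to a root the client trusts, and the SAN carries the name the client dialled. The second case is the situation the question describes when the web server could not verify the Origin cert: the leaf is fine, but the verifying side has no root for its issuer, so no chain can be built. The third case shows that an otherwise valid chain still fails when the name does not match, which is why the comment above stresses the DNS name at each hop and not the IP address the connection actually goes to. Mapped onto the question's topology, the load balancer's trust store needs the CA that issued the web server's cert, the web server's SAN needs the name the load balancer dials, and each machine keeps its own key rather than sharing one PKCS#12 file.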