Certificiating behind a router

ConanMan

I have read https://docs.mailcow.email/post_installation/firststeps-ssl/

I am really concerned about how best to do mail server certification on a mail cow mail server that is behind a gateway on port 80

Mission: I want to remove this box

Inbound Port 80 is usually a 301 redirect to web traffic nginx server called gate on 443 (it redirects to itself on port 443 basically)
gate then sends the host traffic via a proxy_pass to a local lan vm - it looks like this:

this is gate server

server{
       listen 443 ssl;
       listen [::]:443 ssl;
       server_name domain.com;
       ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # managed by Certbot
       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
       ssl_session_cache shared:SSL:1m;
       location / {
               proxy_pass http://192.168.0.71;
               proxy_set_header Host $host;
       }
       error_page 404 /404.html;
               location = /40x.html {
       }
       error_page 500 502 503 504 /50x.html;
               location = /50x.html {
       }
  }
  server {
    listen 80;
    server_name domain.com;
    return 301 https://domain.com$request_uri;
     if ($host = domain.com) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
 
     if ($host = www.domain.com) {
         return 301 https://$host$request_uri;
     } # managed by Certbot
    return 404; # managed by Certbot
 }

As you can see the actual internal traffic is port 80 to 192.168.0.71 but it is gate that hosts the ssl certificate and 192.168.0.71 has no idea about it - note this is for WEB traffic. I need to do “whatever mailcow wants” to allow this to validate and allow outlook to validate the certificate properly

this is 192.168.0.71

 server {
       listen 80;
       root /var/www/html;
       index index.php index.html index.htm;
       server_name domain.com;
       location / {
           try_files $uri $uri/ =404;
       }
       location ~ \.php$ {
           include snippets/fastcgi-php.conf;
           fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
       }
  }

Question: How do I get rid of that outlook popup box given that I cannot really alter this gateway servers’ role and responsibility

NB: If I need to buy and import a long-life certificate I am prepared to do this

mbh

Hi!
if you click on view certificate on the outlook popup box, what do you get?
M

esackbauer

Read this page carefully:
https://docs.mailcow.email/post_installation/reverse-proxy/r_p/