Target:
- ~15 http-webservices running on Mikrotik (/container) and a docker server (due to performance) - all ~15 http-webservices are http and shall be https INSIDE the LAN = inner RevProxy on MT shall secure services from MT itself AND(!) the docker server.
- only 5 of them shall be exposed to WAN via DMZ RevProxy. The DMZ RevProxy will access all exposed services via the single source of the Inner RevProxy on MT
- A simple and modern and professional solution for certs for the next 10 years

Situation:
- outer Router (in my case: FritzBox) at VDSL
- Port Forwarding 80 + 443 to DMZ RevProxy
- inner Router Mikrotik RB3011 (ASAP future RB6xxx)
- VLAN, Wifi/CAPsMAN,...
- /container: Services with and w/o WebUI e.g. mosquitto, pihole, influxDB, Grafana,...
- INNER RevProxy (just for making https out of all http) e.g. HAproxy, Caddy or traefik as /container
- in between DMZ with RevProxy: Traefik with LE (automatic renew) for ~ 5 subdomains
- in one VLAN: Proxmox Server -> VM Ubuntu -> Docker
- Docker Services with WebUI e.g. Wiki, nextcloud, esphome, code-server, forgejo...
Short: Fritzbox <=> DMZ RevProxy <=> Mikrotik (with http-WebServices + INNER RevProxy for http2https) <=> VLANs --> Server (with http-Webservices)
In the past ~ 10Y I decided for having a VM just for: Generating an own CA, generating own certificates for all internal servers, client certificates for the DMZ RevProxy,... If you don't do this daily it's hard to keep this maintained and updated = no solution for the future.
Future: I like it simple. In addition to LE via DMZ RevProxy: I'd like to depend on Mikrotik only for all Cert needs. Or something else (XCA?) if it makes more sense. One Instance for all. And fully automated. For all other servers I don't need certs anymore.
Questions:
- Note: I'm good with the DMZ RevProxy + LE. It works and fits to my requirements.
- Inner RevProxy: Certificates
- A) Is it possible and/or does it make sense to use LE "somehow" for the INNER services as well for http2https? If yes: How? Is it one LE of my 5 subdomains or an additional LE? Any link to a manual? Spoiler: In my understanding LE is absolutely not designed for internal IP/servers. But maybe I'm wrong.
- B) Mikrotik as CA and with server cert. Would add the CA to all Browsers as trusted.
- C) Alternative installed somehow on MT (/container)? Or in a Proxmox VM?
  - xca
  - Smallstep
  - mkcert
  - ...?
Do those solutions make something worthwhile better than the Mikrotik Cert solution?
- What is recommended for "simple and reliable and automated"? If B) is the one-fits-it-all I'm happy...
- In any solution:
- How do I get the certs to the Inner RevProxy (frequently and automated)?
- must it be stored in files for that? Which cert and how? I tried it for HAproxy and failed.
- on my Mikrotik I already created a CA and a server cert in the past. Anyway I can't create /container with check-certificates=yes; it always fails. Why?
- I assume with these MT certs I can access other servers via SSH w/o PW, right?
- SCEP is designed for PKI managment of clients and server. Can SCEP help me "somehow" for my target/questions?
Thank you for opinions, support, links, manuals and hints
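As an added example, not part of the original post, here is how the "which cert, in which file" part for HAproxy looks in practice: whatever CA issues the internal certs (RouterOS, xca, smallstep, mkcert), HAproxy wants one PEM file containing leaf cert, then CA chain, then private key, and it pays to verify key and chain before the file is deployed. The CA, the hostname grafana.lan.example and the paths are constructed for the demo; it assumes openssl is installed.

```shell
#!/bin/sh
# Assemble and verify the single PEM file HAproxy expects (leaf, chain, key).
# The CA and server cert below are generated inline as a stand-in for files
# exported from the real internal CA (constructed demo data).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed internal CA plus one internal service certificate with a SAN,
# which is what browsers require; in production these two files come from
# the chosen CA, not from this function.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home Internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=grafana.lan.example" \
    -keyout "$WORK/grafana.key" -out "$WORK/grafana.csr" 2>/dev/null
  printf 'subjectAltName=DNS:grafana.lan.example\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/grafana.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -extfile "$WORK/ext.cnf" -out "$WORK/grafana.crt" 2>/dev/null
}

# build_haproxy_pem <name> <ca.crt> <out.pem>
# Checks that the leaf chains to the CA and that the private key belongs to
# the leaf, so a wrong export is caught here instead of by a failing reload.
build_haproxy_pem() {
  name="$1"; ca="$2"; out="$3"
  openssl verify -CAfile "$ca" "$WORK/$name.crt" >/dev/null
  cert_pub=$(openssl x509 -in "$WORK/$name.crt" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/$name.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
  umask 077                       # the bundle contains the private key
  cat "$WORK/$name.crt" "$ca" "$WORK/$name.key" > "$out"
}

# Number of PEM blocks in the bundle: leaf + CA + key should give 3.
pem_block_count() { grep -c -- '-----BEGIN' "$1"; }

make_demo_pki
build_haproxy_pem grafana "$WORK/ca.crt" "$WORK/grafana.pem"
echo "HAproxy bundle written to $WORK/grafana.pem"
```

Point `bind *:443 ssl crt /path/grafana.pem` at the resulting file; for renewal, rerun the build step whenever the CA exports a new cert and reload HAproxy afterwards.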
