Certificate Expiry for domain behind Cloudflare

Dear All,

I am trying to configure Certificate Expiry to monitor the expiration of some of my servers’ certificates.

These servers are remote, not on the same local network as my HA. I am using Cloudflare to ‘protect’ the websites hosted on these servers and set up Strict SSL for them (with proxying DNS). This means that the HTTPS connection is terminated on CF’s server and another is created from CF to my server. I am looking for the certificate expiration for the second connection.

If I enter the original hostname, HA would show the expiration for the certificate from CF and not my certificate.

A solution would be to configure Certificate Expiry with the IP address, but it results in an error: IP address mismatch, certificate is not valid for ‘123.123.123.123’.
Is there any way to work around this? I did not see any option to override these types of errors.

Thanks,

David

You’re talking about the origin certificates? I mean…those are usually good for like 10-15 years. Why are you trying to monitor it? If you’re doing something else your best bet is to try to take advantage of the API, though I don’t know how you’d do it.

I am trying to monitor my certificates (that are created by Let’s Encrypt), but they are ‘hidden’ because of the Full (strict) SSL scenario.

If I connect directly to the IP, I can get the certificate:

echo | openssl s_client -connect 123.123.123.123:443 2>/dev/null | openssl x509 -noout -dates

The problem is that if I put the IP into Certificate Expiry, I get an error: IP address mismatch, certificate is not valid for ‘123.123.123.123’. It is a valid error, but I would still like to suppress it.
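As an added example (not from this thread and not part of Home Assistant), the check David is after can be done outside the integration: connect to the origin IP, but pass the real hostname as the SNI name and as the name to verify. The certificate then matches and no ‘IP address mismatch’ is raised. The IP is the placeholder from the thread; the hostname is a constructed placeholder.

```python
import socket
import ssl
from time import time
from typing import Optional

# Placeholders: the IP is the one used in the thread, the hostname is constructed.
ORIGIN_IP = "123.123.123.123"
HOSTNAME = "www.example.com"


def fetch_origin_not_after(hostname: str, origin_ip: str, port: int = 443) -> str:
    """TLS-connect straight to the origin IP, bypassing Cloudflare's proxy.

    server_hostname does two things: it is sent as SNI, so the origin serves
    the Let's Encrypt certificate for that name, and it is the name the default
    context verifies the certificate against. Verification therefore checks the
    hostname rather than the IP, which is why no IP mismatch error occurs.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((origin_ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]  # e.g. "Jun 12 23:59:59 2025 GMT"


def days_remaining(not_after: str, now: Optional[float] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired.

    `now` is epoch seconds (UTC); it defaults to the current time.
    """
    expiry = ssl.cert_time_to_seconds(not_after)  # parses the GMT timestamp
    if now is None:
        now = time()
    return int((expiry - now) // 86400)


def origin_cert_days_left(hostname: str, origin_ip: str) -> int:
    """Days left on the certificate the origin presents for `hostname`."""
    return days_remaining(fetch_origin_not_after(hostname, origin_ip))


if __name__ == "__main__":
    print(origin_cert_days_left(HOSTNAME, ORIGIN_IP))
```

Running the script itself needs a reachable origin; the day calculation can be checked on its own with a constructed notAfter value.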

Do you have a way to do a DNS re-write on your network? Like if you’re using Adblock or Pi-hole they both make that pretty easy. I believe there is also a way to do it specifically on that one machine but I haven’t done that in a while.

If you can do a DNS re-write within your network then you can set it so DNS lookups for are re-written to 123.123.123.123 within your network. This way any calls to your public domain from within your network never actually leave your network and instead stay local. Also, since it’s a re-write, the called domain still matches the certificate in the request, so you won’t get errors either.

Another option would be to use the NGinx Proxy Manager add-on and let it manage the certificates. It has built-in auto-refresh capabilities for the certificates you get with it so then you just wouldn’t have to worry about expiration anymore.

Out of curiosity, why don’t you want to use the origin certificate? I found it pretty handy myself. Is there an issue I’m not aware of keeping you from wanting to use it?

Thank you for your suggestions.

DNS rewrite is a good idea, thought about it. Generally speaking I would like to go through CF every time I am connecting to the server, but I guess changing this only in the HA’s network would not be a big deal.

Certificates are updated automatically already, this serves as a backup plan to see if something goes wrong.

I did not want to go with the origin certificates because of separation. If I would like to move away from CF, the only thing I have to do is change the nameservers on my domain. :slight_smile: