Backend with self-signed certificate

4/28/2018

I'm building a website with separated backend / frontend. For now this website is hosted on my Kubernetes cluster at home. There is one pod for the frontend and another for the backend.
These pods are accessible via Traefik. I have internal DNS names (i.e. backend.home.local and frontend.home.local) to access them. I have generated a self-signed CA that handles the SSL on my .home.local private domain so I can reach them in my private network from my computer, which has registered my private CA.

My frontend communicates with my backend also via HTTPS using the same URL (in .home.local). My frontend knows the CA (I proceeded like here).

I also have an external domain name pointing to my frontend. I can access it via HTTPS without trouble outside and inside my network.

OK, so far so good. My issue is that when I access my frontend via my external domain name, my frontend succeeds in communicating with the backend when I'm using a computer which has registered my private CA, but it fails with an err_cert_authority_invalid when I'm using a computer without my CA.

I understand by that that the end user has to have the CA of all resources of the website, else the browser throws an error, even if the frontend initiates another SSL connection with the backend with its own CA.

I also tried to deactivate HTTPS between the frontend and the backend, but this time I have a mixed content error... not better.

Do I inevitably have to have a backend accessible from outside with a proper Let's Encrypt certificate? I would prefer to have a backend not accessible from outside, but I don't know if I can do that properly.

I hope this post is not too messy. Have a good day.

-- matthieugouel
https
kubernetes
ssl
vue.js

1 Answer

4/28/2018

Do I inevitably have to have a backend accessible from outside with a proper Let's Encrypt certificate?

Yes, that is the case. This does not necessarily mean you have to change your backend service; you can do SSL termination for your backend through Traefik. Setting up Let's Encrypt through Traefik is a fully automated process, so it should be fairly easy.

Think about it - HTTPS is not just a "nice to have" feature, it is essential for security. All communication over public networks should only be done securely.

-- spawnia
Source: StackOverflow
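
The failure described in the question can be reproduced offline with openssl, as an added example that is not part of the original question or answer: a certificate for backend.home.local issued by a private CA verifies only against a trust store that contains that CA, which is the check each visitor's browser performs on its own. The CA names, file names and the `make_ca`, `issue_backend_cert` and `trusts_backend` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example. backend.home.local is from the question; all other names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA named $1 (private key plus self-signed CA certificate).
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $1 (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue the backend certificate from the private CA, as the question describes.
# The CA's config file is reused only so that openssl needs no system-wide config;
# -subj replaces the subject name for the request.
issue_backend_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/private-ca.cnf" \
    -subj "/CN=backend.home.local" \
    -keyout "$WORK/backend.key" -out "$WORK/backend.csr" 2>/dev/null
  printf 'subjectAltName=DNS:backend.home.local\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/backend.csr" -days 1 -extfile "$WORK/san.ext" \
    -CA "$WORK/private-ca.crt" -CAkey "$WORK/private-ca.key" -CAcreateserial \
    -out "$WORK/backend.crt" 2>/dev/null
}

# Succeeds only if the backend certificate chains to the CA file named $1.
trusts_backend() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/backend.crt" >/dev/null 2>&1
}

make_ca private-ca       # the CA registered on the author's own computer
make_ca visitor-store    # stands in for a visitor's trust store without that CA
issue_backend_cert
trusts_backend private-ca    && echo "client with private CA: backend accepted"
trusts_backend visitor-store || echo "client without private CA: backend rejected"
```

The second result is what the browser surfaces as err_cert_authority_invalid; a certificate from a publicly trusted CA such as Let's Encrypt avoids it because that CA is already in the visitor's trust store.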