503 Error with Apache Reverse Proxy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
vault.legacyknights.org

It produced this output:
503 Unavailable server


I am setting up an on-prem password manager which uses an install script that includes Letsencrypt. I already have a CentOS 7 Apache reverse proxy handling several other domains to several backend servers.

My reverse proxy already is running Letsencrypt, with the SSL folders mapped to one of the backend web servers in order to use the certificates.

This new password manager server I am setting up runs Letsencrypt during the install script, so I can’t duplicate what I’ve done before. It almost acts like the return request on port 80 is stopping at the proxy, even though I have the config setup to not do that.

Here is my edited virtual host config on my reverse proxy; any ideas?
<VirtualHost *:80>
    ServerAdmin support@legacyknights.org
    # Pass the client's original Host: header through to the backend
    ProxyPreserveHost on

    ServerName vault.legacyknights.org

    ErrorLog logs/error.log
    CustomLog logs/access.log combined

    LogLevel error

    # Apache 2.2-style access control (needs mod_access_compat on 2.4);
    # "Allow from <hostname>" depends on a reverse DNS lookup of each client
    <Location />
        ProxyPass http://x.x.x.x/
        ProxyPassReverse http://x.x.x.x/
        Order allow,deny
        Allow from outbound1.letsencrypt.org
        Allow from outbound2.letsencrypt.org
    </Location>
    # "ProxyRequests on" enables forward proxying; a reverse proxy built on
    # ProxyPass does not need it
    ProxyRequests on
</VirtualHost>

Hi @bholland

that’s <Location />, a closed element, so the location definition is empty.

Use

<Location>

Hi, @bholland,

Unfortunately, just allowing outbound1 and outbound2 won’t work for our staging environment, and might also be a problem with our production environment in the future. This is because of our multiple vantage point validation rollout.


Thank you for your reply. Unfortunately Apache won’t let me make that change. I must have at least the forward slash, otherwise it errors when applying the config.

JamesLE, are there other FQDNs that I can add to that list? I don’t want a flood of attempts on port 80 to that server; I want to restrict it to only Letsencrypt.

Unfortunately not: I don’t think we’re planning to publish a predictable list of endpoints. What I usually do is restrict untrusted IPs to /.well-known/acme-challenge, which should only contain harmless static files. For high-security deployments, the DNS-01 challenge might be a good alternative.


OK, I don’t know yet why this worked, but I commented out the entire section and moved the ProxyPass lines outside of it. I did add a forward slash before http.

ProxyPass / http://x.x.x.x/
ProxyPassReverse / http://x.x.x.x/

Letsencrypt was successful in establishing a certificate. Thank you everyone for your help!
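Putting JamesLE's suggestion (leave only /.well-known/acme-challenge open to untrusted clients) together with the final ProxyPass form above, here is an added example vhost that is not from the thread or from Let's Encrypt. It assumes Apache 2.4 (the version CentOS 7 ships, so it uses Require instead of the Order/Allow directives in the original config) with mod_proxy_http and mod_authz_core loaded; x.x.x.x stands for the backend address as in the thread, and 192.0.2.0/24 is a placeholder for your own management network.

```apache
# Added example: reverse-proxy vhost that exposes only the ACME challenge path
# on port 80 and keeps the rest of the site restricted.
<VirtualHost *:80>
    ServerName vault.legacyknights.org
    ServerAdmin support@legacyknights.org
    ProxyPreserveHost On

    # Reverse proxy only. "ProxyRequests On" would additionally turn this host
    # into a forward proxy, which ProxyPass does not need.
    ProxyRequests Off

    ErrorLog  logs/vault_error.log
    CustomLog logs/vault_access.log combined

    # Same mapping as the working fix in the thread; it also covers the
    # challenge path, so no second ProxyPass is needed.
    ProxyPass        / http://x.x.x.x/
    ProxyPassReverse / http://x.x.x.x/

    # <Location> sections are merged in the order they appear, with later
    # ones overriding earlier ones, so the general rule must come first.
    <Location "/">
        # Everything else on port 80: only the management network
        # (192.0.2.0/24 is a placeholder; replace with your own range).
        Require ip 192.0.2.0/24
    </Location>

    <Location "/.well-known/acme-challenge/">
        # HTTP-01 validation comes from multiple vantage points with no fixed
        # source list, and the files here are harmless static tokens, so the
        # challenge path is open to everyone.
        Require all granted
    </Location>
</VirtualHost>
```

Clients outside the placeholder range get a 403 for any path other than the challenge directory, while the validators can still fetch the challenge files through the proxy.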