Acquire and install certs on reverse proxy server configuration

Thought others might find these notes helpful. I have a reverse proxy between the firewall and the actual server delivering content. Nothing except the manual installation described here worked.

cert installation notes

from beta invite----------------
Greetings from Let’s Encrypt, jlmagee@mageenet.net.

Thank you for your interest in our beta program! We’re excited to let you know that your domains (below) have been whitelisted, and you can now utilize an ACME client to obtain a certificate for them.

Quick Start

To use Let’s Encrypt’s official client to obtain your real certificates, you will need to provide the production API URL on the command line:

    https://acme-v01.api.letsencrypt.org/directory

When running the Python client (installation directions [1]), be sure to specify the --server argument as shown below:

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

If you are using a different ACME client, be sure to configure it to use the production URL in order to get valid certificates. Many clients will default to the staging URL.

used this command eventually-----------------------------------

    ./letsencrypt-auto -v --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly \
        -a manual -d mydomain.com -d www.mydomain.com

Note that a port 443 Virtual Host is required even before the certs are installed

the -a manual allows cert creation without managing HTTP(S) on the real server
it requires manual creation of verification files, one for each domain, that may be served by the target domains
these files must be served with

  • Content-Type text/plain and NO Charset

        cat /var/www/mydomain/.well-known/acme-challenge/.htaccess
        Header set Content-Type "text/plain"
        AddDefaultCharset Off

    and in the Virtual Host on the Proxy

        AddDefaultCharset Off

    **********Note that on the Virtual Host on the Proxy this affects all files, so one would only want to have it on during the certificate creation
  • No trailing \n

        perl -pi -e 'chomp if eof' /var/www/mydomain/.well-known/acme-challenge/uZzG04GkX5…

    **********Consider virtual directory structures on the Proxy for /.well-known/acme-challenge/ files

When done carefully enough, this results in the required cert files in

    ls -alvshrt /etc/letsencrypt/live/mydomain.com/
    total 0
    0 drwx------. 3 root root 27 Nov 5 07:17 ..
    0 lrwxrwxrwx. 1 root root 41 Nov 5 08:11 privkey.pem -> ../../archive/mydomain.com/privkey2.pem
    0 lrwxrwxrwx. 1 root root 43 Nov 5 08:11 fullchain.pem -> ../../archive/mydomain.com/fullchain2.pem
    0 lrwxrwxrwx. 1 root root 39 Nov 5 08:11 chain.pem -> ../../archive/mydomain.com/chain2.pem
    0 lrwxrwxrwx. 1 root root 38 Nov 5 08:11 cert.pem -> ../../archive/mydomain.com/cert2.pem
    0 drwxr-xr-x. 2 root root 75 Nov 5 08:11 .

for apache configuration

    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

*****************probably want to copy the certs to some other directory structure so the live ones won’t be overwritten during a renewal
*****************certs are good for 90 days with renewal recommended at 60(1?) days

2 Likes
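
The two serving requirements in the first post (Content-Type `text/plain` with no charset, and no trailing newline) can be checked on a captured response before asking the CA to validate. This is an added example, not code from the thread; the function name `check_challenge` and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Capture a response through the proxy with:
#   curl -sS -D headers.txt -o body.bin http://mydomain.com/.well-known/acme-challenge/<token>
# then run: check_challenge headers.txt body.bin

# Prints one line per problem found; returns 0 only if the response is clean.
check_challenge() {
    local headers=$1 body=$2 rc=0 ctype last

    # Take the final Content-Type header, case-insensitively, minus CR and padding.
    ctype=$(tr -d '\r' < "$headers" | awk -F: '
        tolower($1) == "content-type" {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); v = tolower($0)
        }
        END { print v }')

    case $ctype in
        text/plain)      ;;   # exactly what the notes require
        text/plain*';'*) echo "Content-Type has a parameter (charset?): $ctype"; rc=1 ;;
        '')              echo "no Content-Type header"; rc=1 ;;
        *)               echo "unexpected Content-Type: $ctype"; rc=1 ;;
    esac

    # Inspect the last byte of the body as hex; 0a/0d means a trailing line ending.
    last=$(tail -c 1 "$body" | od -An -tx1 | tr -d ' \n')
    case $last in
        '')    echo "empty body"; rc=1 ;;
        0a|0d) echo "body ends with a line terminator (0x$last)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample responses (not captured from a real server).
demo_dir=$(mktemp -d)
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n' > "$demo_dir/good.hdr"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n' > "$demo_dir/charset.hdr"
printf 'constructed-token.constructed-thumbprint'   > "$demo_dir/good.body"
printf 'constructed-token.constructed-thumbprint\n' > "$demo_dir/newline.body"

check_challenge "$demo_dir/good.hdr"    "$demo_dir/good.body"    && echo "good: OK"
check_challenge "$demo_dir/charset.hdr" "$demo_dir/newline.body" || echo "bad: rejected"
```

Run it against a response fetched through the proxy rather than from the backend directly, since the proxy's own `AddDefaultCharset` setting is what the first post found to interfere.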

Did you try to reverse proxy the requests to a different port on the server running letsencrypt?
As mentioned here, the LE client needs to bind to port 80, which I'm already using but with the server name of the machine running the letsencrypt client instead of localhost…

1 Like

I did not try this. It is worth noting that this is not a dedicated reverse proxy but one with many Virtual Host definitions. The configuration would need to be specific to the virtual host for which the cert is being requested or perhaps to some ephemeral VH.

It would be easier to improve the process I used if all of the options were documented somewhere.

If you have several virtual hosts you may easily put the ProxyPass, ProxyPassReverse and Location directives into the definition of the virtual host that you want to request a cert for.
Actually it’s just copying the whole block not into /etc/apache2/mods-enabled/proxy.conf but into your VirtualHost directive, right?

I’m using apache httpd on CentOS 7.

So, it turns out I can use the webroot method of certificate acquisition using the following configuration and no manual intervention during the letsencrypt-auto process

In the port 80 VirtualHost

    ProxyPass /.well-known !
    Alias /.well-known "/var/www/.well-known"
    <Directory "/var/www/.well-known">
        Require all granted
        order allow,deny
        allow from all
        AllowOverride All
        AddDefaultCharset Off
        Header set Content-Type "text/plain"
    </Directory>

And this command

./letsencrypt-auto -v --text --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a webroot --webroot-path /var/www -d mydomain.tld

Then set up the port 443 VirtualHost with these directives, as an example, and it is all done

    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mydomain.tld/chain.pem

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
3 Likes

yup webroot authentication for such is the best way 🙂