Apache ProxyPass with Let's Encrypt


#1

Hello All,

I am trying to install a certificate for https://mail.dfiel.com. When I try to use --apache I get this error:

Failed authorization procedure. mail.dfiel.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

I am going to assume this is coming from the fact that this is a reverse proxy server. Each subdomain has ProxyPass rules to move most domains to my IIS server, but some to Exchange (this domain) and some special applications are routed elsewhere.

How can I use ProxyPass, but still complete the verification portion of Let’s Encrypt?

Thanks ahead,
Dfiel


#2

Hi, in this configuration I think DVSNI will never work so I would suggest using --webroot instead of --apache because it will use a challenge type that will work OK with a proxy. You’ll also have to specify a directory inside the webroot of your Apache server where the client can write files.


#3

What would the directory configuration look like? I'm new to Apache, I'm more of an nginx guy


#4

It’s just the “web root”, that is, whatever directory on your server is the top level for your site’s content (where the site’s main index.html or equivalent would go). It might be something like /var/www or /var/www/html, if you only have a single web site on that server.


#5

I should probably have said “a directory that is the webroot” rather than “a directory inside the webroot”!


#6

So would this work?

<VirtualHost *:*>
    ProxyPreserveHost On

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    ProxyPass / http://192.168.0.134:80/
    # Do not proxy the ACME challenge path; serve it from this server
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPassReverse / http://192.168.0.134:80/

    ServerName mail.dfiel.com

    # Webroot the Let's Encrypt client writes challenge files into
    # (assumed to be /var/www, matching the <Directory> block below)
    DocumentRoot /var/www

    <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

#7

I think you'd want them in reverse. See the documentation about the order: https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass
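An added check, not from this thread or from the Apache project, that applies the ordering rule linked above: mod_proxy tries ProxyPass rules in configuration order and the first match wins, so an exclusion placed after a broader prefix never fires. The sample vhost is constructed from post #6 (the *:80 port and DocumentRoot line are assumptions); the script reports the shadowed exclusion and moves exclusions ahead of the proxying rules.

```python
import re

# Constructed sample: the vhost posted in #6 above, with the exclusion AFTER the catch-all.
VHOST_FROM_THREAD = """<VirtualHost *:80>
    ServerName mail.dfiel.com
    DocumentRoot /var/www
    ProxyPreserveHost On
    ProxyPass / http://192.168.0.134:80/
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPassReverse / http://192.168.0.134:80/
</VirtualHost>"""

# Matches the two-argument form "ProxyPass <path> <target>" (quoted or bare);
# the one-argument form used inside <Location> blocks is not handled here.
_RULE = re.compile(r'^\s*ProxyPass\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.IGNORECASE)

def proxypass_rules(config):
    """(path, target) pairs in configuration order; target '!' means 'do not proxy'."""
    return [m.groups() for m in map(_RULE.match, config.splitlines()) if m]

def shadowed_exclusions(config):
    """Exclusions that never fire because an earlier, broader ProxyPass prefix
    already matches the same URL. With "/" before "/.well-known/acme-challenge/ !"
    the ACME challenge request is forwarded to the backend instead of the webroot."""
    rules = proxypass_rules(config)
    found = []
    for i, (path, target) in enumerate(rules):
        if target != '!':
            continue
        for prior_path, prior_target in rules[:i]:
            if prior_target != '!' and path.startswith(prior_path):
                found.append((path, prior_path))
                break
    return found

def exclusions_first(config):
    """Return the config with every ProxyPass exclusion moved ahead of the
    first proxying ProxyPass line; all other lines keep their position."""
    lines = config.splitlines()
    excl = [l for l in lines if _RULE.match(l) and _RULE.match(l).group(2) == '!']
    rest = [l for l in lines if l not in excl]
    first = next((i for i, l in enumerate(rest) if _RULE.match(l)), len(rest))
    return "\n".join(rest[:first] + excl + rest[first:])

if __name__ == "__main__":
    print("shadowed exclusions:", shadowed_exclusions(VHOST_FROM_THREAD))
    print(exclusions_first(VHOST_FROM_THREAD))
```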