Create new certificate failed on a reverse proxy

Hello everyone,
I encountered an issue during the first certificate generation for the domain name domo.serveurdegamma.fr. I want to use this domain on a reverse proxy server in apache2 on "server 1". This proxy server is used to redirect clients to a Raspberry Pi 4, "server 2", in the local network where the apache server is installed. The website hosted on the Raspberry Pi 4 can be reached only in the local network through a URL like http://my.domain.private:8080 (with "my.domain.private" associated with an IP address in /etc/hosts on the apache2 server). The proxy virtual host on the apache2 server is the following:

"<VirtualHost *:80>
ServerName domo.serveurdegamma.fr
ProxyPass / http://my.domain.private:8080/
ProxyPassReverse / http://my.domain.private:8080/
ProxyPreserveHost On
</VirtualHost>
"

My first investigations:

  • I set up the listening port on apache2 like this: 0.0.0.0:80 (disabling IPv6)
  • Let's Debug returned the following result: Let's Debug
  • I set up a root path for the proxy server like /var/myserver in case certbot needs a directory.
  • The domain name domo.serveurdegamma.fr is redirected to the correct IP address by DynHost on OVH CLOUD.
  • The proxy server is working and redirects all flow from domo.serveurdegamma.fr to the correct website hosted on the Raspberry Pi 4.

Do you have any idea what kind of mistake I could have made?

Thank you in advance!

My domain is: domo.serveurdegamma.fr

I ran this command: sudo certbot

It produced this output:

"Failed authorization procedure. domo.serveurdegamma.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domo.serveurdegamma.fr/.well-known/acme-challenge/5trW4lqFRL8ne6H3cuXURFomftiMQuDD8ywo8q4cuOk [xxx.xxx.xxx.xxx]: 403

IMPORTANT NOTES:

My web server is (include version): apache/2.4.29

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: private server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

1 Like

I think your apache config on the reverse proxy is somehow interfering (or not interfering enough, and the requests just go to the raspberry pi ignoring the reverse proxy completely)

1 Like

I'm not sure exactly what your problem is, but certbot 0.27.0 is quite old. The latest release is certbot 1.26.0: Releases · certbot/certbot · GitHub.

It's worth spending time to update to a recent version of certbot. You can find instructions that will work on Ubuntu 18 here: Certbot Instructions | Certbot (found by going to certbot.eff.org, and selecting "I'm using" > "Apache", "on" > "Ubuntu 18").

3 Likes

Thank you for your feedback! I finally solved the problem by adding a webroot on the proxy server to make sure that certbot can send its data to verify the server authentication.

I also updated certbot to version 1.26.0.

2 Likes
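The webroot fix described in the reply above, sketched as an added example; this is not configuration posted in the thread. It reuses the `/var/myserver` path and the backend URL from the original post, and assumes that directory is the one handed to certbot as the webroot.

```apache
# Added example: reverse-proxy vhost that answers ACME http-01 challenges
# locally instead of forwarding them to the backend.
<VirtualHost *:80>
    ServerName domo.serveurdegamma.fr

    # Exclude the challenge path from proxying. ProxyPass rules are checked
    # in configuration order, so this must come before the catch-all below.
    ProxyPass /.well-known/acme-challenge/ !

    # Serve challenge files from the local webroot (assumed: /var/myserver).
    Alias /.well-known/acme-challenge/ /var/myserver/.well-known/acme-challenge/
    <Directory "/var/myserver/.well-known/acme-challenge/">
        # Grant access to this one directory only. The stock Debian/Ubuntu
        # apache2.conf denies filesystem paths that are not explicitly
        # granted, and a denied path is answered with 403.
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else still goes to the backend from the original post.
    ProxyPreserveHost On
    ProxyPass / http://my.domain.private:8080/
    ProxyPassReverse / http://my.domain.private:8080/
</VirtualHost>
```

With this in place, certbot can be run in webroot mode, for example `sudo certbot certonly --webroot -w /var/myserver -d domo.serveurdegamma.fr`, so the challenge file is written where the proxy itself serves it.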

Excellent! Glad you solved the problem.

3 Likes
