Error installing Certbot with Apache reverse proxy to NodeJS

My issue is related to this:
Nginx as reversed proxy with apache and nodejs. How to install SSL certificates?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: player.ottawakaraoke.com

I ran this command:
certbot
It produced this output:

 - The following errors were reported by the server:

   Domain: player.ottawakaraoke.com
   Type:   unauthorized
   Detail: Invalid response from
   http://player.ottawakaraoke.com/.well-known/acme-challenge/1zmdcYJGngrsiZVIfhBUxXgS3NZYTjuYKDs6P0N6wU4
   [216.127.169.108]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
apache
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
secret cloud company
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
putty.exe
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
latest version

I'm thinking this is the best solution:

Alternatively, you can add an additional rule to your existing server block so that /.well-known/acme-challenge is served out of a directory on the filesystem, rather than being proxy_pass ed to a different server. In that case certbot --webroot would be able to work. Or you could add a rule that /.well-known/acme-challenge requests are proxy_pass ed to a different port and then use certbot --standalone --http-01-port followed by that port number.

Here is my virtual hosts file:


```
<VirtualHost *:*>
    ProxyPreserveHost On

    ProxyPass /api http://localhost:8003/
    ProxyPassReverse /api http://localhost:8003/

    ServerName player.ottawakaraoke.com
</VirtualHost>


<VirtualHost *:80>
    ServerName playlist.ottawakaraoke.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass /api http://localhost:8003/api
    ProxyPassReverse /api http://localhost:8003/api

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Hello @ianarman1,

I don't fully understand the reason to create two VirtualHosts, but you could add a DocumentRoot directive to your first VirtualHost and a ProxyPass directive to not proxy .well-known requests:

```
<VirtualHost *:*>
    ProxyPreserveHost On
    DocumentRoot /var/www/html
    ProxyPass /.well-known !
    ProxyPass /api http://localhost:8003/
    ProxyPassReverse /api http://localhost:8003/

    ServerName player.ottawakaraoke.com
</VirtualHost>


<VirtualHost *:80>
    ServerName playlist.ottawakaraoke.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass /.well-known !
    ProxyPass /api http://localhost:8003/api
    ProxyPassReverse /api http://localhost:8003/api
</VirtualHost>
```

Reload apache, create a test file in /var/www/html/.well-known/acme-challenge/

```
mkdir -p /var/www/html/.well-known/acme-challenge/
echo "this is a test" > /var/www/html/.well-known/acme-challenge/test
```

and try to get that file with your browser http://player.ottawakaraoke.com/.well-known/acme-challenge/test

If you see the text "this is a test", then you can try again to get your cert with certbot; if not, the apache conf should be checked again to find out why it is not using the right DocumentRoot.

Cheers,
sahsanu


I have made the changes.

http://player.ottawakaraoke.com/.well-known/acme-challenge/test

I'm still receiving the following error:

 - The following errors were reported by the server:

   Domain: player.ottawakaraoke.com
   Type:   unauthorized
   Detail: Invalid response from
   http://player.ottawakaraoke.com/.well-known/acme-challenge/XtMJNPQMfOcSiFpGxHyxBRF3P7b1pI1e1E2Vx29Uq2o
   [216.127.169.108]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


Should I remove the reverse proxy and just serve a temp file?


Well, seems you got your cert:


I removed the reverse proxy.

Now I'm trying to add it back in again.

Hopefully there is better support for nodejs in the future.

You should not remove the proxy part because to renew the cert you will have the same problem if you don't solve it now. Also, keep in mind that you should add the Proxy part to the VirtualHost that is serving the port 443.


The reverse proxy seems to be sending to NodeJS.

Although the website functioned fine without the reverse proxy.

However, when I tried to add the reverse proxy, I received the error "too many redirects":

```
<VirtualHost *:*>
    ProxyPreserveHost On

    ProxyPass /api http://localhost:8003/
    ProxyPassReverse /api http://localhost:8003/

    ServerName player.ottawakaraoke.com
</VirtualHost>


<VirtualHost *:443>
    ServerName playlist.ottawakaraoke.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass /api http://localhost:8003/api
    ProxyPassReverse /api http://localhost:8003/api

    SSLCertificateFile /etc/letsencrypt/live/player.ottawakaraoke.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/player.ottawakaraoke.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =player.ottawakaraoke.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```


This was the config certbot gave me with the reverse proxy removed:

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName player.ottawakaraoke.com

    # Other directives here
    SSLCertificateFile /etc/letsencrypt/live/player.ottawakaraoke.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/player.ottawakaraoke.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```


This is working, although with no reverse proxy.

This part should be on VirtualHost *:80 not in *:443 because it is creating a redirection loop.

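Both pitfalls in this thread, the challenge path being handed to the proxied backend (what sahsanu's `ProxyPass /.well-known !` line guards against) and the https redirect living in the *:443 vhost (the loop just described), can be caught by reading the vhost file before reloading Apache. The linter below is an added example, not anything from this thread or from certbot; the config it scans is constructed for the demo, with example.com hostnames and a catch-all `ProxyPass /` in place of the `/api` rule.

```python
import re

ACME_PATH = "/.well-known/acme-challenge/"
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def lint_vhosts(conf: str) -> list:
    """Return (listen_spec, problem) pairs for the two pitfalls seen in the thread."""
    findings = []
    for m in VHOST_RE.finditer(conf):
        listen, body = m.group(1).strip(), m.group(2)
        directives = [line.split() for line in body.splitlines()
                      if line.strip() and not line.lstrip().startswith("#")]
        # Pitfall 1: a redirect to https:// inside the *:443 vhost redirects to itself.
        if listen.endswith(":443") and any(
                d[0] == "RewriteRule" and len(d) > 2 and d[2].startswith("https://")
                for d in directives):
            findings.append((listen, "https redirect inside *:443 vhost (redirect loop)"))
        # Pitfall 2: ProxyPass rules are tried in order, first match wins; the challenge
        # path reaches the backend unless an earlier "ProxyPass <prefix> !" excludes it.
        for d in directives:
            if d[0] == "ProxyPass" and len(d) > 2 and ACME_PATH.startswith(d[1].rstrip("/") + "/"):
                if d[2] != "!":
                    findings.append((listen, f"ProxyPass {d[1]} forwards ACME challenges to the backend"))
                break  # first matching rule decides; later ProxyPass lines never see the request
    return findings

# Constructed sample, not the thread's exact file: the *:443 vhost carrying the
# RewriteRule that belongs in *:80, a catch-all proxy with no exclusion, and a fixed vhost.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName player.example.com
    DocumentRoot /var/www/html
    ProxyPass /api http://localhost:8003/api
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName proxied.example.com
    ProxyPass / http://localhost:8003/
</VirtualHost>
<VirtualHost *:80>
    ServerName fixed.example.com
    DocumentRoot /var/www/html
    ProxyPass /.well-known !
    ProxyPass / http://localhost:8003/
</VirtualHost>
"""

if __name__ == "__main__":
    for listen, problem in lint_vhosts(SAMPLE_CONF):
        print(f"{listen}: {problem}")
```

Note that the thread's own `/api` prefix never matches the challenge path, which is why the catch-all `/` case is used to show the proxied-challenge finding.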

Great job @sahsanu.

It's fun working with smart people like yourself.

Here is my working config:

```
<VirtualHost *:*>
    ProxyPreserveHost On

    ProxyPass /api http://localhost:8003/
    ProxyPassReverse /api http://localhost:8003/

    ServerName player.ottawakaraoke.com
</VirtualHost>


<VirtualHost *:443>
    ServerName playlist.ottawakaraoke.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass /api http://localhost:8003/api
    ProxyPassReverse /api http://localhost:8003/api

    SSLCertificateFile /etc/letsencrypt/live/player.ottawakaraoke.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/player.ottawakaraoke.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```



