Hiawatha Reverse Proxy - success ;o)


#1

I am testing on Alpine Linux with Hiawatha as a Reverse Proxy inside lxc.

I have self-signed certificates created in PEM format.

The following settings for the challenge directory work for a Hiawatha Reverse Proxy:

VirtualHost {
    Hostname .........
    Alias = /.well-known/acme-challenge:/var/www/letsencrypt/.well-known/acme-challenge
    TLScertFile = /path/to/key.pem
    ReverseProxy !^/.well-known/ http://xxxxxxxx:80 keep-alive
}

For testing the webroot method I used

letsencrypt certonly --debug --staging --agree-tos --text --email $email --webroot -w $webroot -d $domain -d www.$domain

For a normal certificate:

letsencrypt certonly --debug --agree-tos --text --email $email --webroot -w $webroot -d $domain -d www.$domain

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxxxxxxxxxx/fullchain.pem. Your
   cert will expire on 2016-04-18. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I have put some more notes here for Hiawatha & NGINX as reverse proxy or standalone webservers with letsencrypt
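A preflight check for the webroot (http-01) setup described in this post, added here as an example and not the poster's or Hiawatha's own code. It writes a throw-away token into the challenge directory, fetches it back through the URL the CA would request, and reports whether the proxy serves the file instead of forwarding the request to the backend; curl is assumed for http:// URLs, and file:// URLs are read locally so the check can be tried against a directory first.

```shell
#!/bin/sh
# Added example: verify that /.well-known/acme-challenge/ is served from
# the webroot before running "letsencrypt certonly --webroot".

# Fetch a URL and print its body. http:// goes through curl (assumed to be
# installed); file:// is read from disk so the logic can be tested offline.
fetch_body() {
    case "$1" in
        file://*) cat "${1#file://}" ;;
        *)        curl -fsS --max-time 10 "$1" ;;
    esac
}

# acme_preflight WEBROOT BASEURL
#   WEBROOT  the directory passed with -w (e.g. /var/www/letsencrypt)
#   BASEURL  where the CA will look, e.g. http://www.example.com (constructed)
# Returns 0 when the token comes back verbatim, 1 otherwise.
acme_preflight() {
    webroot="$1"; base="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # Unique file name so a stale copy cannot produce a false OK.
    token="preflight-$$-$(date +%s)"
    expected="check-$token"
    printf '%s' "$expected" > "$dir/$token" || return 1
    got=$(fetch_body "$base/.well-known/acme-challenge/$token" 2>/dev/null)
    rc=$?
    rm -f "$dir/$token"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: could not fetch $base/.well-known/acme-challenge/$token" >&2
        echo "      (port 80 closed, or the request is proxied to the backend?)" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL: body mismatch; the request was probably answered by the backend" >&2
        return 1
    fi
    echo "OK: challenge directory is served from the webroot"
    return 0
}

# Usage: acme_preflight /var/www/letsencrypt "http://www.$domain"
```

Run it for each name passed with -d, since the CA validates every hostname separately.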


#2

The dns-01 challenge isn’t in production yet ánd isn’t supported yet by the official client as far as I know. You can ignore warnings about it :)

But I think the problem is your whole server isn’t reachable from the internet. The IP it resolves to (62.113.213.133) isn’t pingable and port 80 and 443 seem to be closed:

osiris@desktop ~ $ telnet web2.it-offshore.co.uk 80
Trying 62.113.213.133...
telnet: connect to address 62.113.213.133: Connection refused
osiris@desktop ~ $ telnet web2.it-offshore.co.uk 443
Trying 62.113.213.133...
telnet: connect to address 62.113.213.133: Connection refused
osiris@desktop ~ $

So I guess you have a firewall or, most likely if you’re saying things like NAT loopback and the sorts, a portmap problem?


#4

Open open… I dunno, not from The Netherlands anyway… No connection refused error anymore, but now I got this:

osiris@desktop ~ $ telnet web2.it-offshore.co.uk 443
Trying 62.113.213.133...
telnet: connect to address 62.113.213.133: Connection timed out
osiris@desktop ~ $ telnet web2.it-offshore.co.uk 80
Trying 62.113.213.133...
telnet: connect to address 62.113.213.133: Connection timed out
osiris@desktop ~ $

#5

The same from the UK - can’t connect on 443 or 80


#6

Yes, it was the firewall being too strict - many thanks for testing @serverco / @Osiris