How to configure letsencrypt and a reverse proxy


#1

First of all, I apologize for the misleading title. I purposefully omitted a question mark. This is not a how-to guide, more of a request for one.

Now, if you’re still here and not mad at me:

Does such a guide exist? I’m a dabbler. I just recently discovered letsencrypt and got my first ever green https-thingy for one of my projects. Then I had the excellent idea to use https for more sites. Maybe 4-5 in total. All hobby projects of mine and my friends'. They all reside behind the same public IP, on a collection of 4 different web servers.

I have two problems here. First of all, I have no experience with a reverse proxy at all. Secondly, as I’ve come to understand, using https and letsencrypt adds some additional complexity.

I’m not a Linux, network, or certificate guru at all. But with Google I usually make do. On these subjects, however, I can only seem to find pieces, with no idea of how to put them together.

For instance:
To create a reverse proxy server for Apache on Debian, which I am using:
_https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
It’s not as comprehensive as I’d like, though, with https and several domains explained.

Then, making this work with letsencrypt leads me to a whole lot of different threads I only understand half of (being optimistic):

_https://community.letsencrypt.org/t/proxied-virtual-hosts/7279
_https://community.letsencrypt.org/t/acquire-and-install-certs-on-reverse-proxy-server-configuration/3093
_https://community.letsencrypt.org/t/letsencrypt-behind-nginx-reverse-proxy/12716
_https://github.com/certbot/certbot/issues/2164
_https://www.shivering-isles.com/lets-encrypt-get-certifiactes-for-reverse-proxied-services/

At least the Apache docs lead me to a fundamental understanding of what is happening with a reverse proxy:
_https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
But yet again, no https explanation.

Could someone take mercy on me and point me to the right resources?

EDIT: sorry for the links. I was not allowed to post more than 2


#2

Generally speaking, the instructions for Debian with Apache should work just as well if Apache is acting as a reverse proxy. Have you tried these commands, and did you run into any problems?

Would you mind sharing a few more details about your setup? For example, what kind of backend server is Apache sitting in front of, is the backend server hosted on the same server, etc.


#3

I’m glad to hear it. Maybe it will be less complicated than I first thought. I just need to push through the “I don’t get this at all” barrier.

As for my setup:

I’m running XenServer. All virtual machines are located on this one host, but in separate networks with pfSense as firewall. I’ve forwarded 443 and 80 to the reverse-proxy server.
All back-ends are running Apache, mainly Ubuntu (14 LTS-something)/Debian (Jessie), with the one exception of FreeBSD.

I get an informational/warning/error when I run certbot --apache.

As I said, I’m just trying to put together the pieces here. The guides I’m trying to follow only tell me what to do in their given use case. They don’t explain what I’m doing, making it harder to understand.

When running certbot --apache I get the following:

"No names were found in your configuration files.
You should specify ServerNames in your config files ..."

I’ve created a reverse.conf in sites-available and enabled it with a2ensite. Its content:

#<VirtualHost *:80>
#
#</VirtualHost>

<Virtualhost *:443>

    SSLEngine On
    Servername fifafrukost.se

    ProxyPreserveHost On

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    ProxyPass / https://192.168.40.105/
    ProxyPassReverse / https://192.168.40.105/

</Virtualhost>

I do, however, get an error in error.log when reloading apache2:

[Thu Jun 23 11:42:20.203716 2016] [ssl:emerg] [pid 4212:tid 140481191675776] AH02572: Failed to configure at least one certificate and key for fifafrukost.se:443
[Thu Jun 23 11:42:20.203749 2016] [ssl:emerg] [pid 4212:tid 140481191675776] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Thu Jun 23 11:42:20.203752 2016] [ssl:emerg] [pid 4212:tid 140481191675776] AH02312: Fatal error initialising mod_ssl, exiting.

I’m missing some understanding here. I thought certbot was going to create the certificate for me. And do stuff to Apache to make it work.
Also, I’m still unclear about whether the reverse proxy is supposed to hold all certificates for all sites, locally on its own, or if I’m supposed to install the certificates separately on each machine respectively.


#4

That makes things a bit easier. Since you’re not talking to your backend servers over some untrusted network, you can terminate SSL/TLS on the reverse proxy level, and talk HTTP to your backend servers. Meaning: No need to get/push certificates to your backend servers, or to configure SSL/TLS on those servers. This means you should probably change your ProxyPass(Reverse) directives to use http://.

The easiest way to get the apache plugin working is to have an HTTP-only configuration (i.e. VirtualHosts on port 80). The idea is that you already have a working web server that’s configured properly for HTTP, and then you run certbot to make everything work with HTTPS too. In your case, that means you should probably change all your vhosts to be HTTP-only, remove any SSL directives, make sure everything is working as expected, and only then run certbot.

PS: I’m not certain if certbot is case sensitive, but I’d change Servername to ServerName to avoid finding that out. :smile:


#5

Thank you so much for your replies!

I’ve edited my vhost file to only use *:80 and http, and disabled the Apache SSL mod.
I have an additional vhost entry on another internal IP, so the reverse proxying seems to be fine, both sites (and all 3 in total) are reachable.

<Virtualhost *:80>

    #SSLEngine On
    ServerName fifafrukost.se

    ProxyPreserveHost On

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    ProxyPass / http://192.168.40.105/
    ProxyPassReverse / http://192.168.40.105/

</Virtualhost>

<Virtualhost *:80>

    #SSLEngine On
    ServerName test.fifafrukost.se

    ProxyPreserveHost On

    ProxyPass / http://192.168.40.105/
    ProxyPassReverse / http://192.168.40.105/

</Virtualhost>

However I still get the message about not finding any ServerNames. /var/log/letsencrypt/letsencrypt.log tells me:

2016-06-23 12:02:09,525:DEBUG:certbot.main:Root logging level set at 30
2016-06-23 12:02:09,525:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-06-23 12:02:09,526:DEBUG:certbot.main:certbot version: 0.8.0
2016-06-23 12:02:09,526:DEBUG:certbot.main:Arguments: ['--apache']
2016-06-23 12:02:09,526:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-06-23 12:02:09,528:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2016-06-23 12:02:09,773:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f52eaa64510>
Prep: True
2016-06-23 12:02:09,774:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x7f52eaa64510> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x7f52eaa64510>
2016-06-23 12:02:11,434:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.8.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 735, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 497, in run
    domains = _find_domains(config, installer)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 264, in _find_domains
    raise errors.Error("Please specify --domains, or --installer that "
Error: Please specify --domains, or --installer that will help in domain names autodiscovery
Server version: Apache/2.4.10 (Debian)
Server built:   Nov 28 2015 14:05:48
Server's Module Magic Number: 20120211:37
Server loaded:  APR 1.5.1, APR-UTIL 1.5.4
Compiled using: APR 1.5.1, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)

#6

Speaking of certbot possibly being case-sensitive, try making it VirtualHost instead of Virtualhost.

Another common gotcha is that certbot doesn’t like seeing multiple <VirtualHost> tags in the same file, so if that’s the case for your config, try splitting them into separate files. (I think certbot would show a warning if that were the case, though.)
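Putting the advice of the last few replies together, as an added example that is not code from the thread: a POSIX shell script that writes one HTTP-only reverse-proxy vhost per hostname, one file each with the exact VirtualHost/ServerName spelling, and a small lint that flags the two gotchas above (several VirtualHost blocks in one file, directives not in canonical case). The output directory and the ServerAlias are assumptions; the hostnames and backend address are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes one HTTP-only reverse-proxy
# vhost per hostname (one file each, canonical "VirtualHost"/"ServerName"
# spelling) and lints files for the gotchas discussed above. The output
# directory is an assumption: point it at a scratch directory first, then at
# /etc/apache2/sites-available once the generated files look right.
set -eu

# vhost_write DIR HOSTNAME BACKEND_URL [ALIAS ...]
# Creates DIR/HOSTNAME.conf holding exactly one <VirtualHost *:80> block.
vhost_write() {
    dir=$1; host=$2; backend=$3; shift 3
    aliases=${*:-}
    {
        echo "<VirtualHost *:80>"
        echo "    ServerName $host"
        if [ -n "$aliases" ]; then
            echo "    ServerAlias $aliases"
        fi
        # Pass the original Host header on so the backend's own vhosts still match
        echo "    ProxyPreserveHost On"
        echo "    ProxyPass / $backend"
        echo "    ProxyPassReverse / $backend"
        echo "</VirtualHost>"
    } > "$dir/$host.conf"
}

# vhost_lint FILE
# Prints each problem found and returns 1 if there were any, 0 if clean:
#   - more than one VirtualHost block in the file
#   - "VirtualHost" or "ServerName" not spelled in that exact case
vhost_lint() {
    f=$1; rc=0
    exact=$(grep -c '^[[:space:]]*<VirtualHost' "$f" || true)   # case-sensitive count
    any=$(grep -ci '^[[:space:]]*<VirtualHost' "$f" || true)    # case-insensitive count
    if [ "$any" -gt 1 ]; then
        echo "$f: $any VirtualHost blocks in one file; split them into separate files"
        rc=1
    fi
    if [ "$exact" -ne "$any" ]; then
        echo "$f: spell the opening tag exactly as <VirtualHost"
        rc=1
    fi
    if ! grep -q '^[[:space:]]*ServerName[[:space:]]' "$f"; then
        echo "$f: no ServerName directive found (check spelling and case)"
        rc=1
    fi
    return $rc
}

# Demo against a temporary directory (hostnames and backend taken from the
# thread; the ServerAlias is an assumption).
demo() {
    d=$(mktemp -d)
    vhost_write "$d" fifafrukost.se      http://192.168.40.105/ www.fifafrukost.se
    vhost_write "$d" test.fifafrukost.se http://192.168.40.105/
    # The original single-file layout, reproduced so the lint can catch it
    cat "$d/fifafrukost.se.conf" "$d/test.fifafrukost.se.conf" > "$d/reverse.conf"
    for f in "$d"/*.conf; do
        if vhost_lint "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$d"
}
demo
```

Once the files are in sites-available, the usual Debian sequence applies: `a2enmod proxy proxy_http`, `a2ensite` each file, `apachectl configtest`, reload Apache, confirm each hostname reaches its backend over plain HTTP, and only then run `certbot --apache`, which adds the port-443 copies of these vhosts itself. The plain-HTTP backend leg is only acceptable because, as #4 notes, it never leaves the virtualisation host's internal networks; anything else goes through the proxy's TLS.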


#7

You were correct. Multiple VirtualHost entries caused it to not recognize any of them. Split them to separate vhost files. Certbot even recognized my server aliases!

THANK YOU!

I am profoundly grateful for your help. I’ve been banging my head against this for quite some time, getting more and more confused with every new article I stumbled upon. What a relief!


#8

To use SSL to talk to your backends, you need to have a statement like:

    SSLProxyEngine on
    SSLProxyProtocol -All +TLSv1.2 +TLSv1.1 +TLSv1

in your Apache config.
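If you do go the route in #8 and let the proxy speak TLS to a backend, the two directives above only switch the client side of mod_ssl on; by default Apache does not verify the backend's certificate (SSLProxyVerify defaults to none), so an attacker on the backend network could sit in the middle unnoticed. The following is an added example, not code from the thread: a shell helper that prints the backend-TLS directives with verification enabled, and a lint that flags a vhost proxying to https:// without them. The CA file path and the backend hostname are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits SSLProxy* directives for a
# vhost that proxies to https://, with backend certificate verification turned
# on (Apache's default SSLProxyVerify is "none"), and lints a vhost file for the
# weak form: a ProxyPass to https:// without verification. The CA file path and
# backend names below are assumptions.
set -eu

# ssl_proxy_block CA_FILE
# Prints the backend-TLS directives for inclusion inside a <VirtualHost>.
ssl_proxy_block() {
    cat <<EOF
    SSLProxyEngine on
    # Backend leg: TLS 1.2 only; add +TLSv1.1/+TLSv1 only for a backend that needs them
    SSLProxyProtocol -all +TLSv1.2
    # Verify the backend certificate against the CA that issued it and check
    # that its name matches the host part of the ProxyPass URL
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile $1
EOF
}

# ssl_proxy_lint FILE
# Returns 0 if the file has no https:// ProxyPass, or has one together with
# SSLProxyEngine on, SSLProxyVerify require and SSLProxyCheckPeerName on.
# Prints each missing directive and returns 1 otherwise.
ssl_proxy_lint() {
    f=$1; rc=0
    if grep -qi '^[[:space:]]*ProxyPass[[:space:]].*https://' "$f"; then
        for want in 'SSLProxyEngine on' 'SSLProxyVerify require' 'SSLProxyCheckPeerName on'; do
            if ! grep -qi "^[[:space:]]*$want" "$f"; then
                echo "$f: proxies to https:// but lacks '$want'"
                rc=1
            fi
        done
    fi
    return $rc
}

# Demo: the weak form, then the same vhost with the block added.
demo() {
    d=$(mktemp -d)
    vhost_body='    ProxyPreserveHost On
    ProxyPass / https://backend.internal/
    ProxyPassReverse / https://backend.internal/
</VirtualHost>'
    { echo '<VirtualHost *:80>'; echo '    ServerName fifafrukost.se'
      echo "$vhost_body"; } > "$d/weak.conf"
    { echo '<VirtualHost *:80>'; echo '    ServerName fifafrukost.se'
      ssl_proxy_block /etc/ssl/certs/internal-ca.pem   # assumed CA path
      echo "$vhost_body"; } > "$d/hardened.conf"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        if ssl_proxy_lint "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$d"
}
demo
```

Two practical points: SSLProxyCheckPeerName compares the certificate against the host in the ProxyPass URL, so proxy to a name the backend certificate actually carries (internal DNS or an /etc/hosts entry on the proxy) rather than to a bare IP such as 192.168.40.105; and this backend hop is unrelated to Let's Encrypt, whose certificate lives only on the internet-facing :443 vhost. Backend certificates come from your own internal CA, which is what SSLProxyCACertificateFile points at.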

