How to get LetsEncrypt on apache reverseproxy and the webhost behind it?

I have the following construction

Firewall --> Reverse proxy --> Webhost 1

I currently used self signed certificates which I placed on both the Reverse Proxy and Webhost 1 servers.
At the Reverse proxy, every incoming http://example.com request is rewritten to https://example.com using the following apache config in /etc/apache2/sites-enabled/000-default:

```
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Redirect every plain-HTTP request to the HTTPS site
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://example.com/$1 [R,L]
</VirtualHost>
```

At the moment my self signed cert has run out of time so my http request is already getting denied at the reverse proxy server.

Now I tried to set up Let's Encrypt, but I can’t find clear instructions on how to do this with a reverse proxy setup. I have found some guides like: here, but I can’t decrypt this post into something I can understand.

Now my questions:
1. What should the setup look like?
I think the proper way would be to have letsencrypt running on the reverse proxy only, and have some script copy the cert files also to the webhost behind it. But I’m unsure about this.
2. How to start in my current situation?
I have no idea where to start since my certificate is already expired so I can’t show any verification code on my sites.
To make things worse, I’m actually behind 2 reverse proxies. I’m going to look into the option to present my verification code to Let’s Encrypt through my DNS domain hosting provider.

Hi @AcE_Krystal, one option would be to modify the RewriteRule so that requests to http://example.com/.well-known/acme-challenge/ get passed through in HTTP without the rewrite. (This really shouldn’t harm the overall security of the site!) Then the domain control challenge can pass using HTTP, with no HTTPS at all.

Changing the DNS records is another option, as you mention.

I believe the reverse proxy shouldn’t need the certificate or private key as long as it isn’t terminating TLS and is simply forwarding HTTPS requests all the way through to the server at the TCP layer. If it acts as TLS endpoint and negotiates encryption with the incoming client – if the private key and certificate you were using before are on the reverse proxy – you’ll need to copy the certificate and private key onto it (or perhaps generate them on the reverse proxy machine in the first place).

@AcE_Krystal, we can give you better help if you give us the real name of your site so we can check the current certificate on it.

If the problem is really between your firewall and reverse proxy, and you've been successfully using a self-signed certificate there, there is no need for Let's Encrypt. You can generate and install a new self-signed certificate with an updated expiration.
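
The pass-through suggested in the first reply, written out for the port-80 virtual host on the reverse proxy. This is an added example, not configuration posted by anyone in the thread; the webroot path `/var/www/letsencrypt` and the Apache 2.4 access-control syntax are assumptions.

```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Assumed webroot: the ACME client writes its HTTP-01 challenge files
    # below this directory on the reverse proxy itself.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        # Static token files only: no indexes, no CGI, no .htaccess overrides.
        Options None
        AllowOverride None
        # Apache 2.4 syntax (assumption). On Apache 2.2 use:
        #   Order allow,deny
        #   Allow from all
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    # Exempt only the challenge path from the redirect; every other
    # plain-HTTP request is still sent to HTTPS as before.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/?(.*) https://example.com/$1 [R,L]
</VirtualHost>
```

With this in place, an ACME client running in webroot mode on the proxy and pointed at the assumed directory can complete validation over port 80 while the HTTPS certificate is expired. The exemption is scoped to the challenge prefix, so no application content becomes reachable over plain HTTP.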
