The problem:
- Running several platforms behind single public IP.
- My ISP is blocking port 80, so I have only one port left: 443.
The setup:
Pound proxy (or another one) is employed to listen and then to distribute based on SubdomainX.DomainY.com.
The approach:
The implementation explained in the link below does not work out because, whatever port is specified in --http-01-port 8000, LE will keep trying to verify through port 80 only, which is blocked.
https://secwise.nl/lets-encrypt-certifcates-and-pound-load-balancer/
I have modified the offered solution to proceed with --tls-sni-01-port 443 on a different machine, with the following Pound directives on the main internet-facing machine:

ListenHTTPS
    Address 221.212.7.253
    Port 443
    # replace any client-supplied forwarding headers before adding our own
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"
    AddHeader "X-Forwarded-Proto: https"
    # placeholder certificate until a real one is issued
    Cert "/etc/pound/OpenSSL_Self-signed.PEM"
    SSLAllowClientRenegotiation 0
    SSLHonorCipherOrder 1
    xHTTP 4

    # route ACME challenge requests to the machine running the LE client
    Service
        URL "^/.well-known/acme-challenge/.*"
        BackEnd
            Address 221.212.7.15
            Port 443
            HTTPS
        End
    End
End
This does not work because ListenHTTPS needs a certificate, which has not been obtained yet, and hence the self-signed one gets rejected by LE as giving wrong information on the domain owner.
Please advise.
If there is no way for both LE and Pound to be on a single machine, no worries; a separate machine will be dedicated to LE certifications and renewals. The question is then how to direct LE verification to that machine, as the proxy server is the internet-facing machine.