LE Standalone and Pound Proxy


#1

The problem:

  1. Running several platforms behind single public IP.
  2. My ISP is blocking port 80 so i have only one port left 443

The setup:
Pound proxy - or others - is employed to listen and then to distribute based on SubdomainX.DomainY.com

The approach:
Implementation explained in below link does not work out due to whatsoever specified port in –http-01-port 8000 LE will keep trying to verify through port 80 only which is blocked.

https://secwise.nl/lets-encrypt-certifcates-and-pound-load-balancer/

I have modified the offered solution to proceed with –tls-sni-01-port 443 on different machine with the following Pound directives on the main internet-facing machine,

ListenHTTPS
Address 221.212.7.253
Port 443
AddHeader "“X-Forwarded-Proto: https”"
HeadRemove "“X-Forwarded-Proto”"
HeadRemove "“X-Forwarded-For”"
Cert "/etc/pound/OpenSSL_Self-signed.PEM"
SSLAllowClientRenegotiation 0
SSLHonorCipherOrder 1
xHTTP 4

Service
  URL                          "^/.well-known/acme-challenge/.*"
  BackEnd
  	Address                                       221.212.7.15
  	HTTPS
  	Port                                                   443
  End

End

Does not work cause ListenHTTPS needs a certificate -which is not obtained yet - and hence self-signed one getting rejected by LE as getting wrong information on domain owner.

Please advice,
In case of no way both LE and Pound to be on single machine, no worries, separate machine will be dedicated for LE certifications and renewals, but the matter is how to establish directing LE verification to its machine as the proxy server is the facing machine.


#2

I think you’ve misunderstood tls-sni-01. This challenge mode involves custom code to recognise the non-standard SNI request. When that happens a custom X.509 certificate needs to be presented, and this forms the proof of control needed.

If you’re intending to implement tls-sni-01 you should read the ACME documentation linked from Let’s Encrypt’s pages.

Other alternatives in your case might include DNS proofs, or Certbot’s standalone mode (which will require stopping your real services while the challenge is done)


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.