I have found quite a few references to LE behind a proxy, but I could not apply the comments to my case. Sorry, I am Reverse Proxy Challenged.
The question is a follow-up to a comment I wrote on the German forum of ISPCONFIG.
Apache 2 on Ubuntu. Let's Encrypt works perfectly and renews without problems on all non-proxied sites. However, I have some sites that need a reverse proxy to run RStudio Shiny. Example: Breath Test Shiny.
LE works, but automatic renewal fails. To force renewal, I have to remove the proxy first and then re-insert it. Till on the ISPCONFIG forum suggested adding LE to the passed part, but I don't understand which path to insert to let it pass.
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPass /stats !
RedirectMatch permanent ^/apps/$ /apps/
ProxyPreserveHost Off
ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/
So requests to validate your domain will use the DocumentRoot defined in your VirtualHost conf instead of being proxied.
If you are not using a DocumentRoot for your VirtualHost, you could even specify an Alias to point these requests to a concrete dir (in the example below the dir is /var/www/html/letsencrypt/).
Alias "/.well-known/acme-challenge/" "/var/www/html/letsencrypt/.well-known/acme-challenge/"
You could put this Alias before <Proxy *>, but if you already have a working DocumentRoot there is no need for this Alias.
Thanks, @sahsanu. I had seen many messages of yours and others that mention .well-known/acme-challenge !, and I never understood if that's a placeholder. That's where I got lost.
So help me with something basic: what does .well-known stand for?
.well-known is a standard directory for this kind of purpose; if you want more info you could take a look at RFC5875. acme-challenge is the dir inside .well-known used to place the challenges created by the client used to request a Let's Encrypt certificate.
An example:
Domain: example.com
DocumentRoot: /var/www/example/
Challenge used: http-01
So, when you try to issue a new cert for the domain example.com, the client used will create a token in this path: /var/www/example/.well-known/acme-challenge/token. Once done, Let's Encrypt will try to reach this token using this URL: http://example.com/.well-known/acme-challenge/token. If the token file and its content are valid, Let's Encrypt has proved you control the domain and will issue a certificate for your domain.
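Putting the exclusion advice and the http-01 walkthrough above together, here is an added example VirtualHost (not config from the thread or from ISPConfig) that keeps the Shiny reverse proxy but serves the ACME challenge path from disk. It assumes the thread's example values (example.com, /var/www/example, /var/www/html/letsencrypt/, Shiny on localhost:3838) and Apache 2.4 syntax for the Directory block.

```apache
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    # The ACME client writes the http-01 token under
    # <dir>/.well-known/acme-challenge/<token>. The Alias is only needed
    # when this VirtualHost has no usable DocumentRoot; the target directory
    # is the thread's example path, so adjust it to your own layout.
    Alias "/.well-known/acme-challenge/" "/var/www/html/letsencrypt/.well-known/acme-challenge/"
    <Directory "/var/www/html/letsencrypt/.well-known/acme-challenge/">
        Require all granted
        Options -Indexes
    </Directory>

    ProxyRequests Off
    ProxyPreserveHost Off

    # Exclusions ("!") must come BEFORE the catch-all "ProxyPass /":
    # ProxyPass rules are matched in configuration order and the first
    # match wins, so an exclusion placed after it would never be reached.
    ProxyPass "/.well-known/acme-challenge/" "!"
    ProxyPass "/stats" "!"

    # Everything else goes to Shiny, websockets included.
    ProxyPassMatch "^/(.+)/websocket" "ws://localhost:3838/$1/websocket" keepalive=On
    ProxyPass        "/" "http://localhost:3838/"
    ProxyPassReverse "/" "http://localhost:3838/"
</VirtualHost>
```

After reloading Apache, dropping a plain text file into the acme-challenge directory and fetching it over plain HTTP with curl confirms the request is answered from disk rather than by Shiny before you run a renewal.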
Thanks, it’s clear now that this is verbatim, and thanks for the link. I always thought that I had to replace .well-known by something I should know, similar to the “mydomain” term.