I have found quite a few references to LE behind proxy, but I could not apply the comment to my case. Sorry, I am Reverse Proxy Challenged.
The question is a followup to a comment I wrote on the German Forum of ISPCONFIG
Apache 2 on Ubuntu. Let’s Encrypt works perfectly and updates without problems on all non-proxied sites. However, I have some sites that need a reverse proxy to run Rstudio Shiny. Example Breath Test Shiny.
LE works, but automatic renewal fails. To force renewal, I have to remove the proxy first, and then re-insert it. Till on the ISPCONFIG forum suggested to add LE to the passed part, but I don’t understand which path to insert to let it pass.
Allow from all
ProxyPass /stats !
RedirectMatch permanent ^/apps/$ /apps/
ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/
.well-known is a standard directory for this kind of purpose; if you want more info you could take a look at RFC5875. acme-challenge is the dir inside .well-known used to place the challenges created by the client used to request a Let’s Encrypt certificate.
Challenge used: http-01
So, when you try to issue a new cert for domain example.com, the client used will create a token in this path: /var/www/example/.well-known/acme-challenge/token. Once done, Let’s Encrypt will try to reach this token using this URL: http://example.com/.well-known/acme-challenge/token. If the token file and its content are valid, Let’s Encrypt has proved you control the domain and will issue a certificate for your domain.
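One way to keep the http-01 path out of the proxy, following the `ProxyPass /stats !` pattern already in the posted configuration. This is an added example, not part of the original posts; example.com and /var/www/example are the placeholder names from the answer above, and the Alias target is an assumption about where the ACME client writes its tokens.

```apache
# Added example. Place inside the virtual host that answers
# http://example.com/ (http-01 validation starts on port 80).
# Other directives in the vhost stay as they are.

# Before (as posted): the catch-all hands every path to Shiny, including
# /.well-known/acme-challenge/<token>, so the validation request never
# reaches the token file on disk and renewal fails.
#   ProxyPass        / http://localhost:3838/
#   ProxyPassReverse / http://localhost:3838/

# After: ProxyPass/ProxyPassMatch rules are checked in configuration order
# and the first match wins, so every exclusion ("!") must come before the
# catch-all "ProxyPass /".
ProxyPass /stats !
ProxyPass /.well-known/acme-challenge/ !

# Assumption: tokens are written under the path named in the answer.
# The Alias is only needed when that directory is not already below the
# vhost's DocumentRoot.
Alias /.well-known/acme-challenge/ /var/www/example/.well-known/acme-challenge/
<Directory "/var/www/example/.well-known/acme-challenge/">
    # Serve token files only: no listings, no .htaccess overrides.
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Proxy rules unchanged, but now after the exclusions.
ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass        / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/

# Check: put a test file in the acme-challenge directory and fetch
# http://example.com/.well-known/acme-challenge/<file> from outside.
# The response should be the file's content, not a page from Shiny.
```

Excluding only `/.well-known/acme-challenge/` rather than all of `/.well-known/` keeps the locally served surface as small as the challenge requires.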