Let's encrypt update behind reverse proxy

I have found a quite a few references to LE behind proxy, but I could not apply the comment to my case. Sorry, I am Reverse Proxy Challenged.

The question is a followup to a comment I wrote on the German Forum of ISPCONFIG

Apache 2 on Ubuntu. Let’s encrypt works perfectly and updates without problems on all non-proxied sites. However, I have some sites that need a reverse proxy to run Rstudio Shiny. Example Breath Test Shiny.

LE works, but automatic renewal fails. To force renewal, I have to remove the proxy first, and the re-insert it. Till on the ISPCONFIG forum suggested to add LE to the passed part, but I don’t understand which path to insert to let it pass.

<Proxy *>
Order deny,allow
Allow from all
ProxyRequests Off
ProxyPass /stats !
RedirectMatch permanent ^/apps/$ /apps/
ProxyPreserveHost Off

ProxyPassMatch ^/(.+)/websocket ws://localhost:3838/$1/websocket keepalive=On
ProxyPass / http://localhost:3838/
ProxyPassReverse / http://localhost:3838/

Hi @dmenne,

You can do it the same way as /stats just add one line for /.well-known/acme-challenge

ProxyPass /stats !
ProxyPass /.well-known/acme-challenge !

So requests to validate your domain will use the defined DocumentRoot in your VirtualHost conf instead of proxying it.

If you are not using a DocumentRoot for your VirtualHost you could even specify an Alias to point these requests to a concrete dir (in below example the dir is /var/www/html/letsencrypt/) .

Alias "/.well-known/acme-challenge/" "/var/www/html/letsencrypt/.well-known/acme-challenge/"

You could put this Alias before <Proxy *> but if you already have a working DocumentRoot no need for this Alias.

I hope this helps.


Thanks, @sahsanu. I had seen many messages of your’s and others that mention .well-known/acme-challenge !, and I never understood if that’s placeholder. That’s where I got lost.

So help me with something basic: what does .well-known stand for?

.well-known is a standard directory for this kind of purposes, if you want more info you could take a look to RFC5875 and acme-challenge is the dir inside .well-known used to place the challenges created by the client used to request a Let’s Encrypt certificate.

An example:
Domain: example.com
DocumentRoot: /var/www/example/
Challenge used: http-01

So, when you try to issue a new cert for domain example.com the client used will create a token in this path /var/www/example/.well-known/acme-challenge/token once done, Let’s Encrypt will try to reach this token using this url http://example.com/.well-known/acme-challenge/token if the token file and its content are valid, Let’s Encrypt has proved you control the domain and will issue a certificate for your domain.

I don’t know if it is clear… :wink:


1 Like

Thanks, it’s clear now that this is verbatim, and thanks for the link. I always thought that I had to replace .well-known by something I should know, similar to the “mydomain” term.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.