Letsencrypt noob.. Apache reverse proxy + SSL on backend


#1

Hello everyone, I’ve been reading for about 4 hours now and can’t seem to find what I’m looking for. I have solved a few issues but I have one hanging one… Or I have seen the answer, I’m just not understanding it.

my network… single public IP with several servers behind it on different VLANS. I need to have access to servers from both LAN and WAN… Previously I only had a couple servers and was using paid SSL certificates. Installation was easy… Now I have more services and need SSL everywhere… here is where i’m getting stumped…

I have two dns views with bind, one for internal, one external. Internally when I request a site i’m given the 10.x.x.x Ip address, when accessing the same services outside the LAN DNS returns me to the WAN IP.

Now i’m trying to use Lets Encrypt and save hundreds a year in SSL… This is where my confusion begins…

I previously used (and still using) Apache Reverse Proxy… Almost all servers are Ubuntu 16, and soon to be 18 LTS. As I understand it, certbot will create a verification file on the requesting machine in order to create the certificate. I have no problem creating all the certificates for the Virtual Hosts on the Reverse Proxy server (before configuring the Proxy for the subdomains…), thats the easy part… Where it’s confusing me is once I configure the proxy and send all traffic to the internal machines certbot won’t be able to automatically renew the cert on the proxy, since the internal servers will receive the request, however the internal servers will have no problem renewing… Is that correct??

a quick rough diagram

|internet|-----|cisco router|----[reverse proxy]----[L3 switching]---|---vlan10----[ssl server 1:443 - a.domain.com]
                                                         |           |---vlan20----[ssl server 2:443 - b.domain.com]
                                                         |           |---vlan30----[ssl server 3:443 - c.domain.com]
                                                         |
                                                         |
                                                         |
                                               [internal LAN]

In a nutshell, Is it possible to have auto updated SSL on both the proxy and the internal servers?
The more I read the more I learn, but the more confused I am with all the options.

Thanks, and I’m sorry if this has been answered already I likely am just not understanding the solution.

example vhost configs on the proxy, DNS is answered by tine internal view, so the local IP is returned for the domain name. Each vhost is a separate file.

<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/a.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/a.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#LogLevel emerg
ServerName a.domain.com
ServerAdmin admin@domain.com
DocumentRoot /var/www/vhosts/a.domain.com/htdocs/
ErrorLog /var/www/vhosts/a.domain.com/logs/ssl-error.log
CustomLog /var/www/vhosts/a.domain.com/logs/ssl-access.log "combined"
  SSLProxyEngine on
  ProxyPreserveHost On
  # Servers to proxy the connection, or
  # List of application servers Usage
  ProxyPass / https://a.domain.com/
  ProxyPassReverse / https://a.domain.com/
</VirtualHost>


<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/b.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/b.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#LogLevel emerg
ServerName b.domain.com
ServerAdmin admin@domain.com
DocumentRoot /var/www/vhosts/b.domain.com/htdocs/
ErrorLog /var/www/vhosts/b.domain.com/logs/ssl-error.log
CustomLog /var/www/vhosts/b.domain.com/logs/ssl-access.log "combined"
  SSLProxyEngine on
  ProxyPreserveHost On
  # Servers to proxy the connection, or
  # List of application servers Usage
  ProxyPass / https://b.domain.com/
  ProxyPassReverse / https://b.domain.com/
</VirtualHost>

#2

Provided you’re using Certbot’s --apache plugin: it creates a temporary alias in the relevant Apache VirtualHost to point to the file required to respond to the challenge. So it should work on the proxy even while it’s proxying all other requests to the backends.

The proxy will forward other requests - including requests from the validation server - to the backends as you described, so they should be able to correctly respond to challenges too.

You might want to add the option --preferred-challenges http to ensure that it doesn’t try to use the deprecated tls-sni-01 challenge for renewals, as that wouldn’t work with this proxy setup.

You’ll need port 80 open on the proxy. You can forward it to the backends as you’ve done with 443, or you can set up a 301 redirect to HTTPS directly on the proxy server; either should work.

You can test it with certbot renew --dry-run.

Watch out for the rate limits.


#3

Thank you, I will test this out and let you know how it works. Thank you!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.