Hey Let's Encrypt Community,
I'm new here and have an issue with requesting a certificate with Certbot 1.32.2.
In my setup I've got an Apache reverse proxy, server name "lehner-rp01". My web server runs nginx in a Docker container, server name "lehner-bw01". Furthermore, my CA server "lehner-ca01" is for internal communication over HTTPS with certificates, e.g. lehner-rp01 <--> lehner-bw01. The web service should be public under the following name: app01.mueleh.ch. All these servers run Ubuntu Server 22.04 LTS.
I created a virtual host on my Apache server like this:
```apache
<VirtualHost *:80 *:443>
    ServerName app01.mueleh.ch
    DocumentRoot /var/www/html
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost on
    ProxyRequests Off
    ProxyErrorOverride Off
    ProxyPassReverse / http://lehner-bw01.mueleh.ch/
    ProxyPass "/.well-known" "!"
    ProxyPass / http://10.0.4.62/
    <Directory "/var/www/html/.well-known">
        Require all granted
        Options None
    </Directory>
    <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Proxy>
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log example
</VirtualHost>
```
In the configuration file for the nginx Docker container, the following is configured:
```yaml
# Full URL for accessing the installation from a browser. (Required)
url: https://lehner-bw01.mueleh.ch
#
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
generate_compose_config: true
#
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 80
#
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 443
#
# Docker compose file version. Leave empty for default.
# Learn more: https://docs.docker.com/compose/compose-file/compose-versioning/
compose_version:
#
# Configure Nginx for Captcha.
captcha: false
#
# Configure Nginx for SSL.
ssl: false
#
# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions:
#
# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites:
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_certificate_path: /etc/ssl/lehner-bw01.mueleh.ch/certificate.crt
#
# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_key_path: /etc/ssl/lehner-bw01.mueleh.ch/private.key
#
# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_ca_path: /etc/ssl/lehner-bw01.mueleh.ch/ca.crt
#
# Diffie Hellman ephemeral parameters
# Learn more: https://security.stackexchange.com/q/94390/79072
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_diffie_hellman_path:
#
# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' wss://{0} https://api.pwnedpasswords.com https://api.2fa.directory; object-src 'self' blob:;"
# Use a docker volume (`mssql_data`) instead of a host-mapped volume for the persisted database.
# WARNING: Changing this value will cause you to lose access to the existing persisted database.
# Learn more: https://docs.docker.com/storage/volumes/
database_docker_volume: false
#
# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the
# client IP address.
# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
#
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips:
# Enable SCIM
enable_scim: false
```
I tested internal communication through the reverse proxy and everything works fine.
After this I ran sudo certbot --apache
And this is the output:
```text
admin.mischa@mueleh.ch@lehner-rp01:~$ sudo certbot --apache
[sudo] password for admin.mischa@mueleh.ch:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: app01.mueleh.ch
2: ipam.mueleh.ch
3: search.mueleh.ch
4: wac.mueleh.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for app01.mueleh.ch
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: app01.mueleh.ch
Type: unauthorized
Detail: 91.138.73.114: Invalid response from http://app01.mueleh.ch/.well-known/acme-challenge/jDGQXxAK-BsdTvmNaAMYIrITS-ZRDt8lmiuMVqmZcz0: 400
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
admin.mischa@mueleh.ch@lehner-rp01:~$
```
Thank you for your help!
Kind regards,
Dextoi
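An added diagnostic for the failure shown in the post above (example code, not from the original post and not part of Certbot): it repeats the plain-HTTP fetch of /.well-known/acme-challenge/<token> that the CA performs, sending the public name in the Host header, and maps the answer to a short verdict so a 400 like the one reported can be reproduced by hand from outside the network. The verdict mapping and the probe script name are assumptions; the token you place in the webroot is a constructed value of your choice, and redirects are reported rather than followed.

```python
"""Manual HTTP-01 reachability probe (added example for this thread, not Certbot code).

An ACME validator requests http://<domain>/.well-known/acme-challenge/<token> over
plain HTTP on port 80 with the public name in the Host header and expects the
challenge content back with status 200. This reproduces that request and
classifies the response; the verdict strings are this example's own.
"""
import http.client
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def probe_challenge(domain, token, connect_to=None, timeout=10):
    """GET the challenge URL like a validator; returns (status, location, body).

    connect_to aims the TCP connection at a specific address (e.g. the proxy's
    public IP) while the Host header still carries the public domain, which
    separates DNS problems from vhost-routing problems.
    """
    conn = http.client.HTTPConnection(connect_to or domain, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_PATH + token,
                 headers={"Host": domain, "User-Agent": "acme-probe-example/1.0"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location"), body


def diagnose(status, body, expected_body):
    """Map the response to a verdict; 'ok' only when the placed token file came back."""
    if status == 200:
        return "ok" if body.strip() == expected_body else "wrong-content"
    if status in (301, 302, 303, 307, 308):
        return "redirect"        # validators follow it; the target must serve the token
    if status == 400:
        return "rejected"        # the server refused the request before serving the webroot
    if status == 404:
        return "not-found"       # /.well-known is not mapped to the directory in use
    if status >= 500:
        return "upstream-error"  # typically proxied to a backend instead of served locally
    return "unexpected"


if __name__ == "__main__":
    # Usage: python3 probe.py <domain> <token> [connect_to_ip]
    # First create <webroot>/.well-known/acme-challenge/<token> containing <token>
    # on the Apache host (any constructed value works), then run this from outside.
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py <domain> <token> [connect_to_ip]")
    domain, token = sys.argv[1], sys.argv[2]
    connect_to = sys.argv[3] if len(sys.argv) > 3 else None
    status, location, body = probe_challenge(domain, token, connect_to)
    print(status, location or "", diagnose(status, body, token))
```

Run it once against the public name and once with the proxy's public IP as connect_to; a verdict other than "ok" in the second run means the request is reaching Apache but not the .well-known directory, which is where the vhost and Certbot's temporary configuration should be compared.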