Need help with requesting a certificate for Apache reverse proxy

Hey Let's Encrypt Community

I'm new here and have an issue requesting a certificate with Certbot 1.32.2.
In my setup I've got an Apache reverse proxy, server name "lehner-rp01". My web server runs nginx in a Docker container, server name "lehner-bw01". Further, my CA server "lehner-ca01" is used for internal communication over HTTPS with certificates, e.g. lehner-rp01 <--> lehner-bw01. The web service should be public under the following name: app01.mueleh.ch. All these servers run Ubuntu Server 22.04 LTS.

I created a virtual host on my Apache server like this:

<VirtualHost *:80 *:443>
    ServerName app01.mueleh.ch
    DocumentRoot /var/www/html
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost on
    ProxyRequests Off
    ProxyErrorOverride Off
    ProxyPassReverse / http://lehner-bw01.mueleh.ch/
    ProxyPass "/.well-known" "!"
    ProxyPass / http://10.0.4.62/
    <Directory "/var/www/html/.well-known">
        Require all granted
        Options None
    </Directory>
    <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Proxy>
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log example
</VirtualHost>

In the configuration file for the nginx Docker container the following is configured:

# Full URL for accessing the installation from a browser. (Required)
url: https://lehner-bw01.mueleh.ch
# 
# Auto-generate the `./docker/docker-compose.yml` config file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
generate_compose_config: true
# 
# Auto-generate the `./nginx/default.conf` file.
# WARNING: Disabling generated config files can break future updates. You will be
# responsible for maintaining this config file.
# Docker compose file port mapping for HTTP. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
http_port: 80
# 
# Docker compose file port mapping for HTTPS. Leave empty to remove the port mapping.
# Learn more: https://docs.docker.com/compose/compose-file/#ports
https_port: 443
# 
# Docker compose file version. Leave empty for default.
# Learn more: https://docs.docker.com/compose/compose-file/compose-versioning/
compose_version: 
# 
# Configure Nginx for Captcha.
captcha: false
# 
# Configure Nginx for SSL.
ssl: false
# 
# SSL versions used by Nginx (ssl_protocols). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_versions: 
# 
# SSL ciphersuites used by Nginx (ssl_ciphers). Leave empty for recommended default.
# Learn more: https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_ciphersuites: 
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_certificate_path: /etc/ssl/lehner-bw01.mueleh.ch/certificate.crt
# 
# The certificate's private key. (Required if using SSL without managed Let's Encrypt)
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_key_path: /etc/ssl/lehner-bw01.mueleh.ch/private.key
# 
# If the certificate is trusted by a CA, you should provide the CA's certificate.
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_ca_path: /etc/ssl/lehner-bw01.mueleh.ch/ca.crt
# 
# Diffie Hellman ephemeral parameters
# Learn more: https://security.stackexchange.com/q/94390/79072
# Note: Path uses the container's ssl directory. The `./ssl` host directory is mapped to
# `/etc/ssl` within the container.
ssl_diffie_hellman_path: 
# 
# Nginx Header Content-Security-Policy parameter
# WARNING: Reconfiguring this parameter may break features. By changing this parameter
# you become responsible for maintaining this value.
nginx_header_content_security_policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' wss://{0} https://api.pwnedpasswords.com https://api.2fa.directory; object-src 'self' blob:;"
# Use a docker volume (`mssql_data`) instead of a host-mapped volume for the persisted database.
# WARNING: Changing this value will cause you to lose access to the existing persisted database.
# Learn more: https://docs.docker.com/storage/volumes/
database_docker_volume: false
# 
# Defines "real" IPs in nginx.conf. Useful for defining proxy servers that forward the 
# client IP address.
# Learn more: https://nginx.org/en/docs/http/ngx_http_realip_module.html
# 
# Defined as a dictionary, e.g.:
# real_ips: ['10.10.0.0/24', '172.16.0.0/16']
real_ips: 
# Enable SCIM
enable_scim: false

I tested internal communication and everything works fine with the reverse proxy.

After this I ran sudo certbot --apache

And this is the output:

admin.mischa@mueleh.ch@lehner-rp01:~$ sudo certbot --apache
[sudo] password for admin.mischa@mueleh.ch: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: app01.mueleh.ch
2: ipam.mueleh.ch
3: search.mueleh.ch
4: wac.mueleh.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for app01.mueleh.ch

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: app01.mueleh.ch
  Type:   unauthorized
  Detail: 91.138.73.114: Invalid response from http://app01.mueleh.ch/.well-known/acme-challenge/jDGQXxAK-BsdTvmNaAMYIrITS-ZRDt8lmiuMVqmZcz0: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
admin.mischa@mueleh.ch@lehner-rp01:~$ 

Thank you for your help!

Kind regards,
Dextoi

I don't think that Apache can multiplex protocols in a single VirtualHost like that.

At least, that's what the 400 error seems to be about:

$ curl -i app01.mueleh.ch
HTTP/1.1 400 Bad Request
Date: Wed, 18 Jan 2023 21:29:28 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 441
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />

Try separating it into separate port 80 and port 443 virtual hosts.

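As an added illustration of the split suggested above (example config, not from the original post or any reply): one plain-HTTP virtual host on :80 that answers the ACME challenge itself and redirects everything else, and one TLS virtual host on :443 that proxies to the backend. It assumes the backend listens on 443 with a certificate issued by the internal CA, that the CA certificate has been exported to /etc/ssl/certs/lehner-ca01.crt (assumed path), that Certbot has placed the public certificate under /etc/letsencrypt/live/app01.mueleh.ch/, and that `ssl`, `rewrite`, `headers`, `proxy` and `proxy_http` are enabled (`a2enmod`). Unlike the original config it keeps backend certificate verification on, because `SSLProxyVerify none` plus `SSLProxyCheckPeer* off` lets anything that answers on the backend address impersonate lehner-bw01.

```apache
# Added example, not the poster's config. Assumed paths are marked.

# Port 80: serve the ACME challenge locally, send everything else to HTTPS.
<VirtualHost *:80>
    ServerName app01.mueleh.ch
    DocumentRoot /var/www/html

    # Certbot's apache plugin writes the challenge token under this path;
    # it must be answered by this server, never forwarded to the backend.
    <Directory "/var/www/html/.well-known/acme-challenge">
        Require all granted
        Options None
    </Directory>

    # Redirect only non-ACME traffic to HTTPS (needs mod_rewrite).
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/app01-error.log
    CustomLog ${APACHE_LOG_DIR}/app01-access.log combined
</VirtualHost>

# Port 443: the public TLS endpoint, proxying to the internal backend.
<VirtualHost *:443>
    ServerName app01.mueleh.ch

    SSLEngine On
    # Default location used by certbot --apache / certonly.
    SSLCertificateFile    /etc/letsencrypt/live/app01.mueleh.ch/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app01.mueleh.ch/privkey.pem

    # Proxy over HTTPS to the backend and verify its certificate against
    # the internal CA instead of turning the checks off.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/lehner-ca01.crt   # assumed path

    ProxyRequests Off
    # Off so the hostname in the ProxyPass URL (the name the backend
    # certificate is issued for) is what the peer-name check compares against.
    ProxyPreserveHost Off
    # Exclusion must come before the catch-all ProxyPass.
    ProxyPass        /.well-known/acme-challenge !
    ProxyPass        / https://lehner-bw01.mueleh.ch/
    ProxyPassReverse / https://lehner-bw01.mueleh.ch/

    # Tell the backend the original scheme (needs mod_headers).
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog ${APACHE_LOG_DIR}/app01-error.log
    CustomLog ${APACHE_LOG_DIR}/app01-access.log combined
</VirtualHost>
```

Check with `apache2ctl configtest` before reloading, and confirm that `curl -i http://app01.mueleh.ch/.well-known/acme-challenge/test` now returns a 404 from Apache rather than the 400 shown above. Note that `certbot --apache` only needs the :80 host to exist: it creates a `-le-ssl.conf` copy of it for :443 when it installs the certificate, so the second block is what that generated host should end up looking like once the proxy and SSLProxy* directives are added to it.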

Supplemental information

$ nmap app01.mueleh.ch
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-19 00:19 UTC
Nmap scan report for app01.mueleh.ch (91.138.73.114)
Host is up (0.18s latency).
rDNS record for 91.138.73.114: 114-73-138-91.dyn.cable.fcom.ch
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds
$ curl -Ii http://app01.mueleh.ch/
HTTP/1.1 400 Bad Request
Date: Thu, 19 Jan 2023 00:19:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 441
Connection: close
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii http://app01.mueleh.ch//.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Date: Thu, 19 Jan 2023 00:20:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 441
Connection: close
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii http://app01.mueleh.ch//.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 400 Bad Request
Date: Thu, 19 Jan 2023 00:20:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 441
Connection: close
Content-Type: text/html; charset=iso-8859-1

However, Let's Debug gets these results: https://letsdebug.net/app01.mueleh.ch/1341796
Error: HttpOnHttpsPort


Hello _az

Thanks for your reply.

Unfortunately, it's still the same error.

I also tested only opening port 80 (on the reverse proxy virtual host and the nginx Docker container), but this also did not work.

Does anyone have another idea?


What's the current configuration of the virtual host? I still see the same problem on that port.

You'd need to get rid of all of the SSL* directives, like SSLProxyEngine.


Hello everyone

I found my mistake and now it works great.

So first, I think I forgot some essential information: in my reverse proxy, multiple virtual hosts are listening on 443. When I deactivated them and only enabled the virtual host for app01 on port 80, and in addition deactivated all SSL* parameters, Certbot could create the certificate.

I would like to thank you again for your help.

Kind regards,
Dextoi
