Problem with a subdomain

It's my router web interface.
I'm searching how to modify the rules correctly.

I mean can you ssh to the router and run something like:
nginx -T | grep 4433

I understand, but I think the problem doesn't come from nginx but from redirect rules in the router. So I'm searching in the pfSense/HAProxy documentation.


HTTP is closed now.
HTTPS connects to "OLD SERVER" (with wrong cert name)

Yes, because I use these parameters to keep things working.
The old server is, as I said, my old server, but until I finish my configuration I use it.
The change in my configuration is that I have one server and I use NAT. This works correctly for the moment.
But for a lot of reasons I will use VMs on a new server, so I couldn't use NAT. I will use subdomains.
And for the moment I have problems configuring them.
And as I have to work sometimes, I have to disable my subdomain rules and reuse the NAT rules to my old server.


OK I think I understand what you are trying to do.
pfSense can only NAT one external IP to one internal IP.
That is where HAProxy comes in; pfSense sends all HTTP(S) traffic to HAProxy and it can reverse proxy the different URLs to their corresponding VM servers.

It sounds very straight forward.
Where are you having problems?

Are you running the HAProxy on the same system/IP as the pfSense?

Yes, you understand correctly.
For the moment, I can redirect subdomains on port 80 correctly to the right server.
The problem is with port 443, which is intercepted by the web GUI of pfSense.
I changed the interface port to 4433, but now pfSense redirects queries from 443 to port 443 to itself.
I'm searching why.

If you don't mind me interrupting your work...
[and I don't know all the details nor limitations of your network - so bear with me]

I would suggest that you virtualize everything (including pfSense).
[this provides a clear separation between all devices and their services]
Give everything its own internal IP (pfSense also gets the external IP on a second interface).
Don't have pfSense listening on the outside IP for management (unless you have to).
If pfSense will be doing inbound SSL inspection, then you must terminate all such connections there (first) before passing them on to the HAProxy.

I understand, but as I have little time to work on it, I asked the question in a pfSense forum.
It seems simple to do, so maybe I can find a faster solution :slight_smile:
Thanks for the suggestion


I think I'm right with pfSense.

But I still have the problem.
apachectl -S gives me:
root@dolizelec:~# apachectl -S
VirtualHost configuration: (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

and certbot error:

thanks for your help

Port 80 has the expected result: http status 404 - Not Found. So the main things are ok.

What's the content of

Create a file in yourWebroot/.well-known/acme-challenge (file name 1234), load that file via

If that works, use webroot with that webroot.

PS: Certbot loves separate config files instead of 000-default.conf. Create a file with domainname + .conf as file name, with the port 80 vHost definition there.
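The self-test described above (drop a file under `.well-known/acme-challenge`, fetch it over plain HTTP, and only then trust that directory as the `--webroot` path) can be scripted so the same check is repeatable before every certbot run. The script below is an added example, not code from the thread or from the certbot project; the webroot, the domain `example.test`, and the fetch command are assumptions, and the optional third argument exists so the check can be run against a stand-in fetcher when no web server is reachable.

```shell
#!/bin/sh
# Pre-flight check for certbot's http-01 challenge with --webroot.
# Added example (not from the thread): verifies that a file written under
# WEBROOT/.well-known/acme-challenge/ is actually served at
# http://DOMAIN/.well-known/acme-challenge/<token>, which is what the
# Let's Encrypt validation server will request on port 80.
set -eu

# Write a throwaway token file into the challenge directory and print its path.
acme_place_token() {
  webroot=$1; token=$2
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# acme_selfcheck WEBROOT DOMAIN [FETCH]
# FETCH is a command that prints the body of the URL passed as its argument;
# it defaults to curl and is only overridden for offline testing (assumption).
# Returns 0 and prints the certbot command to use when the round trip works,
# returns 1 otherwise. The token file is always removed afterwards.
acme_selfcheck() {
  webroot=$1; domain=$2; fetch=${3:-"curl -fsS"}
  token="selfcheck-$(date +%s)-$$"
  path=$(acme_place_token "$webroot" "$token")
  url="http://$domain/.well-known/acme-challenge/$token"
  # $fetch is intentionally unquoted so "curl -fsS" splits into command + flag.
  body=$($fetch "$url" 2>/dev/null || true)
  rm -f "$path"
  if [ "$body" = "$token" ]; then
    echo "OK: $url is served from $webroot"
    echo "Use: certbot certonly --webroot -w $webroot -d $domain"
    return 0
  fi
  echo "FAIL: $url did not return the token." >&2
  echo "Either $webroot is not the directory serving $domain, or port 80 does not reach this host." >&2
  return 1
}

# Usage (assumed paths; run on the web server itself or any host that can reach port 80):
#   acme_selfcheck /var/www/html example.test
```

A successful run proves two things at once: the DocumentRoot you picked is the one the port-80 vHost really serves, and nothing in front of the server (NAT, a reverse proxy, a firewall rule) is swallowing the request. A failure with the right webroot usually points at the network path rather than at Apache.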


content of /etc/apache2/sites-enabled/000-default.conf:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

I created the file /var/www/html/.well-known/acme-challenge/1234 as you asked; that works.
But as my webroot is /var/www/html, what do you want me to change?
As certbot loves separate config files, I created one, a2ensite doli... and reloaded apache.

Yes, it works, so you have found your webroot. Use that with webroot instead of --apache.


I still have the same problem:
root@dolizelec:/etc# certbot -w /var/www/html/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


It's strange, the 1234 file replies but not the challenge.

Please read the documentation, your result is expected.

See the problem there?

certbot certonly --webroot -w /var/www/html/


Sorry, it's late, but you're right, and that works correctly now.
I forgot certonly.
Thanks for all your help.


No... you forgot --webroot. :wink:


I used -w for webroot.

certonly isn't relevant; webroot is relevant. Your output told you: Apache was used.

And certonly doesn't install the certificate.