I have successfully issued Let's Encrypt certificates on a bunch of local domains, but I'm curious as to whether Let's Encrypt will work for a domain hosted on a different server through a reverse proxy (mod_proxy).
Let's say I have the vHost example.com on Server 1. Server 2 is running a vHost with the web root for example.com, and Server 1 is using Apache's mod_proxy to proxy into Server 2. If I were to use Let's Encrypt for example.com, should I get a certificate for Server 1, Server 2, or both? If it matters, both servers are in the local network, so I don't think I need to encrypt the proxy connection between them.
Server 1 is the "end point" of the connection for the client, so you'll have to install the certificate on that server. That said, you will have to have access to the webroot (i.e. Server 2) to successfully complete the challenge for your domain. Or have some RedirectMatch on /.well-known/acme-challenge/(.+) and redirect it to something local on Server 1; that's possible too, of course.
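As an added example (not from this thread), here is the "keep the challenge local on Server 1" approach done with a ProxyPass exclusion instead of a RedirectMatch; the Server 2 address 192.0.2.10 and the /var/www/acme webroot are assumptions, and mod_alias, mod_proxy, mod_proxy_http and mod_ssl are assumed to be loaded.

```apache
# Added example, not from this thread: Apache vHosts on Server 1 (the TLS
# endpoint). Assumed values: Server 2 answers on http://192.0.2.10 and
# /var/www/acme on Server 1 is the --webroot-path handed to the ACME client.
<VirtualHost *:80>
    ServerName example.com

    # HTTP-01 challenge files are served from Server 1's own filesystem,
    # so Server 2 never sees the token and needs no changes at all.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # The exclusion must precede the catch-all ProxyPass: Apache matches
    # ProxyPass rules in order, and "!" stops that path from being proxied.
    ProxyPass        /.well-known/acme-challenge/ !
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
</VirtualHost>

# Only Server 1 terminates TLS for the client, so only Server 1 gets the
# certificate; the hop to Server 2 stays plain HTTP on the LAN, as asked.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
</VirtualHost>

# Issue and later renew from Server 1 with the same webroot (run as root):
#   certbot certonly --webroot -w /var/www/acme -d example.com
```

Renewals only ever touch Server 1, so Server 2 can stay exactly as it is; if validation fails, check that the exclusion line really sits above the catch-all ProxyPass.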
The last suggestion is exactly how I solved this with a Hiawatha reverse proxy.
cat configfile | egrep -v "TLS" > tempconfigfile
start up server with tempconfigfile
use local website dirs to get certificates
reinstall reverse proxy config
start up server again.
#!/bin/bash
# Assumes /root/tmp/hiawatha.confbackup already holds a copy of the live config;
# this script never creates that backup itself.
WEBROOT="/var/www/hcs/"
TIMESTAMP=$(date --rfc-3339=seconds | sed 's/ /-/')
echo "Time is $TIMESTAMP"
LECROOT="/etc/letsencrypt/live"
CONFIG="/etc/hiawatha/hiawatha.conf"
# we will get certificates for the following domains in hiawatha.conf
DOMAINS="rain.example.com"
# let's take all TLS and reverse proxy config out while updating, serving only one local website
grep -Ev "ReverseProxy|RequireTLS|TLScertFile" /root/tmp/hiawatha.confbackup > "$CONFIG"
/etc/init.d/hiawatha restart
echo "website is offline, will get the certs now" && sleep 3
for i in $DOMAINS ; do
    echo "getting certs for $i"
    cd /root/letsencrypt || exit 1
    # note: the acme-v01 endpoint used here has since been retired by Let's Encrypt
    ./letsencrypt-auto certonly -a webroot --webroot-path "$WEBROOT" -d "$i" --server https://acme-v01.api.letsencrypt.org/directory
    sleep 33 # can take a while
    # if all is well we have a new certificate, but we need to adjust it to Hiawatha's pem format
    echo "certs $i are in, let's make a pem"
    # Hiawatha wants key, leaf cert and chain in a single file
    cat "$LECROOT/$i/privkey.pem" "$LECROOT/$i/cert.pem" "$LECROOT/$i/chain.pem" > "$LECROOT/$i/hiawatha-hc.pem"
    chown www-data:www-data "$LECROOT/$i/hiawatha-hc.pem"
    chmod 440 "$LECROOT/$i/hiawatha-hc.pem"
    echo "pemfile is $LECROOT/$i/hiawatha-hc.pem"
    sleep 3
done
# copy back the original configfile
cp /root/tmp/hiawatha.confbackup "$CONFIG"
sleep 1
/etc/init.d/hiawatha restart