Proxied Virtual Hosts

I have successfully issued Let’s Encrypt certificates for a bunch of local domains, but I’m curious as to whether Let’s Encrypt will work for a domain hosted on a different server through a reverse proxy (mod_proxy).

Let’s say I have the vHost example.com on Server 1. Server 2 is running a vHost with the web root of example, and Server 1 is using Apache’s mod_proxy to proxy into Server 2. If I were to use Let’s Encrypt for example.com, should I get a certificate for Server 1, Server 2, or both? If it matters, both servers are in the local network, so I don’t think I need to encrypt the proxy connection between them.

Server 1 is the “end point” of the connection for the client, so you’ll have to install the certificate on that server. That said, you will have to have access to the webroot (i.e. Server 2) to successfully complete the challenge for your domain. Or have some RedirectMatch on /.well-known/acme-challenge/(.+) and redirect it to something local on Server 1; that’s possible too, of course.
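One way to do the “something local on Server 1” the reply above describes, as an added example that is not from the thread: Apache 2.4 vhosts on the proxy host that answer the HTTP-01 challenge from a local directory and proxy everything else to Server 2, so the site never has to go offline for issuance or renewal. The hostname example.com, the challenge directory /var/www/acme and the backend address 192.0.2.10 are placeholders.

```apache
# Added example (not part of the thread): Apache 2.4 vhosts for Server 1,
# the TLS-terminating reverse proxy. example.com, /var/www/acme and the
# backend address 192.0.2.10 are placeholders.

<VirtualHost *:80>
    ServerName example.com

    # Answer HTTP-01 challenges from a directory on Server 1 itself.
    # The ACME client writes tokens below <webroot>/.well-known/acme-challenge/,
    # so the webroot handed to the client is /var/www/acme.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # "!" means: do not proxy this prefix. It must come BEFORE the catch-all
    # ProxyPass, because mod_proxy applies the first matching rule.
    ProxyPass        /.well-known/acme-challenge/ !

    # Everything else goes to the backend on Server 2. ProxyPreserveHost
    # keeps the original Host header so Server 2's own vHost matches.
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10:80/
    ProxyPassReverse / http://192.0.2.10:80/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # The certificate lives here, on the endpoint the client talks to.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Same alias and exception, so renewals keep working if port 80 is later
    # redirected to HTTPS (the ACME server follows redirects).
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    ProxyPass        /.well-known/acme-challenge/ !

    # The hop to Server 2 stays plain HTTP on the local network, as in the
    # question; only the client-facing side is encrypted.
    ProxyPreserveHost On
    ProxyPass        / http://192.0.2.10:80/
    ProxyPassReverse / http://192.0.2.10:80/
</VirtualHost>
```

With this in place the ACME client runs on Server 1 with the local directory as its webroot (for example `certonly -a webroot --webroot-path /var/www/acme -d example.com`), the certificate files end up on Server 1 where TLS is terminated, and Server 2 never needs to see the challenge.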

Would it work if I just brought the actual site down for a few minutes by commenting out the Proxy lines in the config?

The last suggestion is exactly how I solved this with a Hiawatha reverse proxy.

cat configfile | egrep -v "TLS" > tempconfigfile
start up server with tempconfigfile
use local website dirs to get certificates
reinstall reverse proxy config
start up server again.

Voila.

The config looks like this:

VirtualHost {
Hostname = rain.example.com
ReverseProxy .* http://192.168.0.50:80/rainloop
RequireTLS = yes
TLScertFile = /etc/letsencrypt/live/rain.example.com/hiawatha-hc.pem
WebsiteRoot /var/www/hcs
}

##################### update certificates
#!/bin/bash

WEBROOT="/var/www/hcs/"
# command substitution was lost in the paste; date needs --rfc-3339=seconds
TIMESTAMP=$(date --rfc-3339=seconds | sed 's/ /-/')
echo "Time is $TIMESTAMP"
LECROOT="/etc/letsencrypt/live"
CONFIG="/etc/hiawatha/hiawatha.conf"
#we will get certificates for the following domains in hiawatha.conf (space separated)
DOMAINS="rain.example.com"

mkdir -p /root/tmp
cp $CONFIG /root/tmp/hiawatha.conf$TIMESTAMP
cp $CONFIG /root/tmp/hiawatha.confbackup

#lets take all TLS and reverse proxy config out while updating, serving only one local website

cat /root/tmp/hiawatha.confbackup | egrep -v "ReverseProxy|RequireTLS|TLScertFile" > $CONFIG
/etc/init.d/hiawatha restart
echo "website is offline, will get the certs now" && sleep 3
for i in $DOMAINS ; do
echo "getting certs for $i"
cd /root/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path $WEBROOT -d $i --server https://acme-v01.api.letsencrypt.org/directory
sleep 33 # can take a while
#if all is well we have a new certificate, but we need to adjust it to hiawatha pem format
echo "certs $i are in lets make a pem"
cat $LECROOT/$i/privkey.pem $LECROOT/$i/cert.pem $LECROOT/$i/chain.pem > $LECROOT/$i/hiawatha-hc.pem
chown www-data:www-data $LECROOT/$i/hiawatha-hc.pem
chmod 440 $LECROOT/$i/hiawatha-hc.pem
echo "pemfile is $LECROOT/$i/hiawatha-hc.pem"
sleep 3
done

#copy back the original configfile
cp /root/tmp/hiawatha.confbackup $CONFIG
sleep 1
/etc/init.d/hiawatha restart