Reverse proxy, back-end & certificates

Hi everyone,

Firstly, I’m sorry if I am not clear, English is not my native language and furthermore, Web services are not my primary target.

Anyway, I need some explanation about Reverse Proxy and certification.

I have a HomeLab where I run or will run web servers. As I only have 1 public address, I use specific ports.

I have a virtual machine where I use Certbot with the OVH plugin (DNS certification) to create a wildcard certificate. A Bash script is then used to copy the certificate to the other virtual machines with SSH.

I’m thinking about using NGINX as a reverse proxy to redirect traffic from outside to my Apache servers, to bypass the use of specific ports.

As I already said, I don’t have particular knowledge with reverse proxy. My questions are:

  • Can I install certbot on the reverse proxy and only generate one wildcard certificate from it? Or just a simple certificate, or a certificate with all the subdomains? Do I need to push these certificates to all the backend servers?

  • What about the communication between the backend servers and the reverse proxy? Does it need a certificate from certbot too?

From my perspective, the outside client only knows the reverse proxy, but I’m not sure.


Hi @jode27195,

By Let's Encrypt policy, you need to use DNS-01 challenges to prove your control over a domain name in order to get wildcard certificates for it. So if you use Certbot on the reverse proxy, you'd still need to use the OVH plugin and have your OVH DNS credentials present on the reverse proxy to be used by the plugin.

For a non-wildcard certificate, you can probably generate it directly on the reverse proxy machine using the HTTP-01 challenge method (receiving an incoming connection on the reverse proxy to prove your control of each name).

No, not if the reverse proxy handles the HTTPS protocol itself (which is the most common case when people refer to a "reverse proxy", as opposed to "port forwarding").

In this case you could just use unencrypted HTTP for this connection (if you trust that your local network is completely secure). You would still have HTTPS between the reverse proxy and the browsers connecting over the Internet, so the communications over the public Internet would be protected.

You could also use another approach such as a self-signed certificate for the back-end servers. In this case you would need to figure out how to tell the reverse proxy software to accept this certificate when it makes its own connection to the back-end servers via HTTPS.

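The self-signed back-end option from the answer above, as an added example that is not part of the original post: an nginx configuration for the reverse proxy, assuming a placeholder back-end address 10.0.0.20 and a hypothetical file /etc/nginx/backend-certs/nextcloud-backend.pem holding a copy of the back-end's self-signed certificate. nginx does not verify upstream certificates unless proxy_ssl_verify is on, so the trusted-certificate lines are what make it accept this certificate and no other.

```nginx
# Added example: reverse proxy that terminates public HTTPS and re-encrypts to an Apache back-end.
# Assumptions: 10.0.0.20 (back-end address) and the backend-certs path are placeholders,
# and the back-end's self-signed certificate carries the name nextcloud.it-switch.com.
server {
    listen 443 ssl;
    server_name nextcloud.it-switch.com;

    # Public certificate issued by Let's Encrypt, stored only on the proxy.
    ssl_certificate     /etc/letsencrypt/live/nextcloud.it-switch.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.it-switch.com/privkey.pem;

    location / {
        proxy_pass https://10.0.0.20;

        # Weak: nginx's default. The hop is encrypted, but any certificate is accepted.
        #   proxy_ssl_verify off;

        # Corrected: trust only the back-end's own self-signed certificate.
        proxy_ssl_trusted_certificate /etc/nginx/backend-certs/nextcloud-backend.pem;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 1;
        # Name to check in the back-end certificate (proxy_pass uses an IP address).
        proxy_ssl_name         nextcloud.it-switch.com;
        proxy_ssl_server_name  on;   # send that name as SNI to Apache

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With plain HTTP to the back-end instead, proxy_pass becomes http://10.0.0.20 and the proxy_ssl_* lines are dropped; that hop is then unencrypted and relies on the internal network being trusted.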

Hi schoen, thank you for your (complete) answer.

  • Wildcard certificates need the DNS-01 challenge. OK, the improvement is still there, because I don’t need to use rsync to mirror my folder containing the certificate to other virtual machines.

  • HTTP-01 challenge: OK, same thing here, but it’s more automated with certbot renew. I just need to add the new subdomain when I need it.

Can you give me your advice/recommendation about that? Is the use of a wildcard certificate better/recommended, or is it better to use a certificate per subdomain?

Is a self-signed certificate still a good option for internal backend servers?

We usually recommend explicitly listing all of the subdomains in your certificate, unless (1) you need to keep some of them a secret from the public, or (2) they change very frequently.

It should be fine technically, although it might be a little inconvenient to set up your reverse proxy to accept this certificate. It's more common to use HTTP instead of HTTPS in this situation, but that does require trusting the security of the internal network.

Thank you schoen.

So the use of a wildcard certificate is not recommended for standard use unless I want a specific website/service to be “secret”. There I can use the DNS-01 challenge, but I need to give the parameter -d with the names of my websites and after that the "*.domain " for the “secret” websites.

Thank you :slight_smile:

Last but not least: does an SMTP server need a named certificate, or can it work with a wildcard certificate? I’m almost sure there is some restriction on that.

Hi everyone,

I have installed and configured the reverse proxy.

Now I want to generate certificates for certain of my subdomains from that reverse proxy.
When I make the ACME challenge with certbot --nginx I encounter the following error:

“The client lacks sufficient authorization”

From what I have read, it seems to be related to the .well-known folder…
Do I need to add specific lines to my reverse proxy’s configuration file?

Hi @jode27195

that's a very unspecific error message.

Please answer the following questions. That's the standard template of Help


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @JuergenAuer,

Sorry, I did not notice (or I forgot?) the presence of the template.

My domain is: IT-SWITCH.COM
I ran this command: sudo certbot --nginx -d it-switch.com -d nextcloud.it-switch.com -d (that’s all for now)

It produced this output:

"Failed authorization procedure. nextcloud.it-switch.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.it-switch.com/index.php/login [212.71.14.117]: "\n<html class="ng-csp" data-placeholder-focus="false" lang="en" data-locale="en" >\n\t<head\n data-requesttoken="Y0vQ", it-switch.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.it-switch.com [213.186.33.5]: "<html xml:lang="fr-FR" lang="fr-FR">\n<head>\n<title qtlid="28806">F\xe9licitations ! Votre domaine a bien \xe9t\xe9 cr\xe9\xe9 chez OVH ! </""

My web server is (include version): nginx:1.15.12(reverse proxy. Other servers are Apache2)

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core) (reverse proxy) Other systems are (ubuntu,debian,centos)

My hosting provider, if applicable, is: no/ Domain from OVH

I can login to a root shell on my machine (yes or no, or I don’t know): YES, HomeLab

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Edit: For now, I disable the WAF rule on my Sophos XG.

Puh, there are some errors visible.

First - two different ip addresses: Is your Certbot able to create the validation files on both ip addresses? If not, that can't work.

Second, your nextcloud redirects to a login page. This isn't the validation file Let's Encrypt checks. Now, your nextcloud subdomain is invisible.

Third: Your main domain has a wrong redirect ( https://check-your-website.server-daten.de/?q=it-switch.com ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Note |
|---|---|---|---|---|---|---|
| http://it-switch.com/ | 213.186.33.5 | 302 | http://www.it-switch.com | 1.257 | D | |
| http://www.it-switch.com | | 200 | | 0.150 | H | |
| http://www.it-switch.com/ | 213.186.33.5 | 200 | | 0.134 | H | |
| https://it-switch.com/ | 213.186.33.5 | 302 | http://www.it-switch.com | 0.437 | N | Certificate error: RemoteCertificateNameMismatch |
| https://www.it-switch.com/ | 213.186.33.5 | 200 | | 0.326 | N | Certificate error: RemoteCertificateNameMismatch |
| http://it-switch.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 213.186.33.5 | 302 | http://www.it-switch.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.057 | D | Visible Content: 302 Found nginx |
| http://www.it-switch.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 213.186.33.5 | 302 | http://www.it-switch.com | 0.076 | D | Visible Content: 302 Found nginx |

http + non-www + /.well-known/acme-challenge/random-filename redirects to www (that's ok), but the www version redirects to "/". So it's the same, "/" doesn't have the validation file.

There are two different options:

  • change your redirects so /.well-known/acme-challenge isn't redirected (or)
  • change your redirects so /.well-known/acme-challenge is redirected completely (same folder and filename). Then you may use the webroot authenticator. You can redirect different domains to the same destination domain (maybe a third domain) and subfolder, if only ports 80 and 443 are used.

But Certbot must be able to create the validation files, and Let's Encrypt must be able to check these files.
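The two redirect options from the post above, as an added example that is not part of the original thread: port-80 server blocks for the nginx reverse proxy, assuming a hypothetical webroot /var/www/letsencrypt that Certbot writes to. The first block answers the challenge on the proxy so it never reaches the Nextcloud login redirect; the second keeps folder and filename when redirecting.

```nginx
# Added example, not from the thread. /var/www/letsencrypt is a hypothetical webroot.
# Matching Certbot run (webroot authenticator):
#   certbot certonly --webroot -w /var/www/letsencrypt -d nextcloud.it-switch.com --dry-run

# Option 1: serve the challenge on the proxy itself; do not redirect or proxy it.
server {
    listen 80;
    server_name nextcloud.it-switch.com;

    # ^~ keeps regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;   # missing token gives 404, not an application login page
    }

    # Everything else goes to HTTPS with the path preserved.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Option 2: redirect, but keep the same folder and filename.
server {
    listen 80;
    server_name it-switch.com;

    # Pattern that loses the validation file (path is dropped):
    #   return 302 http://www.it-switch.com;
    return 302 http://www.it-switch.com$request_uri;
}
```

Option 2 only works if the host that receives the redirect serves the validation file from the same path, which is why the webroot authenticator is used there.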

@JuergenAuer

Thank you for your answer. I think I don’t understand entirely, but I have done some cleaning in my domain.

Currently, I just have a dyndns to nextcloud.it-switch.com and a CNAME from www.it-switch.com to nextcloud.com (in the future a true www will exist…)

Currently, the traffic is redirected to my NGINX reverse proxy, then to my Apache web server (other VM).

If I run "sudo certbot certonly -d nextcloud.it-switch.com --dry-run" I have:

Ok, thank you everyone :slight_smile:

I don’t know how, but I managed to resolve the error by cleaning my DNS, then reinstalling NGINX (it did not listen on port 80/443, don’t know why) and that’s good :slight_smile:
