[Solved] Renewing a Certificate with a Proxy Server

I have a certificate to renew on our web server (it’s running Plesk 12.5.3 and CentOS 6.9) but the site (it’s a Wordpress site) goes through a proxy server (Sucuri). Our domain is pointed to the IP address at Sucuri rather than our actual web server IP address. I understand this is an issue because Let’s Encrypt wants to verify the IP address the domain resolves to. So when I attempt to renew the certificate through Plesk I receive the following error:

Error: Could not issue a Let’s Encrypt SSL/TLS certificate for thedomain.com

The authorization token is not available at http://thedomain.com/.well-known/acme-challenge/IcpQRZQL85enps323luQths_ypP3yB82DTjQA6y9Gak.
To resolve the issue, make it is possible to download the token file via the above URL.
See the related Knowledge Base article for details.

Additional error details:
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/ZYDxLv8Okvy0VUxkkUDgRts9p2JfmqGv6wmSXy6bWdw.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://thedomain.com/.well-known/acme-challenge/IcpQRZQL85enps323luQths_ypP3yB82DTjQA6y9Gak: "

404 Not Found

Not Found

<p"

Is there any way to renew the certificate without having to point the domain back to our web server? I recently took over our web server and site management in the interim while we hire someone that is trained in this (I know how to do some maintenance on the server and our site, but not a lot).

Hi @eric19,

This could work behind a proxy server, but the proxy server would have to be willing to proxy requests for files under http://thedomain.com/.well-known/acme-challenge/ by forwarding those requests on to your back-end server. If the proxy doesn’t do that and can’t be configured to do that, you can no longer renew your certificate via this method. So, I would suggest either asking the proxy server operator about that, or taking the proxy server out of the loop at least temporarily.

DNS auth may be an option; should all else fail.

I’m facing a similar situation. Hosted on Linode and using Sucuri reverse proxy/WAF.
Now, I want to move my WordPress powered site from http to https.
Sucuri provides a free Let’s Encrypt SSL certificate… But how do I enable SSL on my hosting end to make it Full https (strict)?

Does LetsEncrypt support this configuration where the DNS is pointing to Sucuri WAF instead of my own server?

Thanks

If the proxy passes web requests through to your server, you can use the HTTP-01 challenge method which is based on being able to create a file in /.well-known/acme-challenge. If the certificate authority requests the file from the proxy and the proxy requests it from your server, that should be fine!

1 Like
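The two replies above describe the one condition that matters for HTTP-01 behind a WAF: the proxy must forward requests under /.well-known/acme-challenge/ to the back end. The script below is an added example (not from this thread, Plesk, Sucuri, or Let’s Encrypt’s own tooling) that checks exactly that before a renewal attempt: it drops a random probe file into the webroot’s challenge directory, fetches it through the public hostname, and reports whether the proxy forwarded the request, answered with its own 404 (the failure in the original post), or returned content from some other origin. The domain name and webroot path on the command line, and the `acme_path_check.py` file name, are assumptions for illustration.

```python
"""
Self-check for the HTTP-01 challenge path behind a reverse proxy / WAF.

Added example, not part of the thread or of any product it mentions.
It writes a throw-away token under <webroot>/.well-known/acme-challenge/
on the back-end server, then fetches it via http://<domain>/... .  If the
proxy forwards the request to the back end the bytes match; if the proxy
answers 404 itself, a Let's Encrypt renewal will fail the same way and the
proxy's "forward requests" option needs to be enabled (or DNS-01 used).
"""
import os
import secrets
import urllib.error
import urllib.request
from typing import Callable, Tuple

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

# A fetcher maps a URL to (status_code, body_bytes); injectable for testing.
Fetcher = Callable[[str], Tuple[int, bytes]]


def fetch_http(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain HTTP GET that returns status and body even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def write_probe_token(webroot: str) -> Tuple[str, bytes]:
    """Create a random probe file in the challenge dir; return (name, content)."""
    name = secrets.token_urlsafe(16)          # random file name, like an ACME token
    content = secrets.token_urlsafe(32).encode()
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)
    return name, content


def check_challenge_path(domain: str, webroot: str, fetch: Fetcher = fetch_http) -> dict:
    """
    Write a probe token, request it through the public hostname, classify.

    verdict 'forwarded'     : proxy passed the request to our webroot (HTTP-01 OK)
    verdict 'not_forwarded' : proxy answered itself (e.g. its own 404 page)
    verdict 'wrong_backend' : 200 but different bytes (another origin answered)
    The probe file is always removed afterwards.
    """
    name, expected = write_probe_token(webroot)
    path = os.path.join(webroot, CHALLENGE_DIR, name)
    url = f"http://{domain}/.well-known/acme-challenge/{name}"
    try:
        status, body = fetch(url)
    finally:
        os.remove(path)
    if status == 200 and body == expected:
        verdict = "forwarded"
    elif status == 200:
        verdict = "wrong_backend"
    else:
        verdict = "not_forwarded"
    return {"url": url, "status": status, "verdict": verdict}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: acme_path_check.py <domain> <webroot>")
    print(check_challenge_path(sys.argv[1], sys.argv[2]))
```

Run it on the back-end server itself (for Plesk the webroot is the domain’s document root), since that is where the ACME client will write the real token. A `not_forwarded` verdict with a 404 body reproduces the error in the first post and tells you the fix is on the proxy side, not in Plesk.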

Thanks, schoen. This is way beyond my head. Will settle with partial https for now :slight_smile:

All these days, I used to access my WordPress Admin Dashboard bypassing my WAF (using the HOSTS file on my Windows PC). This doesn't work anymore after I redirect all http traffic to https.

Is self-signed certificate on the hosting end the solution?

Thanks again.

Hi @TWBUser,

I would suggest starting a new forum thread that mentions the technologies that you're using in the title.

With HTTPS you don't have a signed certificate that matches the private name that you set in the HOSTS file. If it's a public domain name that you control, you can get a certificate for it and you can still use the HOSTS file to access it directly by IP address after the certificate is installed. However, the process of getting the certificate can be more complex depending on the exact behavior of the WAF.

If the WAF talks to the back-end server via HTTP instead of HTTPS (which is not necessarily a best practice if they're not on the same LAN or if there are other devices on that LAN as well), then you could use a self-signed certificate for this purpose for your administration. There is nothing insecure about self-signed certificates when the person who installed them is the only person who accepts them.

1 Like

Thanks everyone… It’s sorted out now! :sunglasses:

[Fix] Sucuri and LetsEncrypt - ACME Domain Authorization Failed
http://www.winhelponline.com/blog/sucuri-serverpilot-letsencrypt-acme-domain-authorization-failed/

As @schoen said, I had to ask the techs to enable the “forward requests” option to fix the problem.
