I have a certificate to renew on our web server (it’s running Plesk 12.5.3 and CentOS 6.9) but the site (it’s a WordPress site) goes through a proxy server (Sucuri). Our domain is pointed to the IP address at Sucuri rather than our actual web server IP address. I understand this is an issue because Let’s Encrypt wants to verify the IP address the domain resolves to. So when I attempt to renew the certificate through Plesk I receive the following error:
Error: Could not issue a Let’s Encrypt SSL/TLS certificate for thedomain.com
Is there any way to renew the certificate without having to point the domain back to our web server? I recently took over our web server and site management in the interim while we hire someone that is trained in this (I know how to do some maintenance on the server and our site, but not a lot).
This could work behind a proxy server, but the proxy server would have to be willing to proxy requests for files under http://thedomain.com/.well-known/acme-challenge/ by forwarding those requests on to your back-end server. If the proxy doesn’t do that and can’t be configured to do that, you can no longer renew your certificate via this method. So, I would suggest either asking the proxy server operator about that, or taking the proxy server out of the loop at least temporarily.
I’m facing a similar situation. Hosted on Linode and using Sucuri reverse proxy/WAF.
Now, I want to move my WordPress powered site from http to https.
Sucuri provides a free Let’s Encrypt SSL certificate… But how do I enable SSL on my hosting end to make it Full https (strict)?
Does Let’s Encrypt support this configuration where the DNS is pointing to Sucuri WAF instead of my own server?
If the proxy passes web requests through to your server, you can use the HTTP-01 challenge method which is based on being able to create a file in /.well-known/acme-challenge. If the certificate authority requests the file from the proxy and the proxy requests it from your server, that should be fine!
I would suggest starting a new forum thread that mentions the technologies that you’re using in the title.
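The two answers above both come down to one question: does the proxy forward requests for `/.well-known/acme-challenge/` to the back-end? The following is an added example (not code from any poster, Plesk, Sucuri, or Let’s Encrypt) that shows what the HTTP-01 challenge file must contain (the token followed by a dot and the RFC 7638 thumbprint of the ACME account key) and a pre-check that stages a throwaway token in the document root and fetches it back through the public URL, the way the CA would. The function names, `DEMO_JWK` (a constructed, non-functional key), and the local `http.server` standing in for the proxy are all assumptions of this example.

```python
import base64
import hashlib
import json
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Path the ACME server (e.g. Let's Encrypt) fetches for an HTTP-01 challenge (RFC 8555, section 8.3)
CHALLENGE_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the challenge file must contain: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def stage_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """Write the key authorization into <webroot>/.well-known/acme-challenge/<token>."""
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    file_path = os.path.join(challenge_path, token)
    with open(file_path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return file_path


def fetch_challenge(base_url: str, token: str, timeout: float = 5.0):
    """Fetch the challenge the way the CA would: via the public hostname, i.e. through the proxy."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:      # proxy answered, but not with our file (e.g. 404)
        return exc.code, ""
    except (urllib.error.URLError, OSError):   # no answer at all
        return None, ""


def challenge_path_is_forwarded(base_url: str, webroot: str, account_jwk: dict, token: str = None) -> bool:
    """Stage a throwaway token on the back-end and confirm it comes back unchanged via base_url."""
    token = token or b64url(os.urandom(32))
    file_path = stage_challenge(webroot, token, account_jwk)
    try:
        status, body = fetch_challenge(base_url, token)
        return status == 200 and body.strip() == key_authorization(token, account_jwk)
    finally:
        os.remove(file_path)


# Constructed, non-functional JWK used only for this demonstration (not a real account key).
# The extra "alg" member is deliberate: the thumbprint must ignore it.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-demo-modulus", "alg": "RS256"}


def demo(proxy_forwards: bool = True) -> bool:
    """Serve a local webroot and run the pre-check against it. With proxy_forwards=False the
    server serves a different, empty directory, simulating a proxy that answers the challenge
    path itself instead of passing it through to the back-end."""
    backend_root = tempfile.mkdtemp()
    served_root = backend_root if proxy_forwards else tempfile.mkdtemp()
    handler = partial(SimpleHTTPRequestHandler, directory=served_root)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base_url = f"http://127.0.0.1:{server.server_address[1]}"
        return challenge_path_is_forwarded(base_url, backend_root, DEMO_JWK)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("proxy forwards challenge path:", demo(True))        # True
    print("proxy does not forward:", demo(False))              # False
```

On a real host you would call `challenge_path_is_forwarded("http://thedomain.com", "<document root of the site>", <your account JWK>)` from the back-end server itself; a `False` result before you even talk to the CA tells you the proxy is answering `/.well-known/acme-challenge/` on its own, which is exactly the case where the HTTP-01 renewal cannot succeed until the proxy is configured to pass that path through.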
With HTTPS you don’t have a signed certificate that matches the private name that you set in the HOSTS file. If it’s a public domain name that you control, you can get a certificate for it and you can still use the HOSTS file to access it directly by IP address after the certificate is installed. However, the process of getting the certificate can be more complex depending on the exact behavior of the WAF.
If the WAF talks to the back-end server via HTTP instead of HTTPS (which is not necessarily a best practice if they’re not on the same LAN or if there are other devices on that LAN as well), then you could use a self-signed certificate for this purpose for your administration. There is nothing insecure about self-signed certificates when the person who installed them is the only person who accepts them.