SSL cert creation behind reverse proxy

cmonty14 · March 18, 2018, 11:16pm

Hi!
I want to create SSL certs for domains / subdomains that can only be accessed after a reverse proxy.
There’s no single web server but multiple servers offering different web services. Having only 1 public IP the requests are directed to the relevant server by the reverse proxy server.
This reverse proxy has SSL termination enabled + any http request will be redirected to https.

I’ve installed certbot on a Proxmox VE server and started cert creation with option “standalone”. However the verification failed; here’s the log output:
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel): biszumbitterenen.de
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for biszumbitterenen.de
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. biszumbitterenen.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://biszumbitterenen.de/.well-known/acme-challenge/-d4Pf49aKv9B-U0hKzrri05UuvE6o2Cwd9zpQwfsAp8 [78.94.230.158]: 503

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: biszumbitterenen.de
Type: unauthorized
Detail: Invalid response from
http://biszumbitterenen.de/.well-known/acme-challenge/-d4Pf49aKv9B-U0hKzrri05UuvE6o2Cwd9zpQwfsAp8
[78.94.230.158]: 503

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

What is the recommended procedure for cert creation considering this setup (reverse proxy + Proxmox VE)?

My domain is:
biszumbitterenen.de
I ran this command:
certbot certonly
It produced this output:
Failed authorization procedure. biszumbitterenen.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authori
zation :: Invalid response from http://biszumbitterenen.de/.well-known/acme-challenge/JKAs47KiNtF8Ah0kahoJ2kTAszj-Wi6TB_zB7bPp2Qc
[78.94.230.158]: 503
My web server is (include version):
n/a
The operating system my web server runs on is (include version):
Debian 9.4
My hosting provider, if applicable, is:
Unitymedia
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
n/a

_az · March 18, 2018, 11:22pm

I also use Proxmox and a reverse proxy approach.

Assuming you are using haproxy, it’s a pretty simple matter of routing requests to the Certbot backend:

frontend ft_http
  mode http
  bind :80

  acl acl_letsencrypt path_beg /.well-known/acme-challenge/
  use_backend be_letsencrypt if acl_letsencrypt

  # then whatever else you have ...

backend be_letsencrypt
  server le 127.0.0.1:402

and when running Certbot in standalone mode, tell it to listen on :402:

--http-01-port 402

I use acmetool to achieve the same thing, which has a “proxy” mode that is basically standalone on port 402 and creates a combined haproxy certificate file for me, but the reasoning and implementation is identical.

cmonty14 · March 18, 2018, 11:31pm

Indeed I run HAProxy, however this service is running on a dedicated server, too.
This means on Proxmox VE server there's only another service running:
certbot
Firewall (shorewall)

What is the relevant configuration of HAProxy?
And do I need to open a firewall port?

THX

_az · March 18, 2018, 11:35pm

I’m afraid I don’t understand what you mean.

As long as haproxy is routing requests to Certbot in the way I suggested, no firewall changes are required, as long as you can reach haproxy on port 80 from the outside internet.

cmonty14 · March 18, 2018, 11:43pm

I can reach HAProxy on port 80 from outside.
But any request on port 80 will be redirected to port 443 + SSL termination on HAProxy.
This means any service (behind HAProxy) is listening on port 80 but only accessible on port 443 from outside. Hereby I don’t need SSL certs on any server but only on HAProxy.

_az · March 19, 2018, 12:46am

Yeah, that’s what I understood from your question too.

However, since the acme-challenge HTTP requests arrive over port 80 anyway, you may as well just put the ACL into the port 80 frontend on the haproxy server.

If you want, you could put the ACL into the port 443 frontend block, makes practically no difference, as long as your HTTP-to-HTTPS redirect retains the URL path correctly.

cmonty14 · March 19, 2018, 6:12am

There’s no seperation of HTTP and HTTPS frontends respectively. If I seperate it, I get 503 when calling HTTP service while HTTPS is working.

_az · March 19, 2018, 7:12am

Well, if you care to post your full haproxy.cfg, I’d be happy to show you how to configure it for Certbot in standalone mode.

system · April 18, 2018, 7:12am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.