SSL cert creation behind reverse proxy

I want to create SSL certs for domains / subdomains that can only be accessed after a reverse proxy.
There’s no single web server but multiple servers offering different web services. Having only 1 public IP the requests are directed to the relevant server by the reverse proxy server.
This reverse proxy has SSL termination enabled + any http request will be redirected to https.

I’ve installed certbot on a Proxmox VE server and started cert creation with option “standalone”. However the verification failed; here’s the log output:
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 503


What is the recommended procedure for cert creation considering this setup (reverse proxy + Proxmox VE)?

My domain is:
I ran this command:
certbot certonly
It produced this output:
Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authori
zation :: Invalid response from
[]: 503
My web server is (include version):
The operating system my web server runs on is (include version):
Debian 9.4
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I also use Proxmox and a reverse proxy approach.

Assuming you are using haproxy, it’s a pretty simple matter of routing requests to the Certbot backend:

frontend ft_http
  mode http
  bind :80

  acl acl_letsencrypt path_beg /.well-known/acme-challenge/
  use_backend be_letsencrypt if acl_letsencrypt

  # then whatever else you have ...

backend be_letsencrypt
  server le

and when running Certbot in standalone mode, tell it to listen on :402:

--http-01-port 402

I use acmetool to achieve the same thing, which has a “proxy” mode that is basically standalone on port 402 and creates a combined haproxy certificate file for me, but the reasoning and implementation is identical.

Indeed I run HAProxy, however this service is running on a dedicated server, too.
This means on Proxmox VE server there's only another service running:
Firewall (shorewall)

What is the relevant configuration of HAProxy?
And do I need to open a firewall port?


I’m afraid I don’t understand what you mean.

As long as haproxy is routing requests to Certbot in the way I suggested, no firewall changes are required, as long as you can reach haproxy on port 80 from the outside internet.

I can reach HAProxy on port 80 from outside.
But any request on port 80 will be redirected to port 443 + SSL termination on HAProxy.
This means any service (behind HAProxy) is listening on port 80 but only accessible on port 443 from outside. Hereby I don’t need SSL certs on any server but only on HAProxy.

Yeah, that’s what I understood from your question too.

However, since the acme-challenge HTTP requests arrive over port 80 anyway, you may as well just put the ACL into the port 80 frontend on the haproxy server.

If you want, you could put the ACL into the port 443 frontend block, makes practically no difference, as long as your HTTP-to-HTTPS redirect retains the URL path correctly.

There’s no seperation of HTTP and HTTPS frontends respectively. If I seperate it, I get 503 when calling HTTP service while HTTPS is working.

Well, if you care to post your full haproxy.cfg, I’d be happy to show you how to configure it for Certbot in standalone mode.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.