Thus the “trick” I’ve been trying to supply.
Probably
/etc/varnish/default.vcl
```vcl
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "195.201.138.70";
    .port = "8080";
}
```
EDIT:
/etc/default/varnish
```
VARNISH_LISTEN_PORT=80
```
@_az I didn't make any changes yet. So, I should give in to the certonly, right? What about the previous certificate that I created?
Yes, but you could add (as I said earlier) another listener on another IP:80. Like:
```
Listen 127.0.0.123:80
```
That will suffice for the certbot listen port 80 check.
Then we simply face the check for FQDNs.
Which can be added as well.
I just need to grasp where…
Please show the apache.conf file.
If you already have a certificate issued, then you can just create a virtual host on Apache, e.g.
```apache
<VirtualHost *:443>
    ServerName leptokaropoulos.gr
    ServerAlias www.leptokaropoulos.gr

    ProxyPass / http://localhost:80/
    ProxyPassReverse / http://localhost:80/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/leptokaropoulos.gr/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/leptokaropoulos.gr/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem
</VirtualHost>
```
I think I understand what @rg305 was suggesting now, sorry for the outburst. Rethinking this through...
Apache listens on 443 (https).
Proxies to port 80 (Varnish), http.
Varnish proxies to 8080, also http.
Yes, this can work.
By seeing @_az's response let me add this last thing (I don’t have a live folder inside /etc/letsencrypt):
```
etc/letsencrypt/
├── accounts
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── [random numbers and characters]
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── cli.ini
├── csr
│   └── 0000_csr-certbot.pem
├── keys
│   └── 0000_key-certbot.pem
├── options-ssl-apache.conf
├── renewal
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre
```
Well, it will be necessary in the end in order to include Varnish in the request path, so if it does cause a loop, it’ll need to be fixed with x-forwarded-proto etc.
Looks like you haven’t created a certificate yet. Give it a try with the certonly command (or the way @rg305 suggested, up to you).
Try:
```
certbot certificates
```
and please show the apache.conf file.
No certs found.
@rg305 do you mean ports.conf or apache2.conf?
Send both if you can; just remove any lines that start with #.
Guys, I found this.
/etc/apache2/ports.conf:
```apache
Listen 8080

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
```
/etc/apache2/apache2.conf:
```apache
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory /var/www/html/>
    AllowOverride All
    Require all granted
    Options Indexes FollowSymLinks
</Directory>

AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
```
Sure, you can use that article. It’s more or less what I was proposing.
The only problem with it is that it’s incompatible with --apache; you’d need to use certonly with --webroot before you set up the HTTPS listener.
The first design is exactly as @_az suggested.
Ok that was lacking...
I need to see what's in these. Try here first:
```
ls -l /etc/apache2/sites-enabled/
```
Probably just a default.conf file; if so, post that here.
Otherwise show the list and post them all!
/etc/apache2/sites-enabled/000-default.conf
```apache
<VirtualHost *:8080>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
```
EDIT:
```
ls /etc/apache2/conf-enabled/
```
```
charset.conf  localized-error-pages.conf  other-vhosts-access-log.conf  security.conf  serve-cgi-bin.conf
```
Yeah, this (and ports.conf) is where it all happens.
Could I make the following new entry (as mentioned by @_az), for simplicity, in ports.conf:
```apache
<VirtualHost *:443>
    ServerName leptokaropoulos.gr
    ServerAlias www.leptokaropoulos.gr

    ProxyPass / http://localhost:80/
    ProxyPassReverse / http://localhost:80/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/leptokaropoulos.gr/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/leptokaropoulos.gr/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/leptokaropoulos.gr/privkey.pem
</VirtualHost>
```
EDIT:
And then (or previously) create a new certificate by using certonly.
I would try this:
Modify the file ports.conf and add
```
Listen 127.0.0.123:80
```
right after
```
Listen 8080
```
Copy 000-default.conf to a new file:
```
cp /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/127-80-default.conf
```
Modify /etc/apache2/sites-enabled/127-80-default.conf and change
```
<VirtualHost *:8080>
```
to
```
<VirtualHost 127.0.0.123:80>
```
Restart the Apache web server, then let certbot do its thing.
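A consistency check for the listener layout this thread converges on (Apache on 443 and 8080, a 127.0.0.123:80 listener for certbot, Varnish owning the public port 80), added here as example code that is not from the thread or from any of its participants. It parses constructed ports.conf and sites-enabled text modelled on the configs above and flags a VirtualHost with no Listen behind it, or a ProxyPass to localhost:80 in a layout where Apache itself answers on port 80, which would loop the request back into Apache instead of handing it to Varnish.

```python
import re

# Constructed sample configs (not from the thread): the proposed ports.conf with the
# 127.0.0.123:80 certbot listener, plus the *:443 proxy vhost and the two plain vhosts.
PORTS_CONF = """
Listen 8080
Listen 127.0.0.123:80
Listen 443
"""
SITES_CONF = """
<VirtualHost *:8080>
</VirtualHost>
<VirtualHost 127.0.0.123:80>
</VirtualHost>
<VirtualHost *:443>
ProxyPass / http://localhost:80/
ProxyPassReverse / http://localhost:80/
SSLEngine on
</VirtualHost>
"""

def parse_listen(conf):
    """Set of (address, port) from Listen lines; a bare port means any address ('*')."""
    return {(m.group(1) or "*", int(m.group(2)))
            for m in re.finditer(r"^\s*Listen\s+(?:(\S+):)?(\d+)\s*$", conf, re.M)}

def parse_vhosts(conf):
    """List of (address, port, [(proxy host, proxy port)]) for each <VirtualHost> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+(\S+?):(\d+)>(.*?)</VirtualHost>", conf, re.S):
        targets = re.findall(r"^\s*ProxyPass\s+\S+\s+https?://([^/:\s]+)(?::(\d+))?", m.group(3), re.M)
        vhosts.append((m.group(1), int(m.group(2)), [(h, int(p or 80)) for h, p in targets]))
    return vhosts

def listens_on(listen, addr, port):
    """True if some Listen directive makes Apache accept connections for addr:port."""
    return any(p == port and (a == "*" or addr == "*" or a == addr) for a, p in listen)

def audit(ports_conf, sites_conf):
    """Findings for vhosts with no listener, or that proxy back into Apache itself."""
    listen, findings = parse_listen(ports_conf), []
    for addr, port, targets in parse_vhosts(sites_conf):
        if not listens_on(listen, addr, port):
            findings.append(f"vhost {addr}:{port} has no matching Listen directive")
        for host, tport in targets:
            # localhost:80 must reach Varnish; if Apache also answers there, the request loops.
            if host in ("localhost", "127.0.0.1") and listens_on(listen, "127.0.0.1", tport):
                findings.append(f"vhost {addr}:{port} proxies to {host}:{tport}, which Apache itself serves")
    return findings

if __name__ == "__main__":
    print(audit(PORTS_CONF, SITES_CONF) or "no listener conflicts found")
```

Replacing the specific `Listen 127.0.0.123:80` with a bare `Listen 80` makes the audit report the self-proxy loop, which is why the thread keeps port 80 bound to a loopback address only.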