Hello,
I've an Apache instance serving as a reverse proxy for various LAN-only hosts. Connection between the reverse proxy and the servers behind is in an untrusted space, so http cannot be used, only https. Here's a sample VHost at the reverse proxy level:
<VirtualHost *:443>
    ServerName roundcube.ailesse.info
    SSLEngine on
    SSLProxyEngine on
    ProxyPreserveHost on
    SSLCertificateFile /etc/letsencrypt/live/roundcube.ailesse.info/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/roundcube.ailesse.info/privkey.pem
    ProxyPass / https://roundcube.ailesse.lan/
    ProxyPassReverse / https://roundcube.ailesse.lan/
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
certbot works fine on the reverse proxy and can properly manage its certificates.
Now on the backend server, the VHost configuration is the following:
<VirtualHost *:443>
    ServerName roundcube.ailesse.info
    ServerAlias roundcube.ailesse.lan
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/roundcube.ailesse.info.crt
    SSLCertificateKeyFile /etc/ssl/private/roundcube.ailesse.info.key
    <Directory /afs/ailesse.lan/service/www/info/ailesse/roundcube/roundcube/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        RewriteEngine On
        Require all granted
    </Directory>
</VirtualHost>
When I try to run certbot on the backend server, I get the following error:
certbot --apache -d roundcube.ailesse.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for roundcube.ailesse.info
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. roundcube.ailesse.info (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 03b9f3448b6a969e0a33a00c5d90662f.84c6040bfb7011d26bd19be8c62c44cd.acme.invalid from 91.121.52.222:443. Received 1 certificate(s), first certificate had names "*.ailesse.info, ailesse.info"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: roundcube.ailesse.info
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   03b9f3448b6a969e0a33a00c5d90662f.84c6040bfb7011d26bd19be8c62c44cd.acme.invalid
   from 91.121.52.222:443. Received 1 certificate(s), first
   certificate had names "*.ailesse.info, ailesse.info"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
I'm quite unsure how to configure my system properly. I've searched for examples, but every time a reverse proxy is used, it is always proxying through http, not https, between the proxy and the backend.
Can someone help me?
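To see what the validator saw, here is an added diagnostic (my example, not code from the original post or from certbot): it opens a TLS connection with the challenge name as SNI, reports which DNS names are on the certificate that came back, and classifies the result the way the ACME error above does. The host and SNI you pass to probe() are your own choice; SAMPLE_SAN_EXT is a constructed byte string mirroring the names quoted in the error, not a real certificate.

```python
import socket
import ssl
SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 = subjectAltName

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag + length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def san_dns_names(der: bytes) -> list:
    """dNSName entries of a DER certificate's subjectAltName (minimal ASN.1 walk)."""
    idx = der.find(SAN_OID)
    if idx < 0:
        return []
    pos = idx + len(SAN_OID)
    if der[pos] == 0x01:  # optional BOOLEAN 'critical' flag precedes the value
        pos = _tlv(der, pos)[2]
    _, start, _ = _tlv(der, pos)  # OCTET STRING wrapping the extension value
    _, pos, end = _tlv(der, start)  # SEQUENCE OF GeneralName
    names = []
    while pos < end:
        tag, vstart, vend = _tlv(der, pos)
        if tag == 0x82:  # [2] dNSName (IA5String)
            names.append(der[vstart:vend].decode("ascii"))
        pos = vend
    return names

def classify(requested_sni: str, served_names: list) -> str:
    """Verdict in the spirit of the ACME server's own error message."""
    if requested_sni in served_names:
        return "ok"  # the challenge certificate reached the validator
    if any(n.endswith(".acme.invalid") for n in served_names):
        return "stale-challenge"  # a validation cert, but not this challenge's
    return "wrong-endpoint"  # a proxy or default vhost answered with its own cert

def probe(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> list:
    """Send `sni` as TLS server_name to host:port, like the validator did, and
    return the DNS names on whatever certificate came back (deliberately unverified)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return san_dns_names(tls.getpeercert(binary_form=True))

SAMPLE_SAN_EXT = (bytes.fromhex("3027") + SAN_OID + bytes.fromhex("0420301e")  # constructed sample, not a real cert
                  + b"\x82\x0e*.ailesse.info" + b"\x82\x0cailesse.info")
```

Comparing what probe() returns for the challenge name when run from outside against what the backend answers on the LAN shows which host actually served the validator's SNI. tls-sni-01 has since been retired by Let's Encrypt, but the same SNI probe still shows which certificate a front end hands out for a given name.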