Using certbot behind an SSL reverse proxy

Hello,

I've an Apache instance serving as a reverse proxy for various LAN-only hosts. Connection between the reverse proxy and the servers behind is in an untrusted space, so http cannot be used, only https. Here's a sample VHost at the reverse proxy level:

<VirtualHost *:443>
ServerName roundcube.ailesse.info
SSLEngine on
SSLProxyEngine on
ProxyPreserveHost on
SSLCertificateFile /etc/letsencrypt/live/roundcube.ailesse.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/roundcube.ailesse.info/privkey.pem

    ProxyPass / https://roundcube.ailesse.lan/
    ProxyPassReverse / https://roundcube.ailesse.lan/

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>

certbot works fine on the reverse proxy and can properly manage its certificates.

Now on the backend server, the VHost configuration is the following:

<VirtualHost *:443>
ServerName roundcube.ailesse.info
ServerAlias roundcube.ailesse.lan
SSLEngine on
SSLCertificateFile /etc/ssl/private/roundcube.ailesse.info.crt
SSLCertificateKeyFile /etc/ssl/private/roundcube.ailesse.info.key

    <Directory /afs/ailesse.lan/service/www/info/ailesse/roundcube/roundcube/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride all
            RewriteEngine On
            Require all granted
    </Directory>

When I try to run certbot on the backend server, I get the following error:

certbot --apache -d roundcube.ailesse.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for roundcube.ailesse.info
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. roundcube.ailesse.info (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 03b9f3448b6a969e0a33a00c5d90662f.84c6040bfb7011d26bd19be8c62c44cd.acme.invalid from 91.121.52.222:443. Received 1 certificate(s), first certificate had names "*.ailesse.info, ailesse.info"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: roundcube.ailesse.info
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    03b9f3448b6a969e0a33a00c5d90662f.84c6040bfb7011d26bd19be8c62c44cd.acme.invalid
    from 91.121.52.222:443. Received 1 certificate(s), first
    certificate had names "*.ailesse.info, ailesse.info"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

I'm quite unsure on how to configure my system properly. I've searched for examples, but everytime a reverse proxy is used, it is always proxying through http, not https, between the proxy and the backend.

Can someone help me?

By default certbot will use the tls-sni-01 method of verification, which won’t work behind a proxy. You’ll need to force http-01 webroot authentication instead.

 certbot certonly --webroot -w /var/www/html -d example.com
 certbot install --apache
2 Likes

Ah, I should have figured it out, it is indeed working properly using your explanation.

Thanks a lot for your help !

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.