Using certbot when reverse proxying to a container

I have a setup where I have a host system saturn that runs multiple containers using the LXD hypervisor. Apache is configured to reverse proxy to specific containers, which run on private internal IPs. SSL certificates are stored on saturn and configured in the container-specific Apache virtual host. This seems to pose a problem when using certbot. Let’s use titan as an example of a container running on saturn. All of the challenge methods seem to be invalid:

  • I can’t spawn a server on port 80 because Apache is always bound to port 80 on saturn.
  • I can’t put a file in the webroot because the webroot only exists inside titan, and certbot doesn’t know how to reach inside it.
  • I can’t make DNS changes dynamically as there’s no API to do so in my organization.

What could I do to use certbot in this situation?

Apache 2.4.6, CentOS 7, Certbot 1.3.0; I have root access.

The --apache plugin should work, because:

Certbot's --apache plugin temporarily modifies the virtual host to add a special handler for /.well-known/acme-challenge/, so that it's served locally rather than forwarded to titan.

So in effect, the reverse proxying remains the same, except for a single exclusion for that path, which will be served directly from saturn.

Once the domain validation is complete, Certbot's Apache plugin reverts the change.

If that doesn't work, then something is wrong with the plugin or your Apache configuration. You can also try to achieve the same effect with a manually configured exclusion.

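A manually configured exclusion of the kind the answer above refers to, as an added example that is not part of the original thread and not Certbot's own code. The host name titan.example.com, the challenge directory /var/www/acme and the container's internal address 10.0.3.10 are assumptions for illustration; substitute the real values for your setup. It needs mod_alias and mod_proxy (with mod_proxy_http) loaded on saturn.

```apache
# Port-80 virtual host on saturn for the container titan.
<VirtualHost *:80>
    ServerName titan.example.com

    # Assumption: /var/www/acme is a directory on saturn owned by root,
    # readable by the Apache user. Certbot writes the challenge token to
    # /var/www/acme/.well-known/acme-challenge/<token>.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # The exclusion MUST come before the catch-all ProxyPass: mod_proxy
    # applies ProxyPass rules in configuration order, first match wins.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else is forwarded to the container (assumed internal IP).
    ProxyPreserveHost On
    ProxyPass        / http://10.0.3.10/
    ProxyPassReverse / http://10.0.3.10/
</VirtualHost>
```

After reloading Apache, confirm the exclusion works before involving Certbot: place a file under /var/www/acme/.well-known/acme-challenge/ and fetch it over plain HTTP from outside saturn; the response must come from saturn, not from titan. Then run certbot certonly --webroot -w /var/www/acme -d titan.example.com, which places the token in that directory and never needs to reach inside the container. If the port-80 virtual host also redirects all traffic to HTTPS, that redirect must skip /.well-known/acme-challenge/ as well, or the validation request will be bounced to the TLS host before it reaches the Alias.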
