Server1 is the reverse proxy for Server2.
Server1 is not sending the request for /.well-kno**** to Server2.
I’m not an apache anything, never mind expert, but it appears that the alias in letsencrypt.conf on Server1 is forcing the request to the conf defined directory in Server1 instead of passing it to Server2.
Is there a discussion here on why we’re doing it that way?
If I scp the cert from Server1 then both have the same cert with all the server names.
edit:
I’m still working this through.
The Internetz tell me:
Alias allows us to use this path globally over all virtualhosts.
ProxyPass /.well-known/acme-challenge ! will negate any proxy handling on this path
and, this post brings more confusion
current virtualhosts.conf:
#
# Default virtualhost for proxypass
#
<VirtualHost *:80>
    IncludeOptional conf.d/default-virtualhost.inc
</VirtualHost>
#
# Virtual Host hostname.domain.com - *:443
# Description :
<VirtualHost *:443>
    ServerName hostname.domain.com
    #20ssl_engine
    SSLEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass / http://192.168.124.227/ max=3 retry=30
    ProxyPassReverse / http://192.168.124.227/
    ProxyPreserveHost On
    <Location "/">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
#
# Virtual Host hostname.domain.com - *:80
# Description :
<VirtualHost *:80>
    ServerName hostname.domain.com
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass / http://192.168.124.227/ max=3 retry=30
    ProxyPassReverse / http://192.168.124.227/
    ProxyPreserveHost On
    <Location "/">
        <RequireAll>
            Require all granted
        </RequireAll>
    </Location>
</VirtualHost>
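The posted config and the two rules quoted above ("Alias allows us to use this path globally" and "ProxyPass /.well-known/acme-challenge ! will negate any proxy handling on this path") together explain the behaviour: the `!` tells mod_proxy to decline the challenge path, so the request falls through to the Alias in letsencrypt.conf and is served from Server1's local directory. The following vhost is an added example (not from the thread, and not NethServer's generated template) that forwards the ACME HTTP-01 challenge to Server2 instead. It assumes Server2 is reachable at http://192.168.124.227/, the address used in the posted config, and that hostname.domain.com is the name Server2 is requesting the certificate for.

```apache
# Added example: Server1 vhost that proxies the HTTP-01 challenge to Server2.
# Assumed backend address: http://192.168.124.227/ (taken from the posted config).
<VirtualHost *:80>
    ServerName hostname.domain.com

    # Specific path first: ProxyPass directives are tried in the order they
    # appear and the first match wins, so this must come before the "/" catch-all.
    # Unlike "ProxyPassMatch ^/.well-known/acme-challenge/ !", this keeps the
    # request inside mod_proxy, so the local Alias in letsencrypt.conf never sees it.
    ProxyPass        /.well-known/acme-challenge/ http://192.168.124.227/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/ http://192.168.124.227/.well-known/acme-challenge/

    # Everything else, as in the posted config.
    ProxyPass        / http://192.168.124.227/ max=3 retry=30
    ProxyPassReverse / http://192.168.124.227/
    ProxyPreserveHost On

    <Location "/">
        Require all granted
    </Location>
</VirtualHost>
```

After reloading Apache, `curl -I http://hostname.domain.com/.well-known/acme-challenge/probe` from outside should now return whatever Server2 answers for that path (a 404 from Server2 is fine before a challenge is in flight; a response served from Server1's local directory means the Alias still won). The trade-off is that for a given hostname only one side can answer HTTP-01: once the path is proxied, Server1 can no longer validate that same name for its own certificate, which is why the other suggestion in this thread (all names on Server1's certificate, plain HTTP to Server2 on the LAN) or acme-dns avoids the conflict entirely.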
I’ve watched that discussion. I’d have to change the registrar for one, for two I’m still trying to understand apache and rp well enough to understand why in the hell I can’t forward the challenge to the server requesting the cert when I seem to see examples all over the internetz that it’s done on other vanilla apache installs. It seems a simple thing to me, I can forward any manner of request except /.acme***. The issue is that I can’t sit down and work it through, I only have time to pick at it a bit at a time and this is obviously going to take me more than just a few minutes.
Why? The only thing you’d need to change to use acme-dns would be DNS CNAME records. Unless your registrar locks you into a particular DNS host, and that host doesn’t allow you to set CNAME records, there shouldn’t be any need to change registrars.
I still recommend putting all needed domains in the Let's Encrypt certificate on server1, reverse proxying to server2 and not worrying about certificates on server2 anymore, or using acme-dns.
I didn't test whether it works with letsencrypt, but to change the reverse proxy behavior you may create a custom template on server1:
Thanks for helping, I was under the impression it required an api provided by the dns host, in this case also the registrar. Still working on understanding this.
No, that’s the purpose of acme-dns: It provides that DNS server with an API, so you don’t otherwise need one. But even so, you can switch DNS hosts (e.g., to Cloudflare) without transferring the domain to a different registrar.
I tried this today and it worked fine. The nice thing about this is that all the server names behind the proxy are not listed on any one cert.
Thank you.
I was getting redirect errors for the default nextcloud install on one of the nethserver installs, I could not get it to load /nextcloud this way, otherwise default web worked.