Regarding letsencrypt certs and reverse proxy

NethServer Version: 7.7
Module: httpd

Server1 is the reverse proxy for Server2.
Server1 is not sending the request for /.well-kno**** to Server2.

I’m not an apache anything, never mind expert, but it appears that the alias in letsencrypt.conf on Server1 is forcing the request to the conf defined directory in Server1 instead of passing it to Server2.

Is there a discussion here on why we’re doing it that way?

If I scf the cert from Server1 then both have the same cert with all the server names.

edit;

I’m still working this through.
The Internetz tell me;
Alias allows us to use this path globally over all virtualhosts.
ProxyPass /.well-known/acme-challenge ! will negate any proxy handling on this path

and, this post brings more confusion

current virtualhosts.conf;

#
# Default virtualhost for proxypass
#
<VirtualHost *:80>
    IncludeOptional conf.d/default-virtualhost.inc
</VirtualHost>



#
# Virtual Host hostname.domain.com - *:443
# Description :

<VirtualHost *:443>

    ServerName hostname.domain.com


    #20ssl_engine
    SSLEngine On

    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://192.168.124.227/ max=3 retry=30
    ProxyPassReverse / http://192.168.124.227/

   ProxyPreserveHost On

    <Location "/">
      <RequireAll>
        Require all granted
      </RequireAll>
    </Location>

</VirtualHost>


#
# Virtual Host hostname.domain.com - *:80
# Description :

<VirtualHost *:80>

    ServerName hostname.domain.com




    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://192.168.124.227/ max=3 retry=30
    ProxyPassReverse / http://192.168.124.227/

   ProxyPreserveHost On

    <Location "/">
      <RequireAll>
        Require all granted
      </RequireAll>
    </Location>

</VirtualHost>

[root@server9b conf.d]#

I think to keep letsencrypt working on the main server.
It’s still a common use case.

No need to install certificates on your backend servers with SSL Termination

If you want to use letsencrypt on backend servers you may have a look at acme-dns using DNS instead of web access for issuing the certs:

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

1 Like

I’ve watched that discussion. I’d have to change the registrar for one, for two I’m still trying to understand apache and rp well enough to understand why in the hell I can’t forward the challenge to the server requesting the cert when I seem to see examples all over the internetz that it’s done on other vanilla apache installs. It seems a simple thing to me, I can forward any manner of request except /.acme***. The issue is that I can’t sit down and work it through, I only have time to pick at it a bit at a time and this is obviously going to take me more than just a few minutes.

Why? The only thing you’d need to change to use acme-dns would be DNS CNAME records. Unless your registrar locks you into a particular DNS host, and that host doesn’t allow you to set CNAME records, there shouldn’t be any need to change registrars.

1 Like

I still recommend to put all needed domains to the letsencrypt certificate on server1 and reverse proxy to server2 and don’t mind about certificates on server2 anymore or to use acme-dns.

I didn’t test if it works with letsencrypt but to change the reverse proxy behavior you may create a custom template on server1:

mkdir -p /etc/e-smith/templates-custom/httpd/proxy-extra/
cp /etc/e-smith/templates/httpd/proxy-extra/30ProxyPass /etc/e-smith/templates-custom/httpd/proxy-extra/30ProxyPass

Edit /etc/e-smith/templates-custom/httpd/proxy-extra/30ProxyPass:

Edit the description to show that this is a custom template and comment second line so it should look like:

    # CUSTOM TEMPLATE - Reverse Proxy (NO exclusion of local Letsencrypt challenge path)
    # ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / { ($OUT = $Target) =~ s|/*$|/| } max=3 retry=30
    ProxyPassReverse / { ($OUT = $Target) =~ s|/*$|/| }

Apply the changes:

signal-event nethserver-httpd-save

Now even /acme-challenge/ should be passed to server2. This change affects all reverse proxies.

This could be tested in a few minutes.
If anything goes wrong just erase the custom template and apply changes to get back to the old settings:

rm -rf /etc/e-smith/templates-custom/httpd/proxy-extra/
signal-event nethserver-httpd-save
1 Like

Thanks for helping, I was under the impression it required an api provided by the dns host, in this case also the registrar. Still working on understanding this.

Yes, that works with http & https, non-virtualhost based.

Does not work with a default (non-virtualhost) install of nextcloud; fqdn/nextcloud

No, that’s the purpose of acme-dns: It provides that DNS server with an API, so you don’t otherwise need one. But even so, you can switch DNS hosts (e.g., to Cloudflare) without transferring the domain to a different registrar.

1 Like