Let's Encrypt certificate renewal fails for proxied sites

Discussion in 'Installation/Configuration' started by Etcetera, Jul 29, 2018.

  1. Etcetera

    Etcetera Member HowtoForge Supporter

    Let's Encrypt certificate renewal fails for proxied sites – which of course would have been expected behaviour, had I thought about it earlier.

    On one of my ISPConfig-managed servers I have three websites which are served by separate services on different ports, for which Apache acts as a proxy + reverse proxy, adding SSL and serving the content via port 443, using a Let's Encrypt certificate. When I had to temporarily disable the proxying configuration snippet in ISPConfig in order to enable SSL and create the certificate in the first place, I should have suspected that automatic renewal might encounter a problem...

    My question now is, might there perhaps be any way around manually renewing the certificates every three months, disabling proxying beforehand and re-enabling it afterwards?

    I fear that, in time, there will be more services I'd like to serve in a similar way...

    Cheers,
    Etc
     
  2. Etcetera

    Etcetera Member HowtoForge Supporter

    I haven't yet fully grasped what's happening in the ISPConfig-generated .vhost files, but although I find this twice there (once for :80, once for :443):
    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    I find that adding this:
    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge [NC]
    RewriteRule .* - [L]
    either in the site's root .htaccess file or ISPConfig's Apache directives field, before any specific Rewrite or Proxy/ReverseProxy rules, seems to do the trick.
     
    ahrasis likes this.
  3. SamTzu

    SamTzu Active Member

    Tried this but it did not allow Certbot to renew SSL cert.
    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge [NC]
    RewriteRule .* - [L]
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /otherservice !
    ProxyPass / http://127.0.0.1:8069/
    ProxyPassReverse / http://127.0.0.1:8069/
     
  4. Etcetera

    Etcetera Member HowtoForge Supporter

    Seems I forgot about this thread that I had opened; I should have followed up on it earlier... This is what I've found to work for me in the meantime; I got rid of the additional rewrite rules completely:
    Code:
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
     
    SSLProxyEngine On
    ProxyRequests On
    ProxyPreserveHost On
    ProxyPass /.well-known/ !
    ProxyPass /stats !
    ProxyPass / http://127.0.0.1:4567/
    ProxyPassReverse / http://127.0.0.1:4567/
     
    ahrasis and till like this.
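As an added check that is not part of this thread or of ISPConfig, the Python script below scans a vhost snippet for the three pitfalls discussed here: a catch-all ProxyPass reached before any `!` exclusion for /.well-known/acme-challenge/ (mod_proxy tries ProxyPass prefixes in configuration order and the first match wins), a RewriteRule-only exemption (it ends rewriting but does not cancel ProxyPass, so the challenge is still proxied), and ProxyRequests On, which the working config above carries but which only enables forward proxying and is not needed for a reverse proxy. The function name and the embedded sample configs are constructed for the example; ProxyPass matching is simplified to a string-prefix test.

```python
# Static check for the ACME-renewal pitfalls in this thread: a catch-all ProxyPass that
# swallows the challenge path (first matching ProxyPass wins, so an exclusion must come
# first), a RewriteRule-only exemption, and ProxyRequests On (forward proxying enabled).
ACME = "/.well-known/acme-challenge/"

def check_acme_proxy_config(conf: str) -> list[str]:
    """Return findings for an Apache vhost snippet; an empty list means it passes."""
    findings, proxypass = [], []                  # proxypass: (prefix, target) in file order
    proxy_requests_on = rewrite_exempt = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("<"):      # skip blanks and <Proxy ...> tags
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "proxypass" and len(parts) >= 3:
            proxypass.append((parts[1], parts[2]))
        elif key == "proxyrequests" and len(parts) > 1 and parts[1].lower() == "on":
            proxy_requests_on = True
        elif key == "rewritecond" and "acme-challenge" in line:
            rewrite_exempt = True                 # a RewriteRule-based exemption was attempted
    acme_excluded = False
    for prefix, target in proxypass:              # configuration order; first match wins
        if ACME.startswith(prefix):               # simplified prefix match
            acme_excluded = target == "!"
            if not acme_excluded:
                findings.append(f"'ProxyPass {prefix} {target}' forwards the ACME path to "
                                f"the backend; put 'ProxyPass {ACME} !' above it")
            break
    if rewrite_exempt and not acme_excluded:
        findings.append("'RewriteRule ... - [L]' only ends rewriting and does not cancel "
                        "ProxyPass; use a 'ProxyPass ... !' exclusion instead")
    if proxy_requests_on:
        findings.append("ProxyRequests On enables forward proxying, which a reverse proxy "
                        "does not need and which can expose the host as an open proxy; set it Off")
    return findings

# Constructed sample mirroring the rewrite-only attempt from the thread.
REWRITE_ONLY = """RewriteEngine on
RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge [NC]
RewriteRule .* - [L]
ProxyPass /otherservice !
ProxyPass / http://127.0.0.1:8069/
ProxyPassReverse / http://127.0.0.1:8069/"""
# Constructed hardened form of the working config: exclusion first, no forward proxying.
HARDENED = """ProxyRequests Off
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / http://127.0.0.1:4567/
ProxyPassReverse / http://127.0.0.1:4567/"""
```

Run it against your own vhost with `check_acme_proxy_config(open(path).read())` before the next renewal window; an empty list means the challenge path is served from disk and no forward proxying is enabled.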
