Let's Encrypt certificate renewal fails for proxied sites

Discussion in 'Installation/Configuration' started by Etcetera, Jul 29, 2018.

  1. Etcetera

    Etcetera New Member HowtoForge Supporter

    Let's Encrypt certificate renewal fails for proxied sites – which of course would have been expected behaviour, had I thought about it earlier.

    On one of my ISPConfig-managed servers I have three websites which are served by separate services on different ports, for which Apache acts as a proxy + reverse proxy, adding SSL and serving the content via port 443, using a Let's Encrypt certificate. When I had to temporarily disable the proxying configuration snippet in ISPConfig in order to enable SSL and create the certificate in the first place, I should have suspected that automatic renewal might encounter a problem...

    My question now is, might there perhaps be any way around manually renewing the certificates every three months, with disabling proxying before and re-enabling it after the act?

    I fear that there will, come time, come more services I'd like to serve in a similar way...

    Cheers,
    Etc
     
  2. ahrasis

    ahrasis Well-Known Member

    You can try to use DNS to issue your Let's Encrypt certs, depending on your DNS server type.

    I wrote a tip and trick for using certbot via cloudflare dns (and bind dns) server here.

    I am writing the same for ISPConfig, but it would take some time before I could finish it properly.
     
  3. Etcetera

    Etcetera New Member HowtoForge Supporter

    I haven't yet fully grasped what's happening in the ISPConfig-generated .vhost files, but although I find this twice there (once for :80, once for :443):
    Code:
        # ISPConfig-generated: stop rewrite processing for ACME challenge requests
        RewriteEngine on
        RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
        RewriteRule ^ - [END]
    I find that adding this:
    Code:
        # Leave ACME challenge requests untouched before any proxy/rewrite rules
        RewriteEngine on
        RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge [NC]
        RewriteRule .* - [L]
    either in the site's root .htaccess file or ISPConfig's Apache directives field, before any specific Rewrite or Proxy/ReverseProxy rules, seems to do the trick.
     
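The pattern described in this thread, written out as a complete Apache vhost pair, is shown below as an added example; it is not code from the thread, from ISPConfig or from Let's Encrypt. The hostname example.com, the document root /var/www/example.com/web and the backend on 127.0.0.1:8080 are placeholders. It assumes the proxying is done with mod_proxy's ProxyPass, for which the documented way to exempt a path is a ProxyPass exclusion (the `!` target); the exclusion has to be listed before the catch-all ProxyPass, because mod_proxy evaluates ProxyPass directives in configuration order and the first match wins. If the site is proxied through RewriteRule with the [P] flag instead, the rewrite-based exclusion from the post above, placed before that rule, is the one that applies.

```apache
# Port 80: serve the ACME HTTP-01 challenge files locally, redirect everything else.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com/web

    RewriteEngine on
    # Challenge requests end rewrite processing here and fall through to DocumentRoot.
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    # Every other request is redirected to HTTPS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: TLS termination plus reverse proxy to the backend service.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com/web

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # The ACME client writes its token files into this directory; it must be
    # readable by the web server but nothing else under the root needs to be.
    <Directory /var/www/example.com/web/.well-known/acme-challenge>
        Options -Indexes
        Require all granted
    </Directory>

    ProxyRequests Off
    ProxyPreserveHost On

    # Exclusion FIRST: challenge requests are answered from DocumentRoot,
    # never forwarded to the backend. Ordering matters for ProxyPass.
    ProxyPass /.well-known/acme-challenge/ !

    # Catch-all proxy for the actual application.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

After reloading Apache, a quick way to confirm the exclusion is in effect is to drop a test file into the acme-challenge directory and fetch it over both http and https: the response should be the file's content from the local document root, not whatever the backend returns for unknown paths. `certbot renew --dry-run` then exercises the real renewal path without issuing a certificate.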
