Koozali.org: home of the SME Server

Offline newreal

LetsEncrypt and ProxyPassVirtualHost solution
« on: October 04, 2017, 08:44:16 PM »
Hi,

I often install an SME Server as the front end, with some other servers installed in the LAN (owncloud, syncthing, backuppc ...).

I want to have a dedicated subdomain for each service and a dedicated SSL cert for each subdomain.

For example, the owncloud server is running on 192.168.90.95. I configure a subdomain 'docs' and ask the SME server to ProxyPass requests for docs.exemple.be to http://192.168.90.95/

Code:
    db domains setprop docs.exemple.be letsencryptSSLcert enabled ProxyPassTarget http://192.168.90.95/ TemplatePath ProxyPassVirtualHosts Description "owncloud reverse proxy"

Unfortunately, when requesting the SSL cert with
Code:
    dehydrated -c -x
the request for /.well-known/acme-challenge/XXXX is sent to the owncloud server.

What needs to be done is to tell the SME server not to proxy the requests for /.well-known/acme-challenge/ to the LAN server.

To solve that, I've made two template fragments:

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts/04well-known-challenge
Code:
    #Alias for letsencrypt
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
    #

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts/27Well-known-challenge
Code:
    # Alias exception for letsencrypt
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    #

Now it works.
« Last Edit: October 04, 2017, 08:46:07 PM by newreal »

Offline Stefano

Re: LetsEncrypt and ProxyPassVirtualHost solution
« Reply #1 on: October 04, 2017, 09:03:28 PM »
Thank you for your input and feedback.
Would you mind asking for wiki access and amending it?
Thank you

Offline newreal

Re: LetsEncrypt and ProxyPassVirtualHost solution
« Reply #2 on: October 04, 2017, 09:27:11 PM »
Request sent.

Offline ReetP

Re: LetsEncrypt and ProxyPassVirtualHost solution
« Reply #3 on: October 04, 2017, 11:42:20 PM »
Is that on a manual install? I think the contrib should do the alias at least? Look for an acme challenge template.

I also have some notes on proxying with letsencrypt for Rocketchat. Will take a look tomorrow and post some configs.

Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline newreal

Re: LetsEncrypt and ProxyPassVirtualHost solution
« Reply #4 on: October 06, 2017, 06:27:14 PM »
John

Is that on a manual install? I think the contrib should do the alias at least? Look for an acme challenge template.

I used
Code:
    yum install smeserver-letsencrypt --enablerepo=smecontribs
Then I had to add my two fragments to make it work on a reverse proxy config.

Regards
Newreal

Offline ReetP

Re: LetsEncrypt and ProxyPassVirtualHost solution
« Reply #5 on: October 06, 2017, 07:15:30 PM »
Ahhh OK, I get it now. I had to do something similar on RocketChat.

On a stock Letsencrypt install you will see this:

Code:
    cat /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/40ACME
    # Alias for letsencrypt
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/

But that doesn't work on a Proxy Virtual Host.

On RocketChat, to make sure I didn't interfere with the stock Proxy templates (I didn't want to break anything !!!), I created a completely new directory and files just for the particular Proxy host, e.g.

Code:
    db domains setprop docs.exemple.be letsencryptSSLcert enabled ProxyPassTarget http://192.168.90.95/ TemplatePath ProxyPassVirtualHostsOwnCloud Description "owncloud reverse proxy"

Then you can make your own directory like this

Code:
    mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ProxyPassVirtualHostsOwnCloud

Then copy over any templates from the existing ProxyPassVirtualHosts directory that you require and add your own.

That way it keeps it separate from anything else.

It might be an idea to get the Letsencrypt contrib to add the 40ACME file and the ProxyPassMatch line into ProxyPassVirtualHosts by default. You should probably open a bug on that.

HTH

B. Rgds
John
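Added example (not code from this thread or from the smeserver-letsencrypt contrib): a small Python model of how Apache evaluates the directives that newreal's two fragments and ReetP's custom template directory end up producing in the proxy vhost. ProxyPass and ProxyPassMatch rules are checked in order and the first match wins, so the "!" exclusion only keeps the ACME challenge on the SME box when it precedes the catch-all ProxyPass; the two vhost snippets are constructed for the example, reusing the thread's Alias target and backend address.

```python
import re
from dataclasses import dataclass

# Constructed sample of the directives the two fragments plus the stock ProxyPass
# produce inside the docs.exemple.be vhost (assumed layout, not a real httpd.conf).
VHOST_GOOD = """
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
ProxyPassMatch ^/.well-known/acme-challenge/ !
ProxyPass / http://192.168.90.95/
"""
# Same directives with the exclusion placed after the catch-all ProxyPass.
VHOST_BAD = """
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
ProxyPass / http://192.168.90.95/
ProxyPassMatch ^/.well-known/acme-challenge/ !
"""

@dataclass
class Decision:
    proxied: bool
    target: str  # backend URL when proxied, local filesystem path otherwise

def parse(conf):
    # Keep the ordered (directive, pattern, target) triples we model.
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("ProxyPass", "ProxyPassMatch", "Alias"):
            rules.append(tuple(parts))
    return rules

def resolve(conf, path):
    # mod_proxy checks ProxyPass* rules in order, first match wins, "!" = do not proxy.
    rules = parse(conf)
    for kind, pattern, target in rules:
        if kind == "ProxyPass" and path.startswith(pattern):
            if target == "!":
                break
            return Decision(True, target + path[len(pattern):])
        if kind == "ProxyPassMatch" and re.match(pattern, path):
            if target == "!":
                break
            return Decision(True, target)
    for kind, prefix, directory in rules:  # Alias is only consulted afterwards
        if kind == "Alias" and path.startswith(prefix):
            return Decision(False, directory + path[len(prefix):])
    return Decision(False, path)  # served from the vhost DocumentRoot

def challenge_stays_local(conf, token="test-token"):
    # True when an ACME HTTP-01 probe would be answered by the SME box itself.
    return not resolve(conf, "/.well-known/acme-challenge/" + token).proxied
```

Running challenge_stays_local against the two snippets shows the same Alias line passing in one and failing in the other, which is the symptom newreal hit before adding the 27Well-known-challenge fragment.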