certbot on site tunneled to internal network HTTP site

I have a cloud server running Ubuntu 20.04, a configured domain to the cloud server, and a server in my local network serving an HTTP website. I have successfully tunneled my local network server HTTP website to my cloud server - accessible internally on the cloud server via port 8080 (8080 blocked externally via ufw). I have set up apache2 to allow HTTP access to the tunneled site via an apache /etc/apache2/sites-available/ config file. I allowed HTTPS for the cloud server via ufw, and want to get certbot to generate a valid HTTPS certificate and configuration for the domain, which is tunneled to the internal network server.

Unfortunately, every time I try to set up certbot for an HTTPS certificate, it wants me to have the /.well-known/acme-challenge/******* file on the server (which it generates), and it fails; it cannot create the page on my local network server. I only have port 80 forwarded to the cloud server - not the filesystem. I found a manual way to run certbot, but it still failed: certbot certonly --manual -d example.com.

I was able to access the site via port 80, but I don't have anything set up to successfully view the page on the HTTPS port - which I think is why certbot is failing.

I'm not sure of an optimal way to correct this. I just went to try something else, but I got a "There were too many requests of a given time :: Error creating new order :: too many failed authorizations recently" - then a link to letsencrypt rate-limits. So, it looks like I've got an hour before I can try again - and I'd like to make sure I do it right this next time. I have a few more domains to set up this way, so I would like to be efficient. I can imagine maybe mounting the server filesystem via sshfs temporarily for certbot, but I'd like a quicker method...

Any tips or suggestions, or glaring issues with my configuration?


Solution 1:

There are two options here:

  1. Place the ACME challenge file on your local server in the /.well-known/acme-challenge directory.
  • Run the certbot certonly --manual -d example.com command on your cloud server to get the challenge file name and content. Do not continue with certbot yet.
  • Create the file on your local server in the <webroot>/.well-known/acme-challenge directory with that content.
  • Verify that you can load http://example.com/.well-known/acme-challenge from the cloud server.
  • Continue in certbot by pressing enter.

After these steps, LE servers should be able to verify your challenge, and certbot will place the certificate files under /etc/letsencrypt/live/example.com directory.

The downside of this method is that the automatic renewal feature does not work, because certbot running on the cloud server cannot update the challenge file on your local server.

  2. Place the ACME challenge file on your cloud server and configure a special directory in the virtual host.

In this case, you need to change the cloud server's virtual host configuration so that the /.well-known/acme-challenge directory is served from the cloud server's own file system. Unfortunately I cannot give detailed steps for this.

After this setup is done, certbot's automatic verification feature should work.

Let's Encrypt does not need to communicate over HTTPS at any point. In fact, since there is no certificate yet, that communication is impossible.
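An example Apache virtual host for the second option, added here as illustration and not part of the original answer: it serves only the ACME challenge path from the cloud server's disk and proxies everything else to the tunnel on port 8080 (from the question). The webroot /var/www/acme is an assumed path; pick any directory the Apache user can read.

```apache
<VirtualHost *:80>
    ServerName example.com

    # Serve ACME challenges from the cloud server's own filesystem.
    # /var/www/acme is an assumed webroot; certbot --webroot writes the
    # token into <webroot>/.well-known/acme-challenge/<token>.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # The exclusion ("!") must precede the catch-all ProxyPass, otherwise
    # the challenge request is forwarded to the internal server, which does
    # not have the token, and validation fails exactly as in the question.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else goes to the tunneled internal site (needs mod_proxy
    # and mod_proxy_http: a2enmod proxy proxy_http). 8080 stays blocked
    # externally by ufw; only Apache on localhost reaches it.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

After `systemctl reload apache2`, `mkdir -p /var/www/acme` and `certbot certonly --webroot -w /var/www/acme -d example.com` validates over plain HTTP on port 80 and, because certbot can now write the token locally, unattended renewal works too. Keep any HTTP-to-HTTPS redirect you add later from matching /.well-known/acme-challenge/, or renewals will break again.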