Letsencrypt client behind a reverse Nginx proxy
So the general setup is this:
I have a server with a public Ip address (I will call this the frontend machine) that runs Nginx and serves a few webpages that are secured with Letsencrypt certificates.
Now we want added a new machine (Let's call this the backend machine) running a another webapp and several other applications that need to be secured by SLL certificates from Letsencrypt. The webapp is served by Apache and is on it's own subdomain behind a reverse proxy on the frontend machine.
Normally I would just terminate the SSL on the frontend machine and talk HTTP with the backend machine, but in this case that is not possible. The backend machine needs to be the one that has the SSL certificates for the subdomain. So I thought I would just set up a reverse proxy that does not add any headers to forward all requests to that domain to the backend server. My Nginx config on the frontend machine looks like this:
#sub.domain.com
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name sub.domain.com;
error_log /var/log/nginx/subdomain.error.log;
location / {
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass https://192.168.11.3;
proxy_ssl_verify off;
proxy_read_timeout 90;
proxy_redirect https://192.168.11.3 https://sub.domain.com;
}
}
server {
listen 80;
listen [::]:80;
server_name sub.domain.com;
location / {
proxy_pass http://192.168.11.3;
proxy_read_timeout 90;
proxy_redirect http://192.168.11.3 http://sub.domain.com;
}
}
Then I tried requesting a certificate from Letsencrypt on the backend machine with the "temporary webserver" function from letsencrypt, but it gives the following error:
Domain: sub.domain.com
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
{LONG TOKEN REMOVED}.acme.invalid
from XXX.XXX.XXX.XXX:443. Received 2 certificate(s), first
certificate had names "othersub.domain.com"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
So my question is: how can I make this work? My thoughts were that the frontend reverse proxy should be able to forward the request that letsencrypt makes to the webserver to verify the client, but it doesnt seem to work. Any help is appreciated!
You will still need to terminate the SSL request at the frontend nginx machine, by installing the certificate for the sub.domain.com on the frontend machine. Just like you'd do if you were to speak http in a reverse proxy scenario. The only difference in this case is that you'll need to have a valid certificate agreement between the backend and frontend machines too.