Letsencrypt client behind a reverse Nginx proxy

So the general setup is this:

I have a server with a public IP address (I will call this the frontend machine) that runs Nginx and serves a few webpages that are secured with Letsencrypt certificates.

Now we want to add a new machine (let's call this the backend machine) running another webapp and several other applications that need to be secured by SSL certificates from Letsencrypt. The webapp is served by Apache and is on its own subdomain behind a reverse proxy on the frontend machine.

Normally I would just terminate the SSL on the frontend machine and talk HTTP with the backend machine, but in this case that is not possible. The backend machine needs to be the one that has the SSL certificates for the subdomain. So I thought I would just set up a reverse proxy that does not add any headers to forward all requests to that domain to the backend server. My Nginx config on the frontend machine looks like this:

#sub.domain.com
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.com;
    # Note: no ssl_certificate / ssl_certificate_key here; they must be set in
    # this server block or inherited from the http {} block, otherwise nginx
    # refuses to start.

    error_log            /var/log/nginx/subdomain.error.log;

    location / {
        # Forward everything to the backend over HTTPS without checking its
        # certificate. No Host header is set, so the backend sees
        # "Host: 192.168.11.3" rather than "sub.domain.com".
        proxy_pass          https://192.168.11.3;
        proxy_ssl_verify    off;
        proxy_read_timeout  90;
        # Fix the "It appears that your reverse proxy set up is broken" error
        # by rewriting Location headers that point at the backend address.
        proxy_redirect      https://192.168.11.3 https://sub.domain.com;
    }

}

server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.com;

    location / {
        # Plain-HTTP requests are passed through unchanged as well.
        proxy_pass          http://192.168.11.3;
        proxy_read_timeout  90;
        proxy_redirect      http://192.168.11.3 http://sub.domain.com;
    }
}

Then I tried requesting a certificate from Letsencrypt on the backend machine with the "temporary webserver" function from letsencrypt, but it gives the following error:

   Domain: sub.domain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   {LONG TOKEN REMOVED}.acme.invalid
   from XXX.XXX.XXX.XXX:443. Received 2 certificate(s), first
   certificate had names "othersub.domain.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

So my question is: how can I make this work? My thoughts were that the frontend reverse proxy should be able to forward the request that Letsencrypt makes to the webserver to verify the client, but it doesn't seem to work. Any help is appreciated!


You will still need to terminate the SSL request at the frontend nginx machine, by installing the certificate for sub.domain.com on the frontend machine, just like you would if you were speaking HTTP in a reverse proxy scenario. The only difference in this case is that you'll need to have a valid certificate agreement between the backend and frontend machines too.
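The frontend configuration the answer describes, written out as an added example (it is not from the original post or the answer): the frontend holds the Let's Encrypt certificate for sub.domain.com and terminates TLS, answers the ACME http-01 challenge itself from a local webroot, and re-encrypts to the backend while verifying the backend's certificate against an internal CA instead of using `proxy_ssl_verify off`. The certificate paths under /etc/letsencrypt/live/, the webroot /var/www/acme, the CA file /etc/nginx/internal-ca.pem and the assumption that the internal CA issued the backend's certificate for the name sub.domain.com are all assumptions made for this example.

```nginx
# Frontend nginx for sub.domain.com. Added example; the paths, the internal CA
# and the backend certificate name are assumptions, not the poster's setup.

server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.com;

    # Let a certbot run on THIS machine answer the http-01 challenge, e.g.
    #   certbot certonly --webroot -w /var/www/acme -d sub.domain.com
    # The challenge never needs to reach the backend.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.com;

    # Public certificate issued to the frontend for sub.domain.com (assumed path).
    ssl_certificate     /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    error_log /var/log/nginx/subdomain.error.log;

    location / {
        proxy_pass https://192.168.11.3;

        # Verify the backend instead of trusting any certificate it presents.
        # internal-ca.pem holds the internal CA that signed the backend's
        # certificate; that certificate is assumed to carry sub.domain.com,
        # so proxy_ssl_name matches it and the SNI sent to Apache is correct.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                sub.domain.com;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Give Apache the original host, client address and scheme so its
        # vhost selection and any redirects it generates are correct.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_read_timeout 90;
        proxy_redirect     https://192.168.11.3 https://sub.domain.com;
    }
}
```

With this layout the ACME validation is done by the frontend, which is the machine the public DNS record points at, so the "Incorrect validation certificate" error does not arise: the frontend no longer has to forward a challenge for a name it does not serve. The certificate on the backend only has to satisfy the frontend's `proxy_ssl_trusted_certificate`, so a private CA of your own is enough there; it does not have to come from Let's Encrypt. Note also that the TLS-SNI-01 challenge shown in the error output has since been retired by Let's Encrypt, so a current client will use http-01 (as above) or dns-01 in any case.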