[SOLVED] Apache Reverse Proxy Setup Virtual Host

Hi folks,

My Let’s Encrypt certificate has worked just fine since I first deployed the box almost a year ago, but suddenly I am getting a privacy error when trying to connect from external networks. This error is consistent across multiple networks and browsers.

On my home network the page deploys fine and boasts a valid certificate, and when I open the Let’s Encrypt app it says the cert is valid, but if I click “Re-obtain” it throws an error saying it failed a challenge.

I took a peek in the log it mentioned at /var/log/letsencrypt/letsencrypt.log but didn’t notice any giveaway clues–a few lines confirming a challenge failed and suggesting I re-check the domain name for accuracy, but the domain referenced is accurate. The IP it lists is also correct.

I checked on the site that hosts my domain (duckdns.org) and everything looks good. I have a second website hosted on a different device, also an Nginx/Let’s Encrypt setup with a duckdns.org domain, and that website is working fine.

Does anyone have experience troubleshooting these certificate errors?

Information
Debian 11 - Bullseye
FreedomBox 22.13

Configuration
Behind a router in the DMZ

Hardware
Olimex A20-OLinuXino-LIME2 board

Is that other nginx server located behind the same router? If so, try shutting it down temporarily and then try Plinth's Let's Encrypt again.

Hi @nbenedek, thanks for the tip–unfortunately, I am still getting the same “Failed to obtain certificate” error. :confused:

The second server is in a Docker container, so I logged into that box and pulled down the container and tried the certificate again. It failed, so I gave the FreedomBox a reboot (:man_shrugging:), but unfortunately that didn’t improve the situation.

What’s odd is the certificate claims to be valid on the internal FBX page, and also the browser recognizes the cert as valid when I access the URL on my local network. :thinking:

I finally figured out why this is happening. When I set up that second server, I created a port forwarding rule in my router for 80 and 443. I had not done this for the Freedombox because it is in the DMZ. Unfortunately this forwarding rule is pulling the certificate traffic to the other device.

Since it is not possible to forward 80 and 443 traffic to both devices, I need to figure out how to get my Freedombox to use a different port for this service. Does anyone have any experience setting up a configuration like that? I’m honestly not even sure where to start.

I was able to get this figured out by setting up a proxy for the web server running on the other box. It took a little reading and some trial and error, but now both web servers are working correctly and are externally accessible.

  • Deleted the port forwarding rules on my router. Now I have FBX in the DMZ, that’s it.
  • Added the domain of my second web service (on the other box) as a domain on the FreedomBox, just to get the Let's Encrypt service to pick it up. Once the certificate was squared away, I deleted the domain out of the FreedomBox list.
  • Configured a proxy service in Apache to redirect traffic for the other domain to the other box.

The last part took some hacking around and reading through documentation and forum posts, but I finally got it working. It gets set up in /etc/apache2/sites-enabled/000-default.conf. Mine wound up looking like this (added below the preexisting configuration already in the file):

# Plain-HTTP (port 80) virtual host for the proxied domain
<VirtualHost *:80>
        ServerName YourDomain.com
        ProxyPreserveHost On
        ProxyPass / http://192.168.0.6/
        ProxyPassReverse / http://192.168.0.6/
</VirtualHost>


# HTTPS (port 443) virtual host; terminates TLS here and proxies in clear text on the LAN
#NameVirtualHost *:443
<VirtualHost *:443>
        ServerName YourDomain.com
        SSLEngine On

        # Set the path to the Let's Encrypt certificate and key
        SSLCertificateKeyFile /etc/letsencrypt/live/YourDomain.com/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/YourDomain.com/fullchain.pem

        # Global SSL headers (requires mod_headers) so the backend knows the client used HTTPS
        <Location "/">
                RequestHeader set X-Forwarded-Proto https
                RequestHeader set X-Forwarded-Ssl on
                RequestHeader set X-Url-Scheme https
        </Location>

        # Requires mod_proxy and mod_proxy_http
        ProxyPreserveHost On
        ProxyPass / http://192.168.0.6:6006/
        ProxyPassReverse / http://192.168.0.6:6006/
</VirtualHost>

The port number used for the SSL proxy does not need to be 6006, that is just a made up port. It does need to be a port that is not in use for something else (80 and 443 did not work), and the custom port needs to be allowed in the firewall (I just added in a custom service in Cockpit and it worked fine).

I edited the title of the thread because it seemed unlikely this rabbit hole I went down will be useful for people searching for a fix for Let’s Encrypt not working.

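One caveat worth keeping in mind with the configuration above: a Let's Encrypt certificate is only valid for 90 days, and because `ProxyPass /` forwards every request, including `/.well-known/acme-challenge/`, to the other box, a renewal attempt on the FreedomBox for that domain would not see the challenge. The following is an added example (not the poster's file) of the same two virtual hosts written so that the challenge path stays on the FreedomBox and plain HTTP is redirected to HTTPS instead of being proxied unencrypted; it assumes the backend at 192.168.0.6:6006, the placeholder YourDomain.com, and that mod_proxy, mod_proxy_http, mod_ssl, mod_headers and mod_rewrite are enabled.

```apache
# Added example, not the poster's configuration. Assumes mod_proxy, mod_proxy_http,
# mod_ssl, mod_headers and mod_rewrite are enabled (a2enmod ...) and that the
# backend listens on 192.168.0.6:6006 as in the post above.

<VirtualHost *:80>
    ServerName YourDomain.com

    # Nothing is proxied on port 80. HTTP-01 challenges under
    # /.well-known/acme-challenge/ are served by this host (the FreedomBox),
    # so its Let's Encrypt client can still renew the certificate; every
    # other request is sent to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName YourDomain.com
    SSLEngine On
    SSLCertificateKeyFile /etc/letsencrypt/live/YourDomain.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/YourDomain.com/fullchain.pem

    # Never act as a forward (open) proxy; only the explicit ProxyPass below applies.
    ProxyRequests Off
    # Pass the original Host header through so the backend builds correct URLs.
    ProxyPreserveHost On

    # Tell the backend the client used HTTPS. "set" replaces any copy of the
    # header a client may have sent, so it cannot be spoofed from outside.
    RequestHeader set X-Forwarded-Proto https

    # Exclusions must come before the catch-all ProxyPass: keep the ACME
    # challenge path local here as well.
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://192.168.0.6:6006/
    ProxyPassReverse / http://192.168.0.6:6006/
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading; mod_proxy also adds X-Forwarded-For and X-Forwarded-Host for you, so the backend can log the real client address.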

Sorry, I did not notice your post before.

Your description seems interesting, so I will further look.

Personally, I have the freedombox and another Debian machine (running a seafile server) that both use ports 80 and 443 and want to use and renew Let's Encrypt certificates. My solution is to run sniproxy: it receives all incoming traffic on ports 80 and 443 and redirects it to the right machine based on the host name.

The reason I chose this solution is because it is very easy to configure (I’ll post that when I am back home) and I don’t have to touch the web server configuration at all. I initially ran it on yet another machine but found that it also works fine on the same machine that has the seafile server.