@Juul
Created May 29, 2019 01:04
How to use Let's Encrypt / certbot with a reverse proxy

apache config

The secret sauce is:

<Location /.well-known>
    ProxyPass !
</Location>

This exempts everything under /.well-known from the reverse proxy, so those requests are served from DocumentRoot instead of being forwarded to the backend app. certbot's webroot plugin writes the HTTP-01 challenge file to <webroot>/.well-known/acme-challenge/<token>, and Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> (following redirects) during initial cert creation and every renewal. Without the exemption that request would be proxied to the app on port 3000, which knows nothing about the token, and validation would fail.

Here's a full example config. The *:443 vhost cannot start until the certificate files it points at exist, so to get the initial cert created, temporarily swap *:80 and *:443 and comment out all the SSL* lines so Apache starts without SSL. Once certbot has written the cert, edit the config back the way it was and reload Apache.

<VirtualHost *:80>
        ServerAdmin     me@my.domain
        ServerName      my.domain
        ServerAlias     www.my.domain
        # HTTP-01 validation follows redirects, so sending all of :80 to HTTPS
        # still lets renewals reach /.well-known on the :443 vhost below.
        Redirect / https://my.domain/
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin     info@my.domain
        ServerName      my.domain
        ServerAlias     www.my.domain
        DocumentRoot    /var/www/my.domain/public
        ErrorLog        /var/www/my.domain/logs/error.log
        CustomLog       /var/www/my.domain/logs/access.log combined
        LogLevel warn

        # Everything goes to the backend app...
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/

        # ...except the ACME challenge path, which is served from DocumentRoot
        # (certbot --webroot writes to DocumentRoot/.well-known/acme-challenge/).
        <Location /.well-known>
                ProxyPass !
        </Location>

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/my.domain/public>
                # No "Indexes": nothing here needs directory listings
                Options FollowSymLinks MultiViews
                AllowOverride FileInfo
                # Apache 2.4 syntax ("Order allow,deny" / "allow from all" is 2.2)
                Require all granted
        </Directory>

        SSLEngine on
        # Also disable TLS 1.0 and 1.1, leaving TLS 1.2+
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # "+HIGH:+MEDIUM" moved the strong suites to the END of the list;
        # list HIGH first and make the server's order win
        SSLCipherSuite HIGH:MEDIUM:!DH:!EXPORT:!RC4:!LOW:!aNULL:!eNULL
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/letsencrypt/live/my.domain/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
        # chain.pem holds only the intermediates; fullchain.pem would repeat the leaf
        SSLCertificateChainFile /etc/letsencrypt/live/my.domain/chain.pem
</VirtualHost>

command to set up auto-renewing ssl cert

certbot certonly --webroot -w /var/www/secrets.peoplesopen.net/public -d secrets.peoplesopen.net --deploy-hook "systemctl reload apache2"

The -w path must be the DocumentRoot of the vhost that answers for the -d hostname, since that is where the challenge files get written and served from (the hostname and path here are a different site from the my.domain placeholder above; substitute your own). Renewal itself is run by the cron job or systemd timer that the certbot package installs; the renewed files only take effect after Apache reloads, which is what the --deploy-hook does (certbot saves it in the renewal config). Test the whole chain without touching the real cert with: certbot renew --dry-run
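Before pointing certbot at the site it is worth proving that /.well-known really bypasses the proxy and that the certbot webroot is the vhost's DocumentRoot, because both mistakes fail only at validation time. The script below is an added example written for this page, not code from the gist: it checks the vhost config for the ProxyPass ! exemption, compares DocumentRoot with the intended -w path, and stages a throwaway token under .well-known/acme-challenge/ and fetches it over plain HTTP the way Let's Encrypt does (following redirects). The config path, hostname and webroot in the usage line are assumptions, as is the existence of curl on the host.

```shell
#!/bin/sh
# Pre-flight checks for the "ProxyPass !" exemption before running certbot.
# Added example, not part of the gist. Config path, hostname and webroot are
# placeholders (assumptions); pass your own on the command line.

# Print the first DocumentRoot value found in Apache config file $1.
documentroot_of() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if config $1 has a <Location /.well-known> block containing "ProxyPass !".
has_wellknown_exemption() {
    awk '
        tolower($0) ~ /<location[[:space:]]+\/\.well-known/ { inblk = 1 }
        inblk && $1 == "ProxyPass" && $2 == "!"               { found = 1 }
        /<\/Location>/                                        { inblk = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeed if the certbot webroot $2 is the DocumentRoot of config $1, so the
# files certbot drops into $2/.well-known/acme-challenge/ are the ones Apache serves.
webroot_matches() {
    [ "$(documentroot_of "$1")" = "${2%/}" ]
}

# Write a random probe token into $1/.well-known/acme-challenge/ and print its name.
# The body is the token itself; a real ACME challenge body is token.thumbprint.
stage_challenge() {
    tok=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$1/.well-known/acme-challenge" || return 1
    printf '%s' "$tok" > "$1/.well-known/acme-challenge/$tok" || return 1
    printf '%s\n' "$tok"
}

# Stage a token for domain $1 in webroot $2 and fetch it over plain HTTP,
# following redirects as HTTP-01 validation does. If the body equals the token,
# the request reached the filesystem and not the proxied backend.
probe_challenge() {
    tok=$(stage_challenge "$2") || return 1
    body=$(curl -fsSL "http://$1/.well-known/acme-challenge/$tok")
    rc=$?
    rm -f "$2/.well-known/acme-challenge/$tok"
    [ "$rc" -eq 0 ] && [ "$body" = "$tok" ]
}

# Usage: sh acme-preflight.sh /etc/apache2/sites-enabled/my.domain.conf my.domain /var/www/my.domain/public
if [ "$#" -eq 3 ]; then
    has_wellknown_exemption "$1" || { echo "no 'ProxyPass !' exemption for /.well-known in $1" >&2; exit 1; }
    webroot_matches "$1" "$3"    || { echo "webroot $3 is not the DocumentRoot of $1" >&2; exit 1; }
    probe_challenge "$2" "$3"    || { echo "challenge file was not served from $3" >&2; exit 1; }
    echo "ok: /.well-known is served from disk, safe to run certbot"
fi
```

The probe deliberately starts at http:// on port 80 and follows redirects, matching what the CA's validator does; if it lands on the backend app instead of the staged file, the app's response (usually a 404 or its index page) is returned and the comparison fails, which is exactly the failure certbot would report later.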