I had some trouble with my Apache proxy pass configuration when renewing my SSL certificates. I am describing my way out.

My Setup

I am running a few services on my server and forward their ports via proxy pass to a subdomain. Additionally, I disallow connections via HTTP. An example sites-available configuration for a service would be:

<VirtualHost *:443>
    ServerName sub.example.com

    # Reverse proxy to the local service; the client's Host header is
    # passed through, so the backend sees sub.example.com.
    ProxyPreserveHost On
    # Never act as a forward (open) proxy.
    ProxyRequests Off
    ProxyPass / http://localhost:1337/
    ProxyPassReverse / http://localhost:1337/

    # auto generated by letsencrypt
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/sub.example.com-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com-0001/privkey.pem
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; newer setups
    # point SSLCertificateFile at fullchain.pem instead.
    SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com-0001/chain.pem
</VirtualHost>

# this section prevents connections via http
<VirtualHost *:80>
    ServerName sub.example.com
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !=443
    # In VirtualHost context the pattern sees the leading slash, so capture
    # after it; "^(.*)$" would redirect to https://sub.example.com//path.
    RewriteRule ^/(.*)$ https://sub.example.com/$1 [R=301,L]
</VirtualHost>

The Problem

Well, now I wanted to renew my certificates, but got an authorization error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub.example.com
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'foo.example.com, example.com, www.example.com'

I googled a bit and came across the solution that the service must be reachable over the subdomain through ports 443 and 80, but I had disabled that in the lower section of my sites config file.

So I deleted that lower section and the renewal worked fine with: ./letsencrypt-auto --apache -d sub.example.com
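Deleting the port-80 section makes renewal work, but it also reopens the service to plain HTTP. Let's Encrypt has since retired the TLS-SNI challenge, so current renewals validate over port 80 with the HTTP-01 challenge (or via DNS-01). The following port-80 vhost is an added example, not from the original post: it keeps the HTTPS redirect for everything except the ACME challenge path, which is served from a local directory. It assumes Apache 2.4, that mod_alias and mod_rewrite are loaded, and that certbot is run with the webroot authenticator pointed at /var/www/letsencrypt (the path and the authenticator choice are assumptions); the *:443 vhost from the page stays unchanged.

```apache
# Added example (not from the original post): HTTP->HTTPS redirect that
# still lets ACME HTTP-01 challenge requests through on port 80.
# Assumed webroot: /var/www/letsencrypt, used as
#   certbot certonly --webroot -w /var/www/letsencrypt -d sub.example.com
<VirtualHost *:80>
    ServerName sub.example.com

    # Serve challenge tokens straight from disk instead of proxying them.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else goes to HTTPS. The challenge path is exempted so the
    # ACME server never gets a 301 into the proxied backend. REQUEST_URI
    # already carries the leading slash, so the Location has no doubled "//".
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://sub.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After reloading Apache, request a made-up token URL over plain HTTP (for example with curl -I http://sub.example.com/.well-known/acme-challenge/test): the answer should be a 404 from the local directory, not a 301 redirect, while any other path on port 80 should still return the 301 to https://sub.example.com/.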