I had some trouble with my apache proxy pass configuration when renew my ssl certificates. I’am describing my way out.

My Setup

I’am running a few services on my server and forward their ports via proxy pass to a subdomain. Additionally disallow connections via http. A example sites-available configuration of a service swould be:

<VirtualHost *:443>
    ServerName sub.example.com

    ProxyPreserveHost On
    ProxyRequests off
    ProxyPass / http://localhost:1337/
    ProxyPassReverse / http://localhost:1337/

    # auto generated by letsencrypt
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/sub.example.com-0001/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.com-0001/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sub.example.com-0001/chain.pem

# this section prevents connections via http
<VirtualHost *:80>
    Servername sub.example.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !=443
    RewriteRule ^(.*)$ https://sub.example.com/$1 [R=301,L]

The Problem

Well, now i wanted to renew my certificates, but got some authorization error:

 - The following errors were reported by the server:

   Domain: sub.example.com
   Type:   unauthorized
   Detail: Correct zName not found for TLS SNI challenge. Found
   'foo.example.com, example.com, www.example.com'

Googled a bit and came across the solution that the service must be reachable over the subdomain through port 443 and 80, but i disabled that in the lower section of my sites config file.

So i deleted that lower section and the renewal workd fine with: ./letsencrypt-auto --apache -d sub.example.com.