On 06.12.2017 at 03:07, Alan wrote:
> I can't just forward this, as the system on which we are trying Pound
> requests a Let's Encrypt certificate at an early stage during creation of a
> virtual server on port 80, and naturally doesn't find anything there,
> because Apache listens on port 8080. And in our case it is possible to
> create entries in the Pound configuration file and restart it only
> after the Let's Encrypt certificate is requested. And, unfortunately,
> Let's Encrypt always looks for the verification file on port 80, for
> example:
> 
> http://sub.mydomain.com/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
> 
> It is not possible for us to make Let's Encrypt look for the verification file at
> 
> http://sub.mydomain.com:8080/.well-known/acme-challenge/h5_NnrfdAhQoHdNUsA36cFsnM7E469FM-EZwltWFzqw
> 
> So it would be wonderful if Pound allowed just passing requests to
> .well-known directly to Apache. At least that's how it's done on nginx,
> according to the accepted answers on
> https://serverfault.com/questions/768509/lets-encrypt-with-an-nginx-reverse-proxy
> or
> https://serverfault.com/questions/886583/how-to-configure-pound-proxy-to-pass-requests-to-well-known-directory.
If you already have Apache, which can serve static files, and don't want to use the standalone HTTP server bundled with certbot/letsencrypt, just add forwarding rules for /.well-known/acme-challenge/ to your Apache port.

For example (if you have Apache on port 8080):

# Goes inside the ListenHTTP (port 80) block, before the general catch-all
# Service: Pound uses the first Service whose conditions match.
Service
  # URL is a regular expression matched against the request path
  URL "/.well-known/acme-challenge/"
  IgnoreCase 1
  BackEnd
    # Apache serves the challenge file from its document root
    Address 127.0.0.1
    Port 8080
  End
End

After receiving the certificate you of course need to replace it in the Pound configuration. I have it in a script which, after a successful receive, merges the key, the intermediate certificate and the certificate into one file and replaces the certificate in Pound with that file.


Andrzej
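As an added example (my own illustration, not Andrzej's script and not anything shipped with Pound), here is a POSIX shell script for the merge-and-replace step described above: it concatenates the Let's Encrypt private key, the leaf certificate and the intermediate chain into the single PEM file that Pound's Cert directive reads, checks that the layout is what Pound needs, writes the file with mode 0600 and swaps it into place atomically so Pound never starts on a half-written file. The file names (privkey.pem, cert.pem, chain.pem), the target path and the `service pound restart` command are assumptions; the sample PEM content is constructed placeholder text, not real key material.

```shell
#!/bin/sh
# Added example, not the poster's own script: build the combined PEM that
# Pound's "Cert" directive expects and install it atomically.
# Layout: private key first, then the leaf certificate, then the intermediate
# chain (OpenSSL reads the first certificate as the leaf and the rest as chain).
set -eu

# Print the PEM block types in a file, one per line, e.g. "RSA PRIVATE KEY".
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 if the file has the layout Pound needs: exactly one private key as
# the first block, followed by at least two certificates (leaf + intermediate).
check_pem_layout() {
    types="$(pem_block_types "$1")"
    first="$(printf '%s\n' "$types" | sed -n '1p')"
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "first block is not a private key: '$first'" >&2; return 1 ;;
    esac
    keys="$(printf '%s\n' "$types" | grep -c 'PRIVATE KEY' || true)"
    certs="$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$' || true)"
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] || { echo "expected leaf + chain, found $certs certificate(s)" >&2; return 1; }
    return 0
}

# build_pound_pem KEY CERT CHAIN OUT: concatenate into OUT via a temp file in
# the same directory, mode 0600 (it holds the key), then rename into place.
build_pound_pem() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    tmp="$(mktemp "$out.XXXXXX")"
    chmod 0600 "$tmp"
    cat "$key" "$cert" "$chain" > "$tmp"
    if ! check_pem_layout "$tmp"; then
        rm -f "$tmp"          # leave the old certificate untouched on failure
        return 1
    fi
    mv -f "$tmp" "$out"       # rename is atomic on the same filesystem
}

# install_pound_cert LIVE_DIR POUND_PEM: assemble from certbot-style file names
# and restart Pound, which does not reload certificates on its own.
# "service pound restart" is an assumed init command; adjust for your system.
install_pound_cert() {
    live="$1"; target="$2"
    build_pound_pem "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" "$target"
    service pound restart
}

# --- constructed demo input (placeholder text, not real key material) ---
demo_dir="$(mktemp -d)"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDERKEYDATA' '-----END PRIVATE KEY-----' > "$demo_dir/privkey.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERLEAFCERT' '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERINTERMEDIATE' '-----END CERTIFICATE-----' > "$demo_dir/chain.pem"

build_pound_pem "$demo_dir/privkey.pem" "$demo_dir/cert.pem" "$demo_dir/chain.pem" "$demo_dir/pound.pem"
echo "assembled $demo_dir/pound.pem with blocks:"
pem_block_types "$demo_dir/pound.pem"
```

On a real host you would run something like `install_pound_cert /etc/letsencrypt/live/sub.mydomain.com /etc/pound/sub.mydomain.com.pem` from the hook that fires after a successful renewal, with the Pound config pointing its Cert directive at that target path. The layout check is what keeps a renewal that produced an empty chain file from replacing a working certificate with a broken one.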

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.