How to use Let’s Encrypt behind proxy

Having problems using Let’s Encrypt behind proxy? In this article we will walk you through how to solve the problem.

Let’s Encrypt is a non-profit certificate authority whose automated tools do everything on behalf of the user.

With that said, if your website is running behind a proxy server in Docker Swarm, you will most likely encounter a problem when trying to use Let’s Encrypt.

There are many ways to solve the problem. Probably the most popular one is using a Docker container.

In this article we will introduce manual DNS mode, which is a more hands-on, lower-level way of solving the problem.

Create a virtual machine

First you need to create a Docker virtual machine.

Make sure the certificate folder is mounted on the host device, for example in the /crt folder, and also inside the Docker container.

volumes:
- /HostCrtFolder:/crt

This is to make sure the directory won’t disappear when the Docker container is restarted.

Generate the certificate with acme

Once the architecture is all set, generate the certificate with acme.sh inside the Docker container.

To enter the Docker container, run docker exec -it <CONTAINER ID> /bin/bash

To enter the /crt folder, run cd /crt

To download the script, run git clone https://github.com/acmesh-official/acme.sh

Run the acme.sh script (the clone creates the /crt/acme.sh directory) from the /crt folder:

./acme.sh/acme.sh --issue -d yoururl.com -d *.yoururl.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Add the _acme-challenge TXT record to the name servers

Next you need to add the _acme-challenge TXT record that acme.sh printed to your name servers.

For example, for the BIND9 name server, add the following line to the zone file of the website:

_acme-challenge IN TXT "txt_verification_string"

Remember to update the serial number. Copy the _acme-challenge record to the other name servers.

After updating the name server entries, wait 2–3 minutes to let the new entries take effect. If acme.sh is rerun while the old DNS entries are still being served, you will have to generate a new key and start again.
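As an added example (not part of the original post, and not acme.sh's own tooling), the POSIX shell helpers below stage the _acme-challenge TXT records into a BIND9 zone file, bump the SOA serial so the other name servers pick the change up, and poll a name server until the record is actually visible before acme.sh is rerun. It assumes the serial sits on a zone-file line marked "; serial", that the records belong at the zone apex, and that dig is installed for the live check; the zone file, tokens and addresses are constructed sample data. Because the command above issues yoururl.com and *.yoururl.com together, acme.sh prints two tokens for the same _acme-challenge name, and both records have to be present at once, which is why add_challenge is called once per token.

```shell
#!/bin/sh
# Added helper (not from the original post): stages the _acme-challenge TXT
# records from acme.sh manual DNS mode into a BIND9 zone file, bumps the SOA
# serial, and polls a name server until the records are served.
# Assumptions: the SOA serial is on a line marked "; serial", records are
# appended at the zone apex, and `dig` is installed for the live check.

# make_sample_zone FILE: writes a constructed example zone so the script can be
# tried offline; the addresses are documentation-range placeholders.
make_sample_zone() {
  cat > "$1" <<'EOF'
$TTL 3600
@       IN SOA ns1.yoururl.com. hostmaster.yoururl.com. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; minimum
        IN NS  ns1.yoururl.com.
        IN A   192.0.2.10
www     IN A   192.0.2.10
EOF
}

# get_serial FILE: prints the current SOA serial.
get_serial() {
  awk '/; serial/ { print $1; exit }' "$1"
}

# bump_serial FILE: increments the serial in place. Secondary name servers only
# transfer the zone when the serial grows, so this step must not be skipped.
bump_serial() {
  awk '/; serial/ && !seen { sub(/[0-9]+/, $1 + 1); seen = 1 } { print }' "$1" \
    > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_challenge FILE TOKEN: appends one TXT record for a token acme.sh printed.
# Base domain plus wildcard means two tokens for the same name: keep both.
add_challenge() {
  printf '_acme-challenge IN TXT "%s"\n' "$2" >> "$1"
}

# count_challenges FILE: number of staged _acme-challenge records.
count_challenges() {
  grep -c '^_acme-challenge[[:space:]]' "$1" || true
}

# lookup_txt NAME SERVER: raw TXT answer from one name server (needs dig).
lookup_txt() {
  dig +short TXT "$1" @"$2"
}

# wait_for_txt NAME TOKEN SERVER [TRIES] [DELAY]: polls until the token is
# served, so acme.sh is only rerun once the new records have really landed.
wait_for_txt() {
  name=$1; token=$2; server=$3; tries=${4:-12}; delay=${5:-15}
  i=0
  while [ "$i" -lt "$tries" ]; do
    if lookup_txt "$name" "$server" | grep -qF "\"$token\""; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Offline demonstration on the constructed zone file.
zone=$(mktemp)
make_sample_zone "$zone"
add_challenge "$zone" "constructed-token-for-base-domain"
add_challenge "$zone" "constructed-token-for-wildcard"
bump_serial "$zone"
echo "serial now $(get_serial "$zone"), $(count_challenges "$zone") challenge records staged"
rm -f "$zone"
```

In practice you would run add_challenge once per token printed by acme.sh, bump_serial once, reload BIND, copy the zone to the other name servers, and then call wait_for_txt against each of them (for example wait_for_txt _acme-challenge.yoururl.com "$token" ns1.yoururl.com) before rerunning acme.sh, instead of guessing at the 2–3 minute wait.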

Open HTTP port

On the traffic server, open the HTTP port for the address _acme-challenge.yoururl.com so that acme.sh can verify the challenge. Note that HTTPS will not work.

If the certificate is regenerated during a maintenance window, the easiest way to open the HTTP ports is to disable all HTTP-to-HTTPS redirect entries. For example, comment out lines like these:

http://yoururl.com
https://yoururl.com

Once the acme.sh certificate has been approved, you have to renew it once more to make the new certificate valid.

Run ./acme.sh/acme.sh --renew -d yoururl.com -d *.yoururl.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

Put the files on the routing server

After this, the certificate file (.cer) and the key file (.key) have been generated on the host server.

It’s important that these files are put on the server that routes the site, for example the traffic server. They can’t be used directly on the host server.

At PHZ Full Stack we use a standard ssh_multiconf file. Copy the .cer and .key files to the folder where the traffic server looks for certificates and add the certificate entries to the multiconf file.

Optional: Restore settings

If you want, you can change the name server settings back to accepting only HTTPS connections. You can also leave the HTTP connection open for the acme-challenge.

When the certificate is regenerated, remember to update the TXT record in the name server.

As always, please check out our open positions at: phz.fi/ura