Amended apache.conf file and letsencrypt


#1

I have a domain running quite happily using a letsencrypt certificate. I have just amended the .conf file to make it a reverse proxy. The lines I have added are as follows:

            ProxyPass /api/socket ws://localhost:8082/api/socket
            ProxyPassReverse /api/socket ws://localhost:8082/api/socket

            ProxyPass / http://localhost:8082/
            ProxyPassReverse / http://localhost:8082/

This works a treat, and is exactly what I hoped for.

What I am worried about is the bit that says

    Feel free to make changes to this file, and thereafter it will not be
    automatically updated if the template, or SSL configuration changes.

Am I right in thinking that letsencrypt will no longer update itself?
If so, what is the fix? I don’t want it to stop working when the certificate expires.


#2

Hi Iain

Speculation only (sorry!)… As the set is hardcoded:

SSLCertificateFile      /srv/my-brilliant-site.com/config/ssl/sets/7/ssl.combined
SSLCertificateChainFile /srv/my-brilliant-site.com/config/ssl/sets/7/ssl.bundle

… it looks like it will break when letsencrypt rolls over. I’m wondering if you can stay current via the symlink …

SSLCertificateFile      /srv/my-brilliant-site.com/config/ssl/current/ssl.combined
SSLCertificateChainFile /srv/my-brilliant-site.com/config/ssl/current/ssl.bundle

I suspect apache2 will need to reload when the ssl target moves but maybe that’s going to happen anyway when the cert changes (regardless of whether the site’s apache2 .conf is updated).

Going wilder via the apache2 manual…

So, adding an IncludeOptional directive to the ssl.template.erb template might allow symbiosis to keep the main my-brilliant-site.conf up to date while the bespokery is external.


#3

Thanks for those suggestions.

Well, I’ve tried the current address instead but it didn’t work (at first I thought it had). I am not confident that the certificate updates will work with a reverse proxy in between.

I’ll have to give a bit of thought to the IncludeOptional directive idea. But first I must go shopping for groceries!


#4

After far too much going round and round in circles, I seem to have it all working. Well, so far I have!

I managed to get it to only proxy a subdirectory, so letsencrypt can do its stuff at renewal time.

I have managed to get it to work with …/current/… in the certificate paths (wonder why it wouldn’t work before?)

So it may not matter too much that the autoupdate of the config file won’t happen.

I managed to get the .erb file to insert the IncludeOptional directive OK, but I seem to have failed to make that actually feed anything useful into the Apache configuration. However, that may not matter now it is working with a “fixed” ssl path.

Which leaves me wondering why …/current… isn’t the default certificate path in any case?


#5

@iainharrison
Sorry to open an old post… are you using this for traccar?
I’ve just set up traccar and am now trying to do this too. I’ve added the lines you mention but it seems unable to use https.
The conf file also has a couple of lines in it that suggest it will ignore the proxy for the certificate renewal…

    #
    # Disable any restrictions or rewrites to /.well-known/acme-challenge
    # This ensures Let’s Encrypt can validate domain ownership.
    #
    <Directory /srv/domain.co.uk/public/htdocs/.well-known/acme-challenge/ >
        Require all granted
        RewriteEngine off
    </Directory>


#6

I was not happy with the default setup because any changes to the sitename.co.uk.conf stopped symbiosis updating the file, so I decided to add a default snippet:

IncludeOptional /srv/sitename.co.uk/config/apache-*.conf
# the config/apache-whatever.conf file is where extra snippets go
#
and in that directory, there is a file called apache-traccar.conf which contains

#added traccar bits

            ProxyRequests off

            ProxyPass /track/api/socket ws://localhost:8082/api/socket
            ProxyPassReverse /track/api/socket ws://localhost:8082/api/socket

            ProxyPass /track/ http://localhost:8082/
            ProxyPassReverse /track/ http://localhost:8082/

            ProxyPassReverseCookiePath / /track/
            Redirect permanent /track /track/

#end added traccar bits

It works for me!


#7

Meant to say that I added the snippet to the template, not to the conf file, so it is automatically included in all the .conf files generated.
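The thread’s two concerns (post #1’s whole-site proxy swallowing the ACME challenge path, and post #6’s snippet file pulled in by IncludeOptional) can be combined in one snippet. This is an added example, not config from the thread or from Symbiosis; the domain, the 8082 backend and the apache-traccar.conf filename are assumptions. It goes slightly beyond the thread by proxying the whole site while still excluding /.well-known/acme-challenge, so the HTTP-01 renewal keeps hitting the local htdocs.

```apache
# Assumed location: /srv/example.com/config/apache-traccar.conf, picked up by
#   IncludeOptional /srv/example.com/config/apache-*.conf
# in the generated site config. Requires mod_proxy, mod_proxy_http and
# mod_proxy_wstunnel (a2enmod proxy proxy_http proxy_wstunnel).

ProxyRequests Off
ProxyPreserveHost On

# ProxyPass rules are matched in configuration order and the first match
# wins, so the exclusion must come BEFORE the catch-all below. Without it
# the renewal request for /.well-known/acme-challenge/<token> would be sent
# to the backend on 8082 instead of the local htdocs directory, and the
# certificate would stop renewing once the site is proxied.
ProxyPass /.well-known/acme-challenge !

# More specific path first: the WebSocket endpoint the app uses.
ProxyPass        /api/socket ws://localhost:8082/api/socket
ProxyPassReverse /api/socket ws://localhost:8082/api/socket

# Catch-all for everything else on the site.
ProxyPass        / http://localhost:8082/
ProxyPassReverse / http://localhost:8082/
```

If you prefer post #6’s /track/ subpath instead of the whole site, keep the same exclusion line above the /track/ rules; the ordering rule is the same.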