Configure Reverse Proxy Apache (Debian 8) with Let's Encrypt Automatically Issue

Since often, there are many sites in the organization, and there are few IP addresses, you need to have a solution with Reverse Proxy. For my purposes, Microsoft TMG has always acted before, but it has its drawbacks, as well as its advantages. One of the main disadvantages is that you need to upload certificates of the published resource to TMG, which is rather inconvenient with Let's Encrypt, because certificates are updated every 90 days.

The solution was found: to raise Reverse Proxy on Apache and to make Let's Encrypt automatically issue certificates. And then calmly publish it on the Firewall, while the ports will be redirected from http to https.

We take as a basis that we have pure Debian GNU / Linux 8 (jessie). More details under the cut.

Well, let's go.

aptitude install -y build-essential
aptitude install -y libapache2-mod-proxy-html libxml2-dev
aptitude install -y apache2

Then activate the following modules:

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_html
a2enmod proxy_ftp
a2enmod proxy_connect
a2enmod ssl

and restart Apache:

service apache2 restart

Here the first failure awaits us, Apach is missing the mod_xml2enc module for proper operation, BUT! this module does not work in Jessie, we need to make the following commands sequentially:

aptitude install apache2-prefork-dev libxml2 libxml2-dev apache2-dev
mkdir ~/modbuild/ && cd ~/modbuild/
apxs2 -aic -I/usr/include/libxml2 ./mod_xml2enc.c
cd ~
rm -rfd ~/modbuild/
service apache2 restart

After which, everything is fine with us, the module is worth it. We go further)

Since we want to publish an HTTPS site, until we install Let's Encrypt, we need to make a self-signed certificate for our site, enter the command:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

We need to create a configuration file and name it with a friendly name:

touch /etc/apache2/sites-available/sambi4.conf

And give the file something like this:

Redirect permanent / #отвечает за перенаправление на https

SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
SSLCertificateFile /etc/apache2/ssl/server.crt #указываем путь к нашему самоподписанному сертификату
SSLCertificateKeyFile /etc/apache2/ssl/server.key #указываем путь к нашему самоподписанному ключу сертификата
ProxyHTMLInterp On
ProxyHTMLExtended On

Order deny,allow
Allow from all

ProxyPass / #IP адрес публикуемого ресурса.
ProxyPassReverse / #IP адрес публикуемого ресурса.
ServerAdmin #считается хорошим тоном указывать email админа
DocumentRoot "/var/www/html" #эта строка нужна для того чтобы апач запустился, без нее он не сможет опубликовать ваш ресурс.

After the completion of the creation, do not forget to include our site:

a2ensite /etc/apache2/sites-available/sambi4.conf

restart Apache:

service apache2 restart

After all the procedures, we have configured Reverse Proxy on Apache2, now we can start setting up Let's Encrypt:

Of all the free certificates, only Let's Encrypt is still alive, but its peculiarity is that the certificate is issued for a period of 3 months.

We need to put a certificate, and make an automatic issue at the end of the certification period.

echo 'deb jessie-backports main' | tee /etc/apt/sources.list.d/backports.list


aptitude update

Well, now let's set Let's Encrypt:

aptitude install -y python-certbot-apache -t jessie-backports

We are waiting for the installation process, and try to issue a certificate:

certbot --apache

And here failure awaits us:
ERROR: letsencrypt_apache.configurator: No vhost exists with servername or alias of: No vhost was selected. Please specify servernames in the Apache config

This is due to the fact that the repositories are still an old version (at the time of writing 0.10.2), in which errors are observed. Namely errors in python scripts. The solution is as usual simple:
Download the latest version of certbot:

git clone

After which, we go along the path:

 cd /usr/lib/python2.7/dist-packages

We delete the folders (and better do a backup):

And copy the files from the new release:

cp /root/certbot/certbot /usr/lib/python2.7/dist-packages/
cp /root/certbot/acme/acme/ /usr/lib/python2.7/dist-packages/
cp /root/certbot/certbot-apache/certbot_apache/ /usr/lib/python2.7/dist-packages/

Now you can calmly start the process of issuing a certificate:

certbot --apache

We answer questions and all!

Congratulations, we issued a certificate, now we need to add a certificate auto-renewal script, because Let's Encrypt issues certificates for a period of only 90 days (we remember this).

Everything is simple. We need to add the line in cron:

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

Those. we type:

crontab -e

And add our line (be sure to go to the next term, otherwise it will not be saved)

And all, repeat an infinite number of times with your other resources.

Good luck, admins!

Also popular now: