ACME behind NAT

michabbs

Active Member
May 5, 2020
134
19
38
My PVE node is inside LAN. I want to use ACME:
1. If I redirect port 80 on firewall - it works!
2. How to configure apache on dedicated host to proxy acme requests to PVE inside LAN?
 
Last edited:
I tried this:

Code:
<VirtualHost *:80>
    ServerName pve.host.my.domain
    ProxyPass        /    http://pve.host.my.domain/
    ProxyPassReverse /    http://pve.host.my.domain/
    <Location "/.well-known/acme-challenge/">
        Allow from All
    </Location>
</VirtualHost>

It does not work. :-(
Certificate request ends with timeout.

HOWEVER EXACTLY IDENTICAL CONFIG WORKS WITH PBS!
BPS inside LAN gets certificate without problems! Why the above does not work with PVE? What's the difference?
 
Is your DNS provider listed in the available plugins for the DNS challenge? Validating the domain via a DNS challenge would be a bit easier in this situation :)
 
Is your DNS provider listed in the available plugins for the DNS challenge? Validating the domain via a DNS challenge would be a bit easier in this situation :)
Yes, and it is what I do now, but... this leaves door open for attack. The dns access key allows to ANY change in dns configuration. So compromised PVE node could lead to total disaster of everything in the domain. On the other hand acme http authorization leaves dns safe! :-)
 
Yes, and it is what I do now, but... this leaves door open for attack. The dns access key allows to ANY change in dns configuration. So compromised PVE node could lead to total disaster of everything in the domain. On the other hand acme http authorization leaves dns safe! :)
you can also use the cname alias support and handle ACME dns requests in a separate DNS server/zone that can cause no harm (other than ACME validation, but the same is true of the PVE host itself if it is reachable over a public domain ;) )
 
you can also use the cname alias support and handle ACME dns requests in a separate DNS server/zone that can cause no harm (other than ACME validation, but the same is true of the PVE host itself if it is reachable over a public domain ;) )
Yes, but the point is to use http. :)
I am really curious why it works perfect with PBS, and not at all with PVE?
 
that I don't know - you could check with tcpdump whether any requests show up at relevant places (also, the full output of your attempt might shed some light).
 
Success!

Use this on your router/DMZ web server/redirector/proxy:

Code:
<VirtualHost *:80>
    ServerName pve.node.dns.name
    ErrorLog ${APACHE_LOG_DIR}/certbot_proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/certbot_proxy-access.log vhost_combined

    SetEnv proxy-nokeepalive 1
    ProxyPass        /.well-known/acme-challenge/    http://pve.node.private.ip/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/    http://pve.node.private.ip/.well-known/acme-challenge/

    <Location "/">
        AllowOverride None
        Order Deny,Allow
        Deny from All
    </Location>
    <Location "/.well-known/acme-challenge/">
        Allow from All
    </Location>
</VirtualHost>

You might also need a2enmod proxy_http. :-)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!