
I use the Pound proxy in front of Apache, so Pound listens on port 80 and Apache on port 8888, and I am now trying to figure out how to configure Pound to pass requests to /home/username/public_html/.well-known for seamless Let's Encrypt generation and renewal, as can be done with nginx as discussed in "Exclude Let's Encrypt http requests from nginx https redirect", "Lets Encrypt with an nginx reverse proxy" or https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/15.

Unfortunately, the documentation on http://www.apsis.ch/pound does not mention any proxy pass directives. Could anyone recommend how to configure Pound to pass requests to certain directories?

My configuration for now is something like:

ListenHTTP
  Address 1.2.3.4
  Port 80

  Service
      HeadRequire "Host:.*some1.myserver.net.*"
      Redirect "https://some1.myserver.net"
  End

  Service
      HeadRequire "Host:.*some2.myserver.net.*"
      Redirect "https://some2.myserver.net"
  End
End

ListenHTTPS
  Address 1.2.3.4
  Port    443

  # first domain
  Cert "/etc/pki/tls/letsencrypt_pound/pound_some1.pem"
  # second domain
  Cert "/etc/pki/tls/letsencrypt_pound/pound_some2.pem"

  Disable SSLv3
End
Nick

1 Answer


Instead of serving the directory, you can pass the HTTP requests to the web server integrated into letsencrypt. Just add a service (before the regular service rules) like:

Service
  URL "/.well-known/acme-challenge/"
  IgnoreCase 1
  BackEnd
    Address 127.0.0.1
    Port 8180
  End
End

And then invoke letsencrypt like:

letsencrypt-auto certonly --standalone --http-01-port 8180 --standalone-supported-challenges http-01 -d domain1.com -d domain2.com -d www.domain1.com

etc. (configuration from my old snippet for letsencrypt; for certbot there should be something similar). After that, to renew (if you don't change the list of supported domains) just use letsencrypt-auto renew.

undefine