MIAB certificate validation error behind apache2 reverse proxy Detail: 118.17.217.5: Invalid response from http://http://exemple.ex/.well-known/acme-challenge/exemple: 404

Hello. The data you see has been anonymized and is not real.

Let me explain my problem.
My MIAB server is behind an Apache2 reverse proxy. The problem is that I cannot generate a valid certificate for the SMTP/POP/IMAP server. Here are the errors; obviously I have not included everything, because the same error is repeated for each subdomain.

Below are the errors:

Domain: autodiscover.exemple.ex
   Type:   unauthorized
   Detail: 118.17.217.5: Invalid response from
   http://autodiscover.exemple.ex/.well-known/acme-challenge/FfGi1zUpa5Yjk1apHjfAaNhkglGEVa0TfPAn8fvVUIg:
   404

   Domain: exemple.ex
   Type:   unauthorized
   Detail: 118.17.217.5: Invalid response from
   http://exemple.ex/.well-known/acme-challenge/6uzG5dgfES1tXlZ-cNyN3NpFjUlo-CozyiJeh9BcbvA:
   404

   Domain: mta-sts.exemple.ex
   Type:   unauthorized
   Detail: 118.17.217.5: Invalid response from
   http://http://exemple.ex/.well-known/acme-challenge/TKfMdHWZiG_cVMZPcsHCqGa25tFPm5ZybeUui20Oo40:
   404

I don't see how to configure my reverse proxy to let port 80 pass through it.

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName autodiscover.exemple.ex
    # Everything on port 80 for this one hostname is forwarded to the MiaB box
    ProxyPass / http://192.168.1.19:80/
    ProxyPassReverse / http://192.168.1.19:80/
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.exemple.ex

    ErrorLog  ${APACHE_LOG_DIR}/Proxy_<Extern.Sitename.de>_error.log
    CustomLog ${APACHE_LOG_DIR}/Proxy_<Extern.Sitename.de>_access.log combined
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Access-Control-Allow-Origin "https://autodiscover.exemple.ex"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://autodiscover.exemple.ex"
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    # mod_proxy adds X-Forwarded-For to the proxied request by itself. The nginx-style
    # "Header always set X-Forwarded-For $proxy_add_x_forwarded_for;" is not Apache syntax
    # ("Header" only sets a response header anyway), so it is not used here.

    UseCanonicalPhysicalPort Off
    UseCanonicalName         Off
    DocumentRoot             /var/www/html/

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/autodiscover.exemple.ex/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/autodiscover.exemple.ex/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On

    # SSL connect to the backend. The upstream (MiaB) certificate is not verified at all,
    # so this relies entirely on the LAN path to 192.168.1.19 being trustworthy.
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    #Header always set Strict-Transport-Security "max-age=15768000"

    # Encoded slashes need to be allowed
    AllowEncodedSlashes     NoDecode

    # Pass WebSocket upgrades straight through to the backend
    RewriteEngine on
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) wss://192.168.1.19:443/$1  [P,L]

    SSLProxyEngine   on

    # Block proxying for Let's Encrypt verification (the path was misspelled ".wellknown").
    # If enabled, Apache serves this path from its own DocumentRoot instead of forwarding it
    # to MiaB; note that the HTTP-01 challenge arrives on port 80, not on this vhost.
    #ProxyPass        /.well-known !

    ProxyPass        / https://192.168.1.19:443/ flushpackets=On connectiontimeout=300 timeout=300
    ProxyPassReverse / https://192.168.1.19:443/
    ProxyTimeout     600

</VirtualHost>

Do you have an idea of how the incident was handled?
Thank you in advance.
Sincerely
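As an added example (not part of the original post and not Mail-in-a-Box's own configuration), here is a port-80 front end that passes the ACME HTTP-01 path through to the box for every hostname the certificate covers. It assumes the box is at 192.168.1.19 (from the post), that exemple.ex, autodiscover.exemple.ex and mta-sts.exemple.ex are among the names MiaB validates (they appear in the errors), that box.exemple.ex is a placeholder for the box's own hostname, and that public DNS for all of them points at the proxy. The point it illustrates: a hostname with no matching port-80 vhost falls into Apache's default site, which then answers the challenge request itself, from the proxy's public IP, with a 404.

```apache
# Added example, not from the original post or the MiaB project.
# Assumptions: MiaB box at 192.168.1.19; the hostnames below are the ones MiaB
# requests certificates for (box.exemple.ex is a placeholder for the box's own name).
# Requires: a2enmod proxy proxy_http

<VirtualHost *:80>
    ServerName  exemple.ex
    # Every hostname that MiaB asks Let's Encrypt to validate must be listed here.
    # A name matching no port-80 vhost lands in Apache's default site, which
    # answers /.well-known/acme-challenge/<token> itself with a 404.
    ServerAlias autodiscover.exemple.ex mta-sts.exemple.ex box.exemple.ex

    ProxyRequests     Off
    # Keep the client's Host header so MiaB's nginx selects the right server block.
    ProxyPreserveHost On

    # Pass all of port 80 through unchanged. MiaB's own web server serves the
    # HTTP-01 token under /.well-known/acme-challenge/ and redirects everything
    # else to HTTPS. Do NOT add "ProxyPass /.well-known !" here: that exclusion
    # makes Apache serve the path from its own DocumentRoot, where the token
    # written by MiaB's certbot does not exist.
    ProxyPass        / http://192.168.1.19:80/
    ProxyPassReverse / http://192.168.1.19:80/

    ErrorLog  ${APACHE_LOG_DIR}/miab_http_error.log
    CustomLog ${APACHE_LOG_DIR}/miab_http_access.log combined
</VirtualHost>
```

To check which machine is answering, request a token that was never issued from outside the network, for example `curl -sI http://exemple.ex/.well-known/acme-challenge/probe`, and read the `Server:` response header: `nginx` means the request reached MiaB (a 404 for a made-up token is expected there), while `Apache` means the proxy answered on its own and that hostname is missing from the port-80 vhost. Repeat for each hostname in the error list before re-running the certificate provisioning.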

Putting your MiaB server behind a reverse proxy isn't supported. The certificates will not generate correctly. I believe this is "an expected event". There might be someone here who knows how to do this properly, but honestly I think you will have an easy time supporting the mail server going forward.

The best advice I can give you is to put the mail server on its own dedicated IP address.

Hello, thank you for your answer.

It is true that it would be easier.
But I think there are some things to configure in the reverse proxy to make it work.

If someone has an idea, don't hesitate.
If not, I will ask my operator for a second public IP if there is really no other choice.

Sincerely
