MIAB certificate validation error behind apache2 reverse proxy Detail: Invalid response from http://http://exemple.ex/.well-known/acme-challenge/exemple: 404

hello The data you see has been anonymized and is not real

I explain you my problem
my MIAB server is behind a reverse proxy apache2 the problem is that I can not generate the valid certificate for the server smtp/pop/imap here are the errors obviously I have not put everything because it is repeated for each subdomain

below the errors

Domain: autodiscover.exemple.ex
   Type:   unauthorized
   Detail: Invalid response from

   Domain: exemple.ex
   Type:   unauthorized
   Detail: Invalid response from

   Domain: mta-sts.exemple.ex
   Type:   unauthorized
   Detail: Invalid response from

jI don’t see how to configure my reverse proxy to let port 80 pass through it

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName autodiscover.exemple.ex
    ProxyPass /
    ProxyPassReverse /

<VirtualHost *:443>
     ServerName autodiscover.exemple.ex

    ErrorLog  ${APACHE_LOG_DIR}/Proxy_<Extern.Sitename.de>_error.log
    CustomLog ${APACHE_LOG_DIR}/Proxy_<Extern.Sitename.de>_access.log combined
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Access-Control-Allow-Origin "https://autodiscover.exemple.ex"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://autodiscover.exemple.ex"
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Forwarded-For $proxy_add_x_forwarded_for;

    UseCanonicalPhysicalPort Off
    UseCanonicalName         Off
    DocumentRoot             /var/www/html/

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/autodiscover.exemple.ex/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/autodiscover.exemple.ex/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On

    #SSL Connect
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    #Header always set Strict-Transport-Security "max-age=15768000"

    # Encoded slashes need to be allowed
    AllowEncodedSlashes     NoDecode

    RewriteEngine on
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) wss://$1  [P,L]

    SSLProxyEngine   on
    ProxyRequests    off

    #block Proxy for letsencrypt verification!
    #ProxyPass        /.wellknown !

    ProxyPass        / flushpackets=On connectiontimeout=300 timeout=300
    ProxyPassReverse /
    ProxyTimeout     600


do you have an idea of how the incident was handled
thank you in advance

Putting your MiaB server behind a reverse proxy isn’t supported. The certificates will not generate correctly. I believe this is “an expected event”. There might be someone here that knows how to do this properly but honestly I think you will have an easy time supporting the mail server going forward.

Best advise I can give you is to put the mail server on its own dedicated IP address.

Hello, thank you for your answer

It is true that it would be easier
But I think there are some things to configure in the reverse proxy to make it work

If someone has an idea don’t hesitate
If not I will ask my operator if there is really no choice a second public IP


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.