{"id":8845,"date":"2017-09-12T04:22:59","date_gmt":"2017-09-12T03:22:59","guid":{"rendered":"https:\/\/kb.okra.host\/article\/lets-encrypt-behind-a-reverse-proxy\/"},"modified":"2021-04-06T14:42:47","modified_gmt":"2021-04-06T13:42:47","slug":"lets-encrypt-behind-a-reverse-proxy","status":"publish","type":"ht_kb","link":"https:\/\/kb.okra.host\/de\/article\/lets-encrypt-behind-a-reverse-proxy\/","title":{"rendered":"Let's Encrypt behind a Reverse Proxy"},"content":{"rendered":"<p>By default, apnscp will perform an IP check to ensure a hostname maps back to the configured IP address before issuing a certificate. This is true for both initial requests and automatic renewals. Automatic renewals occur 10 days before expiration. Both the panel and API allow you to circumvent this requirement.<\/p>\n<p><strong>This does not bypass DNS propagation or domains that are unreachable via DNS.<\/strong> This only affects hostnames that are behind a reverse proxy such as CloudFlare or SiteLock. A challenge must still be accessible from the domain, which points to a random location on the server. This is consistent with Let&#8217;s Encrypt&#8217;s ACME server, which performs the mandatory check before issuing a certificate for each hostname.<\/p>\n<h2 id=\"issuance-panel\" >Issuance &#8211; Panel<\/h2>\n<p>Only the IP check on certificate issuance may be bypassed within the apnscp panel. 
To bypass a DNS check on certificate issuance, disable the IP check option.<\/p>\n<div id=\"attachment_1501\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/kb.apiscp.com\/wp-content\/uploads\/2017\/09\/bypass-le-check.png\" rel=\"lightbox-0\"><img decoding=\"async\" aria-describedby=\"caption-attachment-1501\" loading=\"lazy\" class=\"size-medium wp-image-1501\" src=\"https:\/\/kb.apiscp.com\/wp-content\/uploads\/2017\/09\/bypass-le-check-300x134.png\" alt=\"\" width=\"300\" height=\"134\" \/><\/a>\n<p id=\"caption-attachment-1501\" class=\"wp-caption-text\">Bypassing DNS check for Let&#8217;s Encrypt within apnscp<\/p>\n<\/div>\n<h2 id=\"renewal-beacon-api\" >Renewal &#8211; Beacon\/API<\/h2>\n<p>The API must be used to renew Let&#8217;s Encrypt certificates if the DNS check must be bypassed. This may change in the future. <a href=\"https:\/\/kb.apiscp.com\/control-panel\/scripting-with-beacon\/\">Beacon<\/a> provides a frontend to the API and, for the sake of simplicity, will be used in this discussion. After configuring Beacon, call <a href=\"http:\/\/api.apnscp.com\/source-class-Letsencrypt_Module.html\">letsencrypt_renew<\/a> and pass false to the optional <em>verifyip<\/em> parameter. This disables the IP verification checks that cascade into <a href=\"http:\/\/api.apnscp.com\/source-class-Letsencrypt_Module.html\">letsencrypt_request<\/a>.<\/p>\n<pre data-language=\"shell\"><code>beacon eval letsencrypt_renew 0<\/code><\/pre>\n<p>Because the panel will <strong>automatically renew<\/strong> SSL certificates beginning <strong>10 days before expiration<\/strong>, this should be done every 60-80 days. 
If it fails, no email will be generated, so pay heed to the return value.<\/p>\n<p>To simplify operation, add a scheduled task to run monthly or bimonthly within apnscp via <strong>Dev<\/strong> &gt; <strong>Task Scheduler<\/strong>.<\/p>","protected":false},"excerpt":{"rendered":"<p>By default, apnscp will perform an IP check to ensure a hostname maps back to the configured IP address before issuing a certificate. This is true for both initial requests and automatic renewals. Automatic renewals occur 10 days before expiration. Both the panel and API allow you to circumvent this&#8230;<\/p>","protected":false},"author":1,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"footnotes":""},"ht-kb-category":[67],"ht-kb-tag":[],"class_list":["post-8845","ht_kb","type-ht_kb","status-publish","format-standard","has-post-thumbnail","hentry","ht_kb_category-ssl"],"_links":{"self":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/comments?post=8845"}],"version-history":[{"count":1,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8845\/revisions"}],"predecessor-version":[{"id":8846,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb\/8845\/revisions\/8846"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/media\/8847"}],"wp:attachment":[{"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/media?parent=8845"}],"wp:term":[{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-category?post=8845"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:
\/\/kb.okra.host\/de\/wp-json\/wp\/v2\/ht-kb-tag?post=8845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}