
Can a reverse proxy use mod_md to renew several web site certificates? #331

Open
paulvirtuel opened this issue Feb 9, 2024 · 2 comments

Comments


paulvirtuel commented Feb 9, 2024

Thanks a lot for mod_md, it looks like a great apache mod.

Sorry if this is not the right place to ask questions but I did not know where else to ask.

I am trying to use mod_md on several web sites (different domains) I have.

I am using apache as a reverse proxy to direct traffic to several web sites, each using apache for now but this might change in the future.

My current setup is running on Debian Bookworm. The reverse proxy and each web site run apache in separate docker containers.

Originally, I thought I could just use mod_md in the reverse proxy and renew the certificates for all the web sites. But when I looked at https://github.com/icing/mod_md, I did not see much information on my use case.

Now I am wondering if perhaps this is not such a good idea. Can this be done, and does it make sense or is it better to have each web site deal with its own certificate?

One problem I can foresee is if I want to switch one of the apache web servers to another web server software (not apache) or add a web server app, then I will need to find another way to get/update that certificate.


icing commented Feb 10, 2024

I see no reason why mod_md would not work for you. The fact that you reverse proxy sites should not matter, which is why there is no description in the documentation for that use case. Note that all certificates obtained by mod_md are stored in the file system, free for you to copy them anywhere else you'd need them.

As to switching away from Apache to another server, if that is on your roadmap, then it'd make sense to invest your time into another ACME solution. But every ACME solution will involve web servers and their particulars in some way.

paulvirtuel (Author) commented

Thanks for taking the time to answer my questions.

Great, it is good to know I am going in the right direction.

I am still trying to configure the Apache reverse proxy for taking care of all the web site domains. Also, I was thinking I could keep all the encryption (port 443) within the reverse proxy so that all the individual Apache web sites would only serve unencrypted data (port 80). Not sure if this is the best idea in the long term though, if I want to add server load balancing at one point.

So far, I have added the following on the reverse proxy for each domain:

```apache
ServerAdmin my_email@my_domain.com
MDCertificateAgreement accepted
MDomain web_site1.com www.web_site1.com mail.web_site1.com
MDPrivateKeys RSA 4096

<Location "/md-status">
  SetHandler md-status
</Location>

<VirtualHost *:443>
        ServerName www.web_site1.com
        # SSLProxyEngine On   needed if passing to https below
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/web_site1-certs.pem
        SSLCertificateKeyFile /etc/letsencrypt/web_site1-key.pem

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined_custom

        ProxyRequests Off
        ProxyPreserveHost On
        AllowEncodedSlashes NoDecode

        # ProxyPass uses the first match, so the challenge path is excluded before the catch-all
        ProxyPass /.well-known/acme-challenge !
        ProxyPass / http://web_site1.com:8081/
        ProxyPassReverse / http://web_site1.com:8081/
</VirtualHost>
```

The goal was to have the Apache reverse proxy do everything related to encryption without changing the individual Apache web servers. Again, not sure if this is the best idea.

I am not planning to be switching away from Apache, but you never know. It was more the web server apps that I did not know how to get certificates for, without Apache mod_md.
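The layout discussed in this thread, one TLS-terminating reverse proxy whose mod_md obtains certificates for every site while the backends speak plain HTTP, is easy to get subtly wrong: a hostname that is served on :443 but missing from every MDomain never gets a certificate, and a catch-all `ProxyPass /` placed before the `/.well-known/acme-challenge !` exclusion forwards ACME challenge requests to the backend instead of letting the proxy answer them. The following Python script is an added example, not code from mod_md or from the issue author: it renders the per-site MDomain and :443 vhost for a list of sites and then lints the resulting config for those mistakes. The site names, backend URLs and admin address are constructed sample values, and the ordering rule it checks is Apache's documented first-match behaviour for ProxyPass.

```python
"""Render and lint a mod_md reverse-proxy layout for several sites (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    primary: str      # ServerName of the :443 vhost on the proxy
    aliases: tuple    # further names that go into the same MDomain
    backend: str      # origin reachable over plain http inside the container network


# Constructed sample inventory; these are not real hosts.
SITES = (
    Site("www.web_site1.com", ("web_site1.com", "mail.web_site1.com"), "http://web_site1.com:8081/"),
    Site("www.web_site2.org", (), "http://web_site2:8082/"),
)


def render_site(site: Site) -> str:
    """One MDomain plus one :443 vhost; mod_md supplies the certificate for managed names."""
    names = " ".join((site.primary,) + site.aliases)
    lines = [f"MDomain {names}", "", "<VirtualHost *:443>", f"    ServerName {site.primary}"]
    lines += [f"    ServerAlias {a}" for a in site.aliases]
    lines += [
        "    SSLEngine on",
        '    RequestHeader set X-Forwarded-Proto "https"',
        '    RequestHeader set X-Forwarded-Port "443"',
        "    ProxyRequests Off",
        "    ProxyPreserveHost On",
        "    ProxyPass /.well-known/acme-challenge !",   # must precede the catch-all below
        f"    ProxyPass / {site.backend}",
        f"    ProxyPassReverse / {site.backend}",
        "</VirtualHost>",
        "",
    ]
    return "\n".join(lines)


def render(sites, admin_email: str) -> str:
    """Global mod_md settings followed by every site block."""
    head = [f"ServerAdmin {admin_email}", "MDCertificateAgreement accepted", "MDPrivateKeys RSA 4096", ""]
    return "\n".join(head) + "\n" + "\n".join(render_site(s) for s in sites)


_VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S)
_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$", re.M)


def lint(config: str) -> list:
    """Return findings as 'LEVEL: message' strings; an empty list means the layout is consistent."""
    findings = []
    md_names = set()
    for m in re.finditer(r"^\s*MDomain\s+(.+?)\s*$", config, re.M):
        md_names.update(m.group(1).split())
    served = set()
    for vm in _VHOST.finditer(config):
        addr, directives = vm.group(1), _DIRECTIVE.findall(vm.group(2))
        names = [v for k, v in directives if k == "ServerName"]
        names += [n for k, v in directives if k == "ServerAlias" for n in v.split()]
        served.update(names)
        label = names[0] if names else addr
        tls = any(k.lower() == "sslengine" and v.lower() == "on" for k, v in directives)
        if tls:
            for n in names:
                if n not in md_names:
                    findings.append(f"ERROR: {n} is served with TLS but is in no MDomain; "
                                    "mod_md will not obtain or renew a certificate for it")
            if names and any(k == "SSLCertificateFile" for k, _ in directives):
                findings.append(f"WARN: {label} sets SSLCertificateFile although mod_md manages its "
                                "names; check which certificate you intend to serve")
        proxy = [v for k, v in directives if k == "ProxyPass"]
        excl = next((i for i, v in enumerate(proxy) if v.startswith("/.well-known/acme-challenge")), None)
        catch = next((i for i, v in enumerate(proxy) if v.split()[0] == "/"), None)
        if catch is not None and (excl is None or excl > catch):
            findings.append(f"ERROR: {label} proxies / before excluding /.well-known/acme-challenge; "
                            "ProxyPass uses the first match, so challenge requests would reach the backend")
    for n in sorted(md_names - served):
        findings.append(f"WARN: {n} is in an MDomain but no VirtualHost lists it as ServerName or ServerAlias")
    return findings


if __name__ == "__main__":
    cfg = render(SITES, "admin@example.invalid")
    print(cfg)
    print("findings:", lint(cfg) or "none")
```

Run it against your own proxy config by passing the file contents to `lint()`; the render side is only there to show the shape the checks expect. The lint deliberately treats a static `SSLCertificateFile` inside an MD-managed vhost as a warning rather than an error, because whether that is a leftover from a pre-mod_md setup or an intentional override is a decision only the operator can make.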
