Apache2 proxy, Docker, LetsEncrypt

I am trying to install containerized Jitsi following Self-Hosting Guide - Docker | Jitsi Meet. Containers are up, but I can’t figure out correct proxy options for Apache2 so that LetsEncrypt succeeds — so I did not even get to Jitsi stuff yet. The Docker handbook does not cover this scenario (only mentions wss: proxy setup) unfortunately. What I get from the Apache2 logs is:

 AH00898: Error during SSL Handshake with remote server

and I could not find the correct solution despite googling around and testing various posted configs.

Can someone shed light on this?

Thanks!

Apache site config:

<VirtualHost *:80>
    ServerName meet.[domain.tld]
    # this should make LetsEncrypt happy
    Redirect permanent / https://meet.[domain.tld]
</VirtualHost>
<VirtualHost *:443>
        ServerName meet.[domain.tld]
        ProxyTimeout 900
        SSLProxyEngine on
        # not sure about these two (Apache has no inline comments, so they go on their own line)
        ProxyPreserveHost off
        ProxyRequests off
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        LogLevel ssl:debug
        RequestHeader set X-Forwarded-Proto "https"

        # proxy itself
        ProxyPass        / https://localhost:8443/
        ProxyPassReverse / https://localhost:8443/

        # not sure if this is needed
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]

        #this is from the handbook
        <Location "/xmpp-websocket">
            ProxyPass "wss://localhost:8443/xmpp-websocket"
        </Location>
        <Location "/colibri-ws/">
            ProxyPass "wss://localhost:8443/colibri-ws/"
        </Location>
</VirtualHost>

Container log (excerpt):

web_1      | [Sun Nov 20 21:55:56 UTC 2022] Verifying: meet.[domain.tld]
web_1      | [Sun Nov 20 21:55:56 UTC 2022] Standalone mode server 
web_1      | [Sun Nov 20 21:56:00 UTC 2022] meet.[domain.tld]:Verify error:49.12.185.50: Invalid response from https://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ: 500 
web_1      | [Sun Nov 20 21:56:00 UTC 2022] Please add '--debug' or '--log' to check more details. 

Apache access.log (it is receiving the request from LetsEncrypt server):

meet.[domain.tld]:80 35.93.97.92 - - [20/Nov/2022:21:55:58 +0000] "GET /.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ HTTP/1.1" 500 5314 "http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Apache error.log (communication with the containerized server):

[Sun Nov 20 21:55:58.658359 2022] [ssl:debug] [pid 565073:tid 140318326388480] ssl_engine_io.c(1147): [client 35.93.97.92:41120] AH02001: Connection closed to child 85 with standard shutdown (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718255 2022] [ssl:debug] [pid 565073:tid 140318309603072] ssl_engine_kernel.c(415): [client 23.178.112.107:26558] AH02034: Initial (No.1) HTTPS request received for child 87 (server meet.[domain.tld]:80), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718530 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH01964: Connection to child 0 established (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718796 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH02003: SSL Proxy connect failed 
[Sun Nov 20 21:55:58.718828 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH01998: Connection closed to child 0 with abortive shutdown (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718859 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH01997: SSL handshake failed: sending 502 
[Sun Nov 20 21:55:58.718876 2022] [proxy:error] [pid 565073:tid 140318309603072] (20014)Internal error (specific information not available): [client 23.178.112.107:26558] AH01084: pass request body failed to 127.0.0.1:8443 (localhost), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718943 2022] [proxy:error] [pid 565073:tid 140318309603072] [client 23.178.112.107:26558] AH00898: Error during SSL Handshake with remote server returned by /.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ, referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718963 2022] [proxy_http:error] [pid 565073:tid 140318309603072] [client 23.178.112.107:26558] AH01097: pass request body failed to 127.0.0.1:8443 (localhost) from 23.178.112.107 (), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
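
The failure pattern in that error.log (outbound TLS handshake to 127.0.0.1:8443 refused, then a 5xx handed back for the ACME challenge URL) can be spotted mechanically. The following Python parser is an added example, not from the post or the Jitsi handbook: it correlates, per Apache worker thread, the [remote host:port] backend whose handshake failed with the client request that hit it, and flags when that request was the HTTP-01 challenge path; the sample log, hostname, IPs and token are constructed placeholders.

```python
import re

# Constructed sample modelled on the error.log excerpt above; host, IPs and the token are placeholders.
SAMPLE_ERROR_LOG = """\
[Sun Nov 20 21:55:58.718530 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH01964: Connection to child 0 established (server meet.example.test:80)
[Sun Nov 20 21:55:58.718796 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH02003: SSL Proxy connect failed
[Sun Nov 20 21:55:58.718859 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote 127.0.0.1:8443] AH01997: SSL handshake failed: sending 502
[Sun Nov 20 21:55:58.718876 2022] [proxy:error] [pid 565073:tid 140318309603072] (20014)Internal error (specific information not available): [client 203.0.113.10:26558] AH01084: pass request body failed to 127.0.0.1:8443 (localhost)
[Sun Nov 20 21:55:58.718943 2022] [proxy:error] [pid 565073:tid 140318309603072] [client 203.0.113.10:26558] AH00898: Error during SSL Handshake with remote server returned by /.well-known/acme-challenge/TOKEN, referer: http://meet.example.test/.well-known/acme-challenge/TOKEN
[Sun Nov 20 21:56:03.100000 2022] [ssl:info] [pid 565073:tid 140318300000000] [remote 127.0.0.1:8443] AH01964: Connection to child 1 established (server meet.example.test:80)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\(\d+\)[^\[]*)?"                      # optional "(20014)Internal error ...: " prefix
    r"(?:\[(?P<peer_kind>client|remote) (?P<peer>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
RETURNED_BY_RE = re.compile(r"returned by (\S+?)(?:,|\s|$)")
# mod_ssl / mod_proxy codes emitted when the *outbound* TLS handshake to a backend fails
PROXY_TLS_FAILURE_CODES = {"AH02003", "AH01997", "AH00898"}
ACME_PREFIX = "/.well-known/acme-challenge/"

def parse_log(text):
    """Parse Apache error_log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose_proxy_tls(records):
    """Per worker thread (tid): [remote] lines name the backend, AH00898 names the request that hit it."""
    threads = {}
    for rec in records:
        t = threads.setdefault(rec["tid"], {"backend": None, "codes": set(), "path": None})
        if rec["peer_kind"] == "remote":
            t["backend"] = rec["peer"]
        if rec["code"] in PROXY_TLS_FAILURE_CODES:
            t["codes"].add(rec["code"])
        m = RETURNED_BY_RE.search(rec["msg"])
        if m:
            t["path"] = m.group(1)
    return [
        {"tid": tid, "backend": t["backend"], "codes": sorted(t["codes"]), "path": t["path"],
         "acme_challenge": bool(t["path"] and t["path"].startswith(ACME_PREFIX))}
        for tid, t in threads.items() if t["codes"]
    ]

if __name__ == "__main__":
    for f in diagnose_proxy_tls(parse_log(SAMPLE_ERROR_LOG)):
        print(f"tid {f['tid']}: TLS handshake to {f['backend']} failed ({', '.join(f['codes'])}) on {f['path']}")
```

A finding with acme_challenge set means the validator's request was proxied over TLS to a backend that never completed the handshake, so the 5xx Apache sent is exactly what Let's Encrypt reported as "Invalid response".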

Some location blocks are missing in your config. Let's Encrypt cannot create the certificate without them.

I don’t think this applies to the Docker setup, that is all handled inside the container.

Anyway, I abandoned the dockerized LetsEncrypt in favor of LetsEncrypting the proxy itself, that is much easier.