Apache2 proxy, Docker, LetsEncrypt

I am trying to install containerized Jitsi following Self-Hosting Guide - Docker | Jitsi Meet . Containers are up, but I can’t figure out correct proxy options for Apache2 so that LetsEncrypt succeeds — so I did not even get to Jitsi stuff yet. The Docker handbook does not cover this scenario (only mentions wss: proxy setup) unfortunately. What I get is from the Apache2 logs is:

 AH00898: Error during SSL Handshake with remote server

and I could not find the correct solution despite googling around and testing various posted configs.

Can someone shed light on this?


Apache site config:

<VirtualHost *:80>
    ServerName meet.[domain.tld]
    # this should make LetsEncrypt happy
    Redirect permanent / https://meet.[domain.tld]
<VirtualHost *:443>
        ServerName meet.[domain.tld]
        ProxyTimeout 900
        SSLProxyEngine on
        ProxyPreserveHost off   # not sure
        ProxyRequests off       # not sure
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        LogLevel ssl:debug
        RequestHeader set X-Forwarded-Proto "https"

        # proxy itself
        ProxyPass        / https://localhost:8443/
        ProxyPassReverse / https://localhost:8443/

        # not sure if this is needed
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]

        #this is from the handbook
        <Location "/xmpp-websocket">
            ProxyPass "wss://localhost:8443/xmpp-websocket"
        <Location "/colibri-ws/">
            ProxyPass "wss://localhost:8443/colibri-ws/"

Container log (exceprt):

web_1      | [Sun Nov 20 21:55:56 UTC 2022] Verifying: meet.[domain.tld]
web_1      | [Sun Nov 20 21:55:56 UTC 2022] Standalone mode server 
web_1      | [Sun Nov 20 21:56:00 UTC 2022] meet.[domain.tld]:Verify error: Invalid response from https://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ: 500 
web_1      | [Sun Nov 20 21:56:00 UTC 2022] Please add '--debug' or '--log' to check more details. 

Apache access.log (it is receiving the request from LetsEncrypt server):

meet.[domain.tld]:80 - - [20/Nov/2022:21:55:58 +0000] "GET /.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ HTTP/1.1" 500 5314 "http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iI
BlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Apache error.log (communication with the containerized server):

[Sun Nov 20 21:55:58.658359 2022] [ssl:debug] [pid 565073:tid 140318326388480] ssl_engine_io.c(1147): [client] AH02001: Connection closed to child 85 with standard shutdown (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718255 2022] [ssl:debug] [pid 565073:tid 140318309603072] ssl_engine_kernel.c(415): [client] AH02034: Initial (No.1) HTTPS request received for child 87 (server meet.[domain.tld]:80), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718530 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote] AH01964: Connection to child 0 established (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718796 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote] AH02003: SSL Proxy connect failed 
[Sun Nov 20 21:55:58.718828 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote] AH01998: Connection closed to child 0 with abortive shutdown (server meet.[domain.tld]:80) 
[Sun Nov 20 21:55:58.718859 2022] [ssl:info] [pid 565073:tid 140318309603072] [remote] AH01997: SSL handshake failed: sending 502 
[Sun Nov 20 21:55:58.718876 2022] [proxy:error] [pid 565073:tid 140318309603072] (20014)Internal error (specific information not available): [client] AH01084: pass request body failed to (localhost), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718943 2022] [proxy:error] [pid 565073:tid 140318309603072] [client] AH00898: Error during SSL Handshake with remote server returned by /.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ, referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 
[Sun Nov 20 21:55:58.718963 2022] [proxy_http:error] [pid 565073:tid 140318309603072] [client] AH01097: pass request body failed to (localhost) from (), referer: http://meet.[domain.tld]/.well-known/acme-challenge/GfaIC29iIBlijONd8OjmkrdQqp-XcwGAs4xmiMJnRYQ 

Some location blocks are missing in your config. Lets Encrypt cannot create the certificate without them.

I don’t think this applies to the Docker setup, that is all handled inside the container.

Anyway, I abandoned the dockerized LetsEncrypt in favor LetsEncrypting the proxy itself, that is much easier.