Configuring Let's Encrypt Certificates when behind a Load Balancer

Keywords: WordPress - Google Cloud Platform - Technical issue - Secure Connections (SSL/HTTPS)

bndiagnostic ID: 31be8549-6a8c-a1c0-8c74-9be813ddd26e

bndiagnostic output:

? Resources: Found possible issues
? Apache: Found possible issues
? Wordpress: Found possible issues
https://docs.bitnami.com/installer/faq/linux-faq/administration/increase-memory-linux/
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/

bndiagnostic failure reason: The suggested guides are not related to my issue

Description:
Please describe the method to manage and configure LetsEncrypt certificates for auto renewal when the application server is behind a Load Balancer.

The website is on GCP and the Load Balancer has its own certificate. The page “Generate And Install A Let’s Encrypt SSL Certificate For A Bitnami Application” indicates that this must be configured with additional parameters.

The website server has a crontab for auto renewal, and LetsEncrypt certs installed before the Load Balancer was deployed. The domain A records point to the Load Balancer (not the web server).

Thank you,
Aaron

Hi @aaron2022,

Please check this guide:

https://docs.bitnami.com/aws/how-to/configure-elb-ssl-aws/

It’s for AWS but on the server side the steps are the same.

Regards,
Michiel

Hello,

Thank you for your attention to this. I see that these topics/community support are all moving to GitHub soon, but I really need help clarifying this please.

The Steps here:
https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-lets-encrypt-certificate

At Step 5 - I try to renew and the process fails and seems to crash the server.

On that page I noted that the instructions seem to be different when behind a Load Balancer.

Step 2: Generate A Let’s Encrypt Certificate For Your Domain
NOTE: Before proceeding with this step, ensure that your domain name points to the public IP address of the Bitnami application host. If the Bitnami application host is behind a load balancer or CDN, the commands below require additional parameters, which can be provided by the Bitnami support team on request.

Please note:

  • The website was initially created without the load balancer, the ssl was installed using LetsEncrypt and we have renewed the certificate previously (prior to creating the load balancer)
  • The web server modifications we made when we added the load balancer, are described here - Load Balancer and Bitnami application instance SSL - #17 by aaron2022
  • These modifications were made to the wp-config.php file and wordpress-vhost.conf in the GCP configuration.

Your note, @michiel, refers to the steps for an AWS setup:
https://docs.bitnami.com/aws/how-to/configure-elb-ssl-aws/

As you mentioned, I’m working on GCP, but I’m looking at the notes you sent and looking at

Step 4: Modify The Web Server Configuration On The Bitnami Application Instance

Can you please confirm that we need to modify this file:
/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf

By adding this line:

SetEnvIf x-forwarded-proto https HTTPS=on

AND also, modify wp-config.php to add these lines before define site URL and site Home:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) $_SERVER['HTTPS']='on';

AND then finally

Step 5: Force HTTPS

this file: /opt/bitnami/apache/conf/bitnami/bitnami.conf

  <VirtualHost *:80>
  ...
  RewriteEngine On
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
  ...

Please confirm:

  • Would the last section, to be added to bitnami.conf be added beneath the existing rewrite rules?
  • Will this allow the lego cert tool to renew the certificate on this server even though it's behind a load balancer?
  • I would like to complete those steps “renew-the-lets-encrypt-certificate”, and add the script as recommended so that these certificates are updated automatically. Will these steps allow that function to run normally?

Thank you again for your attention to this.
aaron2022

Please note - the file structure is quite different for GCP.
I’m very unsure which files to edit when adapting your notes to GCP.

The primary goal of my request is to find out how to renew the LetsEncrypt certificates now that the GCP load balancer is in place.

Hi @aaron2022,

The bncert tool configures a Let’s Encrypt SSL certificate and sets up automatic renewal:

https://docs.bitnami.com/aws/how-to/understand-bncert/

Regards,
Michiel

Hi @michiel -

The tool did not work when I ran it behind the load balancer. That is the issue I need support with. I ran the tool to try to renew certificates that are about to expire, and found that it crashed the server.

Can you please confirm, for “Google Cloud, Marketplace Method, Approach A”, what changes I need to make, and to which files, to allow the bncert tool to function properly when behind the load balancer.

The documentation says to ask for support when behind a load balancer.

https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/#step-2-generate-a-lets-encrypt-certificate-for-your-domain

Step 2: Generate A Let’s Encrypt Certificate For Your Domain
NOTE: Before proceeding with this step, ensure that your domain name points to the public IP address of the Bitnami application host. If the Bitnami application host is behind a load balancer or CDN, the commands below require additional parameters, which can be provided by the Bitnami support team on request.

When I ran the tool before asking for support, my server crashed and I had to restart. Please provide the additional parameters for GCP. Or please confirm the files (and paths) that I need to modify?

Where the instructions are pointing to paths for files that are not the same on GCP

Path

/opt/bitnami/apps/letsencrypt/conf/httpd-prefix.conf

Insert

SetEnvIf x-forwarded-proto https HTTPS=on

and also modify the file “wp-config.php” before define site URL and site Home to insert:

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) $_SERVER['HTTPS']='on';

And also modify the file:

/opt/bitnami/apache/conf/bitnami/bitnami.conf

Insert

  <VirtualHost *:80>
  ...
  RewriteEngine On
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI}
  ...

Please confirm, is this what I need to modify?
Please confirm, would the last section, to be added to bitnami.conf be added beneath the existing rewrite rules?

Thank you,
Aaron

Hi @michiel

Could it be that my changes to the file “wordpress-vhost.conf” - (made to support the Load Balancer on GCP, documented here, my other community thread) have prevented the bncert tool from being able to access the files at .well-known?

As noted on the “…/google/how-to/understand-bncert” documentation you referenced.

  • The web server configuration is invalid. Check that files inside /opt/bitnami/apps/letsencrypt/.well-known are accessible at http://SERVER-IP/.well-known for all domains.

A little further down the page, there is also a note about Custom Virtual Hosts and bypassing for this /.well-known

For this server

  • where the certificate is not renewing automatically,
  • and this server is behind the load balancer,
  • and I have Virtual Host settings in vhosts/wordpress-vhost.conf

Do I need to disable redirection/rewrites for this /.well-known by adding

  • Custom redirections are enabled. In such case you need to disable the redirection when accessing /.well-known by adding the following rule, right before the line performing the redirection, inside the virtual host:
  RewriteCond %{REQUEST_URI} !^/\.well-known

If it would help, I will post a copy of my current settings in the wordpress-vhost.conf file - but, can you confirm what changes I need to make to run bncert and auto-renewal behind a load balancer?

Thank you,
Aaron
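The pieces asked about across the previous posts (the SetEnvIf line for X-Forwarded-Proto, the force-HTTPS rewrite, the redirect of bare-IP requests to the hostname, and the /.well-known bypass placed before the redirect) fit together in one port-80 virtual host. The block below is an added example written for this thread; it is not Bitnami's shipped configuration and not Aaron's actual wordpress-vhost.conf. The domain example.com, the DocumentRoot, and the Alias target for the challenge directory are assumptions to adapt; the challenge path itself is the one the bncert documentation quoted above names.

```apache
<VirtualHost *:80>
  # Assumed values: replace with the site's real hostname and document root.
  ServerName example.com
  DocumentRoot /opt/bitnami/wordpress

  # The load balancer terminates TLS and tells the backend the original scheme
  # in X-Forwarded-Proto. Exporting HTTPS=on lets Apache and PHP treat the
  # request as HTTPS (WordPress then builds https:// URLs).
  # This trusts a client-controllable header, so it is only safe when port 80
  # on the VM is reachable solely from the load balancer (GCP firewall rule)
  # and the load balancer overwrites the header rather than passing it through.
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on

  # Serve the ACME challenge files that the renewal tool writes, for any Host
  # header and without a redirect. Assumed to match the directory the bncert
  # documentation asks to be reachable at http://SERVER-IP/.well-known.
  Alias /.well-known /opt/bitnami/apps/letsencrypt/.well-known
  <Directory /opt/bitnami/apps/letsencrypt/.well-known>
    Require all granted
  </Directory>

  RewriteEngine On

  # Rule 1: requests that reached the VM by its bare IP (or any other host)
  # are sent to the canonical hostname, i.e. back through the load balancer.
  # The first condition exempts the challenge path, so the renewal check that
  # fetches http://SERVER-IP/.well-known/... is not redirected.
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
  RewriteRule ^(.*)$ https://example.com$1 [R=301,L]

  # Rule 2: requests that came through the load balancer over plain HTTP are
  # upgraded to HTTPS. Again the challenge path is exempt, because the ACME
  # HTTP-01 check is made over plain HTTP.
  RewriteCond %{REQUEST_URI} !^/\.well-known
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
</VirtualHost>
```

Each RewriteCond applies only to the RewriteRule that directly follows it, which is why the /.well-known exemption is repeated in front of both rules; a single copy at the top would protect only the first redirect. After editing, run the Apache config test (`apachectl configtest` or the Bitnami ctlscript restart) and then confirm from outside that a file placed under the challenge directory is returned with HTTP 200, not a 301, when requested by the VM's IP over plain HTTP; that is the exact check the renewal tool performs. Using 301 means browsers cache the redirect, so test with the challenge path before going permanent.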

Hello, @michiel

My configuration has a rewrite rule that will not allow users to browse the Virtual Machine's IP.
I have modified the “wordpress-vhost.conf” to disable redirection when accessing “/.well-known”.

After restarting the server, I was able to run the bncert-tool normally. :)

Because we are behind a load balancer though, and our A Records point to the load balancer’s IP address, we are getting an error trying to renew the certificates. See below.

How can we fix this error?

...
Domain list []: mydomainnameformytestsite.com
Warning: A certificate for the list of domains you entered already exists. It
will be used instead of generating a new one.
Press [Enter] to continue:
Warning: The domain 'mydomainnameformytestsite.com' resolves to a different IP address than the
one detected for this machine, which is 'bbb.bbb.bbb.bbb'. Please fix its DNS
entries or remove it. For more info see:
https://docs.bitnami.com/general/faq/configuration/configure-custom-domain/
Press [Enter] to continue:

Please let me know, I am about to have my current LetsEncrypt certificates expire.

Thank you,
Aaron

Hello,

@michiel - Thanks again for your attention on this. I am able to run the bncert-tool now.

It runs behind the load balancer. I had to make changes to my wordpress-vhost.conf to ensure that the directory “/.well-known” was bypassed in my rewrites for the IP address of the virtual machine that hosts the site.

  • The bncert-tool detects the certificate that was installed prior to the load balancer.
  • The tool also detects that the A record of the Domain is not pointing to this machine.

So the bncert-tool is functioning, but it won’t save changes to the VM server that is behind the Load Balancer.

Please note, we have the Load Balancer working and the front end appears fine:

  • The load balancer has its own certificate from Google (appears fine)
  • The load balancer communicates with the Virtual Machine which hosts the website and we “Trust” this network
  • We have rewrites that redirect traffic to the VM IP address - to the Load Balancer using the hostname explicitly (so no traffic is allowed at the VM)

The question is really what to do now with the LetsEncrypt Certificates?

If we should remove the LetsEncrypt certs now that we are behind the Load Balancer, can you please advise how:

Noting the article about troubleshooting the LetsEncrypt SSL - it looks like the instructions for Apache are pointing to files that are not present on the Google Cloud Platform Marketplace Method (A). Is there a recommended way to do this?

Thank you again!
Aaron