Testing a reverse proxy‘s configurations should be done with a site’s convenience domain URL in preparation for a site launch. When the proxy testing is complete, and the application or network site (for WordPress multisite) is ready to launch, the final production domain (e.g.,
https://www.example.com) should replace the convenience domain in the configurations.
Obtaining a TLS certificate and the ACME challenge
Let’s Encrypt uses what is known as an “ACME challenge” to verify a domain’s ownership before issuing a TLS certificate. When using a reverse proxy, or if not pointing DNS directly to VIP for other reasons, the configurations may cause the ACME challenge to fail.
To meet the ACME challenge’s requirements, the reverse proxy must point requests for
* is a wildcard representing any string) to VIP. A reverse proxy’s configuration settings can be confirmed by using a cURL command.
In this example, a positive response that would meet the ACME challenge is returned by the cURL command:
$ curl -I http://www.example.com/.well-known/acme-challenge/fdfxcxvdz HTTP/1.1 200 OK Server: nginx Date: Mon, 22 Mar 2021 15:38:12 GMT Content-Type: text/plain;charset=utf-8 Connection: keep-alive Vary: Accept-Encoding Vary: Cookie
The reverse proxy must not add any query parameters on the end of the acme-challenge URL. For example, if the reverse proxy adds
?sslEnabled=true to the end of the acme-challenge string, provisioning a Let’s Encrypt certificate will fail.
In addition to a reverse proxy’s own security measures, validating the ACME challenge will ensure that the connection from a proxy to the VIP servers is secure. If it is preferred not to adjust a reverse proxy’s settings, or to not use Let’s Encrypt, it is possible to procure a custom TLS certificate from a third-party certificate authority.
Last updated: December 23, 2023