natemcmaster/LettuceEncrypt

How to validate the domain if the project runs behind a reverse proxy (YARP) [Question]

MarianSWA opened this issue · 5 comments

Hi, I'm not sure if this is a bug so I'll ask a question first.
I'm running a .NET 6 project (using LettuceEncrypt) on a server localhost port, and another YARP project which runs on that server/domain (and all subdomains) which is routing all public traffic to the server local port.
The problem is when validating the subdomain, when the project starts on the server I'm getting

Failed to validate ownership of domainName 'subdomain.domain.io'. Reason: urn:ietf:params:acme:error:connection: 1.1.1.1: Error getting validation data, Code = BadRequest

If I add AddLettuceEncrypt directly on the YARP project everything works just perfect, and my domain is validated.
The problem is that while the YARP reverse proxy runs constantly, the projects to which it routes traffic are not known beforehand. So if I add the AddLettuceEncrypt directly on the project, the subdomain is not being validated.

This makes me think that LettuceEncrypt adds some validation challenges that are not routed by YARP. Is this a bug? Or is there some additional configuration to be done? Maybe ".well-known/acme-challenge" is added as some kind of static files which are not routed by YARP?

If this is the case I'm happy to help fix it, if someone could point me to the part which is not routed by YARP.

I think the issue is only with validation, as the projects are on the same server; I can write some custom certificate repo and source to load the required certificates, provided the domain validation passes.

Thanks in advance!

Setting up LettuceEncrypt on the reverse proxy (like YARP) is the correct approach. It needs to be set up on the public endpoint where TLS is managed. YARP terminates TLS before proxying requests.
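
To make the arrangement described above concrete, here is an added example of a YARP edge process that also runs LettuceEncrypt (example code, not the project's own or anything from this thread). It assumes .NET 6 minimal hosting, a backend listening on http://127.0.0.1:5001, the public names "domain.io" and "subdomain.domain.io", an ACME contact address, and a "ReverseProxy" configuration section; all of those are placeholders to adapt. The ACME client, the challenge middleware and the TLS listener all live in the one process that owns the public port, which is why the backend behind the proxy never sees the `/.well-known/acme-challenge/` requests and cannot complete HTTP-01 on its own.

```csharp
// Program.cs of the YARP edge process (.NET 6 minimal hosting).
// Added example, not code from the LettuceEncrypt or YARP repositories.
// Assumed: backend at http://127.0.0.1:5001, public names domain.io and
// subdomain.domain.io, contact admin@domain.io; change these for your setup.
using System.Net;
using LettuceEncrypt;   // LettuceEncrypt NuGet package (LettuceEncryptOptions)

var builder = WebApplication.CreateBuilder(args);

// 1. The ACME client belongs to the process that owns the public TLS endpoint.
//    LettuceEncrypt registers its HTTP-01 challenge middleware via a startup
//    filter, so challenge requests are answered before MapReverseProxy sees them.
builder.Services.AddLettuceEncrypt(options =>
{
    options.AcceptTermsOfService = true;
    options.EmailAddress = "admin@domain.io";                              // assumed
    options.DomainNames = new[] { "domain.io", "subdomain.domain.io" };    // assumed
    // options.UseStagingServer = true; // use while testing to avoid production rate limits
});

// 2. Kestrel terminates TLS on 443 with the certificate LettuceEncrypt obtains.
//    Port 80 must stay reachable from the internet for the HTTP-01 challenge.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    var appServices = kestrel.ApplicationServices;
    kestrel.Listen(IPAddress.Any, 80);
    kestrel.Listen(IPAddress.Any, 443, listen =>
        listen.UseHttps(https => https.UseLettuceEncrypt(appServices)));
});

// 3. YARP forwards everything else to the backend over plain HTTP on loopback.
//    Assumed appsettings.json section (constructed for this example):
//    "ReverseProxy": {
//      "Routes":   { "all": { "ClusterId": "backend", "Match": { "Path": "{**catch-all}" } } },
//      "Clusters": { "backend": { "Destinations": { "d1": { "Address": "http://127.0.0.1:5001/" } } } }
//    }
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

var app = builder.Build();
app.MapReverseProxy();
app.Run();
```

Because the backend only ever speaks plain HTTP to the proxy on loopback, it needs no certificate of its own; if it must know the original scheme or client address, forward them with the usual X-Forwarded-* headers and ForwardedHeaders middleware on the backend rather than trying to obtain a second certificate there.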

Thanks for replying @Tratcher. @MarianSWA see https://github.com/natemcmaster/LettuceEncrypt/wiki/Will-this-work-for-me%3F#aspnet-core-with-kestrel-behind-a-reverse-proxy for a diagram of this situation. And no, this is not supported by this project.

Thanks both for replying, this helped me understand why it's not working like I expected for this particular workflow.
Do you guys know if there is any other way to get a certificate for a subdomain that is not known at the time of running the main application?
I'm thinking of an API/service that can be called on the project (the one that runs the reverse proxy as well as the "AddLettuceEncrypt()" ) that could do the same thing but for another domain/subdomain (not present in appsettings.json).
@natemcmaster if this is remotely possible, I could give it a try or I could pay someone to implement this in the library. I think that being able to run it programmatically could help in a bunch of other cases too. If this is the case (and it's possible) could you point me to the right place in code? Thanks!

This issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please comment if you believe this should remain open, otherwise it will be closed in 14 days. Thank you for your contributions to this project.

Closing due to inactivity.
If you are looking at this issue in the future and think it should be reopened, please comment here and mention natemcmaster so he sees the notification.