
ACME module not compatible with "Allow plain HTTP access" option

Open gabrioth opened this issue 1 year ago • 5 comments

OS: Debian 12.9 with updated packages.
Zoraxy: 3.1.6, regular binary release.
Running in: VM on Proxmox.
Sits behind: pfSense router with ports 80 and 443 forwarded directly to the Zoraxy VM.

Issue: With a freshly installed and activated Zoraxy instance I can request and receive Let's Encrypt certificates for my DynDNS domain names via http+https challenge with 100% success rate.

If I create a Proxy Rule (any rule) for redirection of traffic directed at any domain name to an IP on my internal network, any request for a certificate for any domain name fails with a 403 response (pasted below). The same happens if I try to renew an already issued certificate for any domain.

The error goes away if I:

  A: Remove all proxy rules, then request certificates before creating rules again, or
  B: Set inbound port to 80 and disable "use TLS to serve proxy request" and "Enable HTTP server on port 80".

While the requested certificate is valid and the related rule is created and active, the reverse proxy works perfectly in redirecting traffic to the correct IP on my internal network based on which domain it was directed at.

Is this a bug, or related to my misunderstanding of how a reverse proxy works? I have edited my IP and domain name in the error message below, but it is the same for any domain until I do either A or B above:

Error: one or more domains had a problem: [test.dnsdojo.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 213.0.0.122: Invalid response from http://test.dnsdojo.org/.well-known/acme-challenge/r7kT830UCQHpUYm21EbKL6nj9EZyZqmYMY_2cY8qC94: 403

gabrioth (Jan 21 '25 16:01)

I was able to mitigate the problem by unchecking the "Allow plain HTTP access" for all rules. Then all certificates could be issued or renewed as expected.

gabrioth (Jan 21 '25 20:01)

@yeungalan Can you take a look at this real quick?

tobychui (Jan 21 '25 22:01)

Will take a look; however, I have recently been pretty busy with company work, so response may be slow.

yeungalan (Jan 22 '25 08:01)

Solution could be like this:

  1. Temporarily disable plain HTTP
  2. Get certificate
  3. Enable plain HTTP

Right now we can do this only manually, but I don't see why it couldn't be done by Zoraxy.

RTechSn (Oct 05 '25 11:10)

Got into this pitfall too; disabling "Enable HTTP server on port 80" makes it work instantly for me.

aBytex (Nov 01 '25 19:11)