I have a Windows Server accesible through an public IP with some Apache Virtual Hosts configured to proxy pass to various internal servers with web applications and services (Apache acting as a reverse proxy). On one of the internal servers I want to configure HTTPS using letsencrypt.
I managed to get an working certificate and server configuration on the internal server, but the problem is my Reverse Proxy (Apache) not wanting to tunnel this HTTPS traffic.
Edit: I know it would be easier to configure the Reverse Proxy with the certificates but Let's Encrypt has no good automated options for Windows yet and manually changing the certificates every 60 days or so would be really tedious.
The Virtual Host configuration in Apache 2.4 (Windows) looks like this:
<VirtualHost *:443>
ServerName somesubdomain.mydomain.com
DocumentRoot "E:/Apache2/htdocs"
DirectoryIndex index.html
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost On
ProxyPass / https://10.3.1.83/
ProxyPassReverse / https://10.3.1.83/
</VirtualHost>
On the 10.3.1.83 (Ubuntu/Nginx) using the certbot from letsencrypt, I generated valid certificates and configured Nginx to serve HTTPS plus the certificates.
When I access the Ubuntu/Nginx Server from inside the LAN, everything works as excpect. Using Chrome DevTools I can verify it servers the right LetsEncrypt Certificate.
Accessing the corresponding subdomain from the outside (Internet) it returns an Internal Server Error Page and in the logs Apache tells me the following:
AH00961: HTTPS: failed to enable ssl support for 10.3.1.83:443 (10.3.1.83)
Edit: Finally I found some answers: Seems like SNI proxing is not implemented in Apache, only "SNI virtual hosting". One could use HAProxy or other projects though.
Apache HTTPS reverse proxy with SNI without key on the proxy https://serverfault.com/questions/614806/apache-mod-proxy-with-https-without-key-material-using-sni https://serverfault.com/questions/625362/can-a-reverse-proxy-use-sni-with-ssl-pass-through/625364
