How to get two trusted certificates, on two servers, behind 1 IP?

I have a pretty simple set up. Nextcloud 19.0.2 on debian 10, apache2, lets encrypt. works well for me. Also I have a zentyal 6.2 server doing DHCP,DNS, LDAP, mail.

This works, but zentyal is using a self signed certificate which I believe is causing me a bit of a headache.

If I use a mail client like thunderbird, I can tell it to make an exception for the certificate, and all is fine.

What I would like to do is access SOGo on the zentyal server via
nextcloud is

I tried to make some Apache2 reverse proxy conf… but I can’t get my head around how thats supposed to work.

I tried adding the mail app to the nextcloud install, but when it tries to access the imap server, an error occurs, and I am pretty sure its to do with the certificate on zentyal being self signed. Where do I find the logs for the mail app? Because it also fails when I try to manually configure IMAP & SMTP without START/TLS or SSL.

Things I don’t get… If I had reverse proxy working, the lets encrypt just works the same on the nextcloud/apache2 server. Do I have to make that somehow trust the self signed certificate/connection of the zentyal apache2 server its being a proxy for ?

Could I get around that, by having 2 domains? Because I have a second domain, but only used an mx record to get mail to the zentyal server, obvious I can’t direct 443/80 to both.

How I have it setup

Which ever server is actually listing to 80:443 ( the server you ported 80:443 to in your modem) Is your reverse proxy for the other server that has no ports routed in your modem.

for example I have and

on I use subs office, cloud, www, mail and many more.

on for testing with subs office, www, cloud

on I have a site config for apache like so where is my local network ip of

<VirtualHost *:80>
  DirectoryIndex index.php index.html

  ProxyPass   /
  ProxyPassReverse  /


<IfModule mod_ssl.c>
         <VirtualHost *:443>
                    DirectoryIndex index.php index.html

                    ProxyPass /.well-known/carddav
                    ProxyPass /.well-known/caldav
                    ProxyPass   /
                    ProxyPassReverse  /

  # Encoded slashes need to be allowed
#  AllowEncodedSlashes     NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

For the sub domain office there is a separate config parsing Collabora proxy.

On the I create the SSL certificates for

I then created the SSL certificates on

which has the following apache site config

<VirtualHost *:80>
	Redirect permanent /
	DocumentRoot /var/www/nextcloud

<IfModule mod_ssl.c>
	<VirtualHost *:443>
		DocumentRoot /var/www/nextcloud

	    ErrorLog ${APACHE_LOG_DIR}/error.log
    	CustomLog ${APACHE_LOG_DIR}/access.log combined

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
	    		SSLOptions +StdEnvVars
                                # Below for php-fpm
    #                            SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"

		<Directory /usr/lib/cgi-bin>
	    		SSLOptions +StdEnvVars

		<Directory /var/www/nextcloud>
	    		Options +FollowSymlinks
    			AllowOverride All
                                SetEnv HOME /var/www/nextcloud
                                SetEnv HTTP_HOME /var/www/nextcloud

			<IfModule mod_dav.c>
		      Dav off

                <IfModule mod_headers.c>
                          Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
            Include /etc/letsencrypt/options-ssl-apache.conf
            SSLCertificateFile /etc/letsencrypt/live/
            SSLCertificateKeyFile /etc/letsencrypt/live/

so I ran certbot for on both servers.

I hope this helps you

Thanks your example certainly gives me some clues that what I’m trying can be done, and how to go about it.
I have made modifications to my nextcloud site conf(s). However when I use SSLProxyCheckPeerName Off

I cannot get the apache service to restart.

have you got these modules loaded

a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_wstunnel
a2enmod proxy_html
a2enmod proxy_balancer


a2enmod proxy proxy_http proxy_wstunnel proxy_html proxy_balancer headers rewrite deflate

Looked like the one missing was proxy_balancer… but even with that, Apache wont start

So my configuration is obviously pretty close, much closer than ever before. by adding the /sogo as the proxy to the IP of the other server, now when I go to I get the content of the login page, but its text & code rather than the right graphics layout.

I haven’t added any lets encrypt certificate stuff to the zentyal server. Maybe its not required as the URL seems to be trusted as is.

Okay to eliminate the php modules here is my complete list of used

actions         authn_file      autoindex       env             headers         negotiation     proxy_connect   proxy_uwsgi     setenvif        status          
alias           authz_core      cgi             expires         include         php7.4          proxy_fcgi      proxy_wstunnel  slotmem_shm     xml2enc         
auth_basic      authz_host      deflate         fcgid           mime            proxy           proxy_html      reqtimeout      socache_shmcb  

Check if you have a2enmod proxy_fcgi enables

I enabled proxy_fcgi same result.
apache2ctl -M gets me…

core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
proxy_module (shared)
proxy_balancer_module (shared)
proxy_fcgi_module (shared)
proxy_html_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
setenvif_module (shared)
slotmem_shm_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
xml2enc_module (shared)

on the nextcloud server

That’s probably the best approach.

You can let the last hop be unencrypted (HTTPS from client to proxy, HTTP from proxy to server). Or you can configure Apache to not check the backend server’s cert.

The reverse proxy can fix that because it can serve a different site based on the SNI, even on the same IP and port. You may find it easier to use different subdomains (e.g. that point to the same IP (or one can be a CNAME of the other). This is done by setting the ServerName in your Apache sites. Then it can tell which one the client wanted.

Great reverse proxy is what I’ll go for.

After rebooting both the nextcloud and zentyal servers, I’m getting a “Service unavailable” error message via the proxy. Both nextcloud, and zen are working directly. On nextcloud in /var/log/apache2/error.log I see
AH00957: HTTP: attempt to connect to ( failed
[Mon Sep 07 17:37:20.614405 2020] [proxy_http:error] [pid 1215] [client 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673] AH01114: HTTP: failed to make connection to backend:

Is ipv6 complicating it? If I try to ping 2406:1e00:9b10:10:3d77:5ab0:5e00:7ad0:2673 it doesn’t resolve, and neither server lists that as an IP they have… I might disable ipv6 on the network for now.

Turned off IPV6 but same error in browser

And what server is

I have a guide here that shows how to set up a reverse proxy. It’s written for proxying a Docker setup, but the basic concept is the same.

I did a reverse proxy for SOGo once and don’t recall having to enable so many mods. It would help to see your Apache site configs.

Its a zentyal server with SOGo installed. Sorry for the late reply. I’ll check out your guide.