Netgate Discussion Forum

    Issue with ACME Certificates Refresh & Restarting HAProxy

    • Maxpower

      Hello fellow pfSense users,

      I've encountered an issue that I hope some of you might have come across and can assist with. I'm currently utilizing ACME Certificates and I have set it up such that when a certificate is refreshed, HAProxy should restart with the new certificate. For this, I have configured the command /usr/local/etc/rc.d/haproxy.sh to restart HAProxy, as it's described in the GUI.

      However, it seems the restart is not working as intended. Whenever ACME refreshes a certificate and the aforementioned command is executed, I see the following error in the logs:

      /status_services.php: The command '/usr/local/etc/rc.d/haproxy.sh stop' returned exit code '1', the output was 'Stopping haproxy. Waiting for PIDS: 81463. Stopping haproxy. No matching processes were found'
      

      From the error, it appears that the script is trying to stop HAProxy, but then either it's not finding the process to stop or there's some other issue that's preventing it from stopping successfully.

      Some steps I have tried:

      Checking the permissions on the haproxy.sh script to ensure it's executable. Which looks good to me:

      -rwxr-xr-x  1 root  wheel  1533 Jul 30 08:52 /usr/local/etc/rc.d/haproxy.sh
      

      Ensuring that HAProxy is actually running before the script is executed.
      I would really appreciate any insights or suggestions on what might be going wrong here or if anyone has faced a similar issue. Any guidance on troubleshooting or resolving this would be a big help!

      Thanks in advance for your support!

      Best regards,
      Max

      • Maxpower

        Oh whoops, saw my mistake. Replying for anyone else who runs into this in the future.

        I had configured the shell command to run as:

        /usr/local/etc/rc.d/haproxy.sh
        

        But it needs to be

        /usr/local/etc/rc.d/haproxy.sh restart
        
        • fxandrei @Maxpower

          @Maxpower said in Issue with ACME Certificates Refresh & Restarting HAProxy:

          For this, I have configured the command /usr/local/etc/rc.d/haproxy.sh to restart HAProxy, as it's described in the GUI

          What exactly did you do here?
          Can you go into detail?

          • EChondo @fxandrei

            @fxandrei Found this thread via Google. And I figured out what OP did, so here's the explanation:

            In the pfSense webpage do:

            1. Click on "Services"
            2. Select "Acme Certificates"
            3. Edit any of your certificate entries by clicking on the pencil icon.
            4. Scroll to the bottom of the certificate edit page and find the "Actions list" section.
            5. Click on "Add" to add a new action and fill out the information as needed. For HAProxy restarting do:
              1. Mode: Enabled
              2. Command: /usr/local/etc/rc.d/haproxy.sh restart
              3. Method: Shell Command
            6. And finally "Save" at the bottom of the cert edit page.

            As far as I can tell, the above action seems to propagate to all certificates that I have, not just a single one. I am not sure if this is just a visual bug, but just something to be aware of.

            I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

            Hopefully this helps you and anyone else that finds this thread via searching.

            • Gertjan @EChondo

              @EChondo

              What's your pfSense version?
              The instructions are shown here:

              1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

              A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

              @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

              I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

              No need to wait x days.
              You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit: and where are the logs??

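One way to confirm, after a renewal, that the restart action really made HAProxy serve the new certificate, as an added example that is not part of any post in this thread: it compares the SHA-256 fingerprint of the certificate served on the frontend with the renewed certificate file on disk. The hostname, port and certificate path are arguments you supply, the function names are made up for this example, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: check that the proxy serves the certificate ACME just renewed.
# usage: sh check_cert.sh <hostname> <port> <cert.pem>   (all three are caller-supplied)

# Reduce an `openssl x509 -fingerprint` line ("sha256 Fingerprint=AB:CD:...")
# to bare lowercase hex, so fingerprints compare regardless of formatting.
norm_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file on disk.
disk_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# SHA-256 fingerprint of the leaf certificate served at host:port (SNI = host).
live_fp() {
    norm_fp "$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# Compare two fingerprints: 0 = same, 1 = different, 2 = one of them is empty
# (handshake failed, file missing or unreadable).
fp_status() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then return 2; fi
    [ "$a" = "$b" ]
}

# Report whether the running proxy has picked up the certificate file.
check_live() {
    rc=0
    fp_status "$(live_fp "$1" "$2")" "$(disk_fp "$3")" || rc=$?
    case $rc in
        0) echo "OK: $1:$2 serves the certificate in $3" ;;
        1) echo "STALE: $1:$2 serves a different certificate than $3" ;;
        *) echo "ERROR: could not read the live or the on-disk certificate" ;;
    esac
    return "$rc"
}

# Only run the check when called with the three arguments.
if [ "$#" -eq 3 ]; then check_live "$@"; fi
```

A STALE result right after a renewal means the proxy process is still holding the old certificate, which is the symptom the restart action is meant to prevent.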
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.