Netgate Discussion Forum

HAProxy And ACME standalone

Category: ACME
yuljk:

Hi - I've decided to set up HAProxy for use with ACME as my Dynamic DNS provider does not allow the creation of _acme-challenge subdomains for manual validation or nsupdate.

I already have a basic setup for HAProxy for two HTTP web servers. I have a single shared frontend for HTTP, and then two frontends pointing to two backends. This all works fine - however I'd like to use the standalone verification method in ACME (not overly fussed about automating it at this stage).

What would I add to HAProxy to do this?

Many thanks
Mats:

Take a look at https://forum.pfsense.org/index.php?topic=130598.0 and https://forum.pfsense.org/index.php?topic=129376.msg714035#msg714035

The latter one describes how I got it to work.
yuljk:

Thanks Mats - I'll take a look.
yuljk:

OK - So I took a look at the links and I still can't get it working.

I have two rules created in my firewall, one for port 80, the other for 443.

I have disabled the webConfigurator redirect rule.

System -> Advanced -> Admin Access

Protocol = HTTPS
TCP port = 44300
WebGUI redirect = Disable webConfigurator redirect rule ENABLED

My current setup is the following.

I have a shared frontend set up called 'SharedFrontend' - all I have configured for this is 4 listen addresses, WAN IPv6, WAN IPv4 - for port 80 and 443 respectively.

I then created a new frontend called 'ACME' with shared front end ticked and primary frontend pointed to 'SharedFrontend'.
Under ACL I have

ACME  Path starts with:  yes  /.well-known/acme-challenge

Under actions I'm pointing to my new backend, which I've configured like so:-

active  localacmeserv  Address+Port:  127.0.0.1  8126  no

Finally under ACME I have configured the certs to use Standalone HTTP Server and port 8126.

The logs from ACME show the following

[Thu Jul  6 03:16:26 BST 2017] errordetail='Invalid response from http://mail.mydomain.co.uk/.well-known/acme-challenge/3-_G89BXrUAk27PmlPXWQerXKe_wonzuNFcXemxQBL0 [86.16.238.175]: 503'
[Thu Jul  6 03:16:26 BST 2017] mail.mydomain.co.uk:Verify error:Invalid response from http://mail.mydomain.co.uk/.well-known/acme-challenge/3-_G89BXrUAk27PmlPXWQerXKe_wonzuNFcXemxQBL0 [86.16.238.175]: 503
[Thu Jul  6 03:16:26 BST 2017] h_api
[Thu Jul  6 03:16:26 BST 2017] Skip for removelevel:
[Thu Jul  6 03:16:26 BST 2017] pid='75347'
[Thu Jul  6 03:16:26 BST 2017] Le_HTTPPort='80'
[Thu Jul  6 03:16:26 BST 2017] GET
[Thu Jul  6 03:16:26 BST 2017] url='http://localhost:80'
[Thu Jul  6 03:16:26 BST 2017] timeout='1'
[Thu Jul  6 03:16:26 BST 2017] curl exists=0
[Thu Jul  6 03:16:26 BST 2017] wget exists=127
[Thu Jul  6 03:16:26 BST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/mail.mydomain.co.uk//http.header  --connect-timeout 1'
[Thu Jul  6 03:16:26 BST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Jul  6 03:16:26 BST 2017] ret='60'
[Thu Jul  6 03:16:26 BST 2017] Le_TLSPort
[Thu Jul  6 03:16:26 BST 2017] No need to restore nginx, skip.
[Thu Jul  6 03:16:26 BST 2017] _clearupdns
[Thu Jul  6 03:16:27 BST 2017] Dns not added, skip.
[Thu Jul  6 03:16:27 BST 2017] _on_issue_err
[Thu Jul  6 03:16:27 BST 2017] Please check log file for more details: /tmp/acme/mail.mydomain.co.uk/acme_issuecert.log
[Thu Jul  6 03:16:27 BST 2017] _chk_vlist='mail.mydomain.co.uk#3-

Weirdly it shows the URL as http:// when it should be https://

I'm yet to configure HAProxy for my various servers on port 443 - I'll have to figure that out after I've got this working.

Any help greatly appreciated with this - happy to do a TeamViewer session or whatever as there is a boatload of screens to screendump.
Mats:

I'm not 100% sure, but can you try changing your backend config from pointing at 127.0.0.1 to the IP of your LAN interface? I got mine pointed at my LAN address.
yuljk:

Changed the backend IP from the loopback address to the LAN IP of the FW

[Thu Jul 6 19:24:56 BST 2017] Pending
OPTIONS / HTTP/1.0
X-Forwarded-Proto: http
X-Forwarded-For: 192.168.50.10

[Thu Jul 6 19:24:58 BST 2017] storefront.apollon-domain.co.uk:Verify error:Fetching http://storefront.apollon-domain.co.uk/.well-known/acme-challenge/VdHX3VX3dV7p_hKtmK8m0UZga4hn5aWLSCNHj2MQfIQ: Timeout
[Thu Jul 6 19:24:59 BST 2017] Please check log file for more details: /tmp/acme/storefront.apollon-domain.co.uk/acme_issuecert.log

Still not working :(
yuljk:

For reference I am using the same setup as corey https://forum.pfsense.org/index.php?topic=130598.0 but am not using an HTTPS redirect.
Mats:

It was worth testing, sorry it didn't help.
If I understand you correctly you got HAProxy working on port 80 for your two websites. That would prove that HTTP traffic gets to HAProxy.

The next thing I would look at is whether it's the right rule that is being used. Do you have any ACLs on the primary frontend that might cause HAProxy to try to use that instead of your secondary listener?
yuljk:

Hi Mats - I've managed to get a bit further. I decided to start from fresh.

I created 3 backends like so:-

ACME

active  localacmeserv  Address+Port:  192.168.50.10  8126  no

WebServers

active  THEMIS  Address+Port:  192.168.50.189  80  no

WebServers2

active  GLAUCUS  Address+Port:  192.168.50.185  80  no

I created 4 frontends:-

HTTP-Edge

Any (IPv4) 80
Any (IPv6) 80
Any (IPv4) 443
Any (IPv6) 443

Use "forwardfor" option - Ticked (Wasn't sure if this is needed or not)

WebServers

Shared Frontend option - ticked
Primary frontend - HTTP-Edge

ACL1  Host matches:  no  www.mywebsite.co.uk

Actions

Use Backend  See below  ACL1

Use backend WebServers

I then cloned this frontend and set up an ACL for my second website to the WebServers2 backend. This all seems to work.

I created a final frontend for ACME like so:-

ACMEFrontend

Shared front end - ticked
Front end - HTTP-Edge

acme  Path starts with:  yes  /.well-known/acme-challenge

Use Backend  See below  acme

Backend points to ACME backend.

Attempt to renew Exchange 2013 SAN certificate which has

enabled  mail.mydomain.co.uk  standalone HTTP server

Port 8126

Enabled  autodiscover.mydomain.co.uk  standalone HTTP server

Port 8126

[Fri Jul 7 00:20:11 BST 2017] Standalone mode.
[Fri Jul 7 00:20:12 BST 2017] Standalone mode.
[Fri Jul 7 00:20:12 BST 2017] Multi domain='DNS:autodiscover.mydomain.co.uk'
[Fri Jul 7 00:20:12 BST 2017] Getting domain auth token for each domain
[Fri Jul 7 00:20:12 BST 2017] Getting webroot for domain='mail.mydomain.co.uk'
[Fri Jul 7 00:20:12 BST 2017] Getting new-authz for domain='mail.mydomain.co.uk'
[Fri Jul 7 00:20:28 BST 2017] The new-authz request is ok.
[Fri Jul 7 00:20:28 BST 2017] Getting webroot for domain='autodiscover.mydomain.co.uk'
[Fri Jul 7 00:20:28 BST 2017] Getting new-authz for domain='autodiscover.mydomain.co.uk'
[Fri Jul 7 00:20:30 BST 2017] The new-authz request is ok.
[Fri Jul 7 00:20:30 BST 2017] mail.mydomain.co.uk is already verified, skip http-01.
[Fri Jul 7 00:20:30 BST 2017] Verifying:autodiscover.mydomain.co.uk
[Fri Jul 7 00:20:30 BST 2017] Standalone mode server
[Fri Jul 7 00:20:36 BST 2017] autodiscover.mydomain.co.uk:Verify error:Invalid response from http://autodiscover.mydomain.co.uk/.well-known/acme-challenge/-G-QfC3FZa66VzIHB2rvanHig3CqBxJPONFSdO0QxLs

The Exchange 2013 server is running behind the firewall.

Any ideas? - This is hurting my brain!
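The frontend/backend layout described in yuljk's two configuration posts above, written out as the plain haproxy.cfg it corresponds to. This is an added example for readers of the thread, not a file posted by anyone in it and not the config the pfSense HAProxy package actually emits: the global/defaults values, the bind names, the second website's hostname and the note about health checks are my assumptions. In particular, the explanation of the 503 (the acme.sh standalone listener only exists on port 8126 while a challenge is pending, so a backend with a periodic health check is marked DOWN in between and HAProxy answers 503 "no server available") is my reading of the first log excerpt, not something the thread states.

```haproxy
# Added example: approximate haproxy.cfg equivalent of the GUI setup in the
# posts above. Names and values marked "assumed" are not from the thread.

global
    log /var/run/log local0 info      # assumed
    maxconn 1000                      # assumed

defaults
    mode http
    log global
    option httplog
    timeout connect 30s               # assumed
    timeout client 30s                # assumed
    timeout server 30s                # assumed

# Primary (shared) frontend "HTTP-Edge". In the pfSense package the secondary
# frontends WebServers, WebServers2 and ACMEFrontend are merged into it, so
# their ACLs and use_backend rules all land in this one section, in order.
frontend HTTP-Edge
    bind 0.0.0.0:80 name ipv4-80      # "Any (IPv4) 80"
    bind [::]:80 name ipv6-80         # "Any (IPv6) 80"
    bind 0.0.0.0:443 name ipv4-443    # listed in the thread; no TLS set up yet
    bind [::]:443 name ipv6-443
    option forwardfor                 # "Use forwardfor option" ticked

    # ACMEFrontend. Keep this rule ahead of the host-based ones: HAProxy takes
    # the first matching use_backend, so a challenge for www.mywebsite.co.uk
    # would otherwise be sent to THEMIS instead of the ACME listener.
    acl acme path_beg -i /.well-known/acme-challenge
    use_backend ACME if acme

    # WebServers: "Host matches www.mywebsite.co.uk"
    acl ACL1 hdr(host) -i www.mywebsite.co.uk
    use_backend WebServers if ACL1

    # WebServers2 (cloned frontend); hostname is a placeholder, not from the thread
    acl ACL2 hdr(host) -i www.second-site.example
    use_backend WebServers2 if ACL2

# acme.sh standalone HTTP server, reachable on the firewall's LAN address
# (the thread moved it from 127.0.0.1 to 192.168.50.10).
backend ACME
    # No "check" keyword on purpose (assumption): the standalone server is only
    # listening while a validation is in progress, so a periodic TCP health
    # check would mark it DOWN and HAProxy would reply 503 to the CA instead of
    # forwarding the request.
    server localacmeserv 192.168.50.10:8126

backend WebServers
    server THEMIS 192.168.50.189:80 check

backend WebServers2
    server GLAUCUS 192.168.50.185:80 check
```

To confirm the path rule is hit before debugging the certificate side, request any URL under /.well-known/acme-challenge/ on the public hostname from outside while no validation is running: with the layout above the request must reach the ACME backend (a 503 there means HAProxy matched the rule but found no listener, which is expected outside a validation window), whereas a response from one of the web servers means a host-based rule won and the ACME rule needs to move up.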
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.