HAProxy for Let's Encrypt?
-
Hi,
I was wondering if someone else has had this issue before. I currently have a few subdomains working well behind HAProxy, using TLS extension matches to go directly to the VM that manages the SSL. The issue is that when I try to renew the cert through Certbot, it tries to renew through port 80, and I have a redirect rule on HAProxy that sends all HTTP to HTTPS. Has anyone else figured out a way to create a shared frontend that lets the .well-known challenge go through to the VM? Thank you
-
Yes
The trick I use is to combine ACLs.
I have one for my host, i.e. the webserver, that is a host-contains ACL, and another one that is a path-contains rule for .well-known/acme-challenge. In the actions section I have a use-backend rule that applies if both the webserver and well-known ACLs match. That backend sends the traffic to port 80.
After that I have a use-backend that applies if only the webserver ACL matches, and that backend does the 443 redirect.
Since HAProxy uses the first match, anything that tries for well-known ... on the webserver will get port 80 and anything else will land on 443.
-
Thanks for the reply, could you share some screenshots? I have been struggling for a while; I cannot get Let's Encrypt to renew.
So all of those subdomains are working with Let's Encrypt, each of them on a VM. The issue is that the renew process seems to need contact on port 80. This is what I have
-
Sure. I can do a few demo screenshots at least.
The challenge is that the renew process does require port 80, so we have to allow traffic to port 80 if the path contains .well-known/acme-challenge. If it doesn't contain that path, the traffic should be redirected to port 443.
In this example I'm using www.example.com as my webserver.
We need two ACLs.
The first one catches the path and the second one catches the hostname.
Under Rules
The trick here is to use both ACLs in the same rule so that only traffic that matches both gets forwarded to port 80 before the second rule redirects the traffic to 443. The final step is to create a backend (WWW) to forward the traffic to the right webserver.
-
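The same two-ACL setup written as a plain haproxy.cfg, added here as an example and not taken from the thread or from any poster's screenshots. The host www.example.com, the backend IP 192.0.2.10 and the frontend/backend names are placeholders. The port 443 frontend mirrors the SNI passthrough the question describes, so HAProxy never terminates TLS and the challenge has to be answered over plain HTTP on port 80. One caveat the GUI hides: in HAProxy, http-request rules are evaluated before use_backend regardless of where they appear in the file, so "first match wins" only holds if the redirect itself is guarded by the challenge ACL.

```haproxy
# Constructed example, not the forum posters' configuration.
# Names, host and IP address are placeholders.

frontend fe_http
    bind *:80
    mode http

    # ACL 1: path used by the ACME HTTP-01 challenge (certbot --webroot or --standalone answers here)
    acl acme_challenge path_beg -i /.well-known/acme-challenge/
    # ACL 2: the host whose certificate certbot renews
    acl host_www       hdr(host) -i www.example.com

    # Redirect everything that is NOT a challenge request to HTTPS.
    # This must carry the ACL: http-request rules run before any use_backend,
    # so an unconditional redirect would swallow the challenge as well.
    http-request redirect scheme https code 301 unless acme_challenge

    # Only challenge requests for this host reach the VM on port 80.
    # Requiring both ACLs keeps plaintext traffic for other hosts away from it.
    use_backend be_www_acme if host_www acme_challenge

    # Unknown hosts or stray challenge paths get nothing
    default_backend be_drop

frontend fe_https
    bind *:443
    mode tcp
    # Wait for the ClientHello, then route on the SNI extension (TLS stays end-to-end to the VM)
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend be_www_tls if { req_ssl_sni -i www.example.com }

backend be_www_acme
    mode http
    server www-vm 192.0.2.10:80

backend be_www_tls
    mode tcp
    server www-vm 192.0.2.10:443

backend be_drop
    mode http
    http-request deny deny_status 404
```

To check the split before running `certbot renew`, request http://www.example.com/.well-known/acme-challenge/test from outside: it should reach the VM (a 404 from the VM's own webserver is fine), while http://www.example.com/ should answer with a 301 to https://. `haproxy -c -f haproxy.cfg` validates the syntax without reloading.
-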
@mats said in HAProxy for Let's Encrypt?:
.well-known/acme-challenge
Thanks for the reply, so I created another rule underneath the sharedhost on port 80 (see picture). The issue is that it's saying there's an error. Any ideas?
Thank you
-
Nope, I have never seen that error message before, but it seems to be related to the backend.
Can you post a picture of how your backend is configured?