HAproxy - the right way
-
Hi Forum
I'm struggling a bit with HAProxy and am in need of some advice.

For my testing setup I have a domain, insa.dk.
For the test I have several subdomains:
fubar.insa.dk
qlik.insa.dk
www.insa.dk

Actually those work pretty well, BUT when typing only the name insa.dk it fails, though I thought it should default back.
So how can I make insa.dk work through HAProxy as well, so it shows the same webpage without a certificate error? Is this something I do when creating the certificate, so that it answers for both www.insa.dk and insa.dk, or is it done through regex statements? In that case my question would be how to create these.
I've now been struggling with this little issue for some days.
But all subdomains of insa.dk are working fine; I'm just missing the last piece of the puzzle.
Thanks in advance
@Peque said in HAproxy - the right way:
So how can I make insa.dk work through HAProxy as well, so it shows the same webpage without a certificate error?
The certificate must be 'valid' for the hostname the browser is visiting. So you need a certificate that is (also) valid for 'insa.dk'. Any redirect or other HTTP-layer tricks you might want to try will only happen after the SSL connection has successfully been made and verified. So to avoid a certificate error there is usually only one solution: use a valid cert (or create one and add your own CA to every client that needs to use the site, which makes the cert valid again for those clients).
-
First of all, thanks for the reply.
That was also my knowledge regarding these certificates.
But what I do not get is why I can create certificates for XXX.insa.dk, but each time I try to issue a cert for insa.dk the issuing of the certificate fails.

insa.dk is also an A record, like the other valid domain names, so I guess the problem is more than recreating a valid certificate.
When trying to issue a certificate for insa.dk I'm getting this error:

challenge_response_put insa, insa.dk FOUND domainitemwebroot put token at: /usr/local/www/.well-known/acme-challenge//0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM
[Wed Dec 2 05:45:36 UTC 2020] Found domain http api file: /tmp/acme/insa//httpapi/pfSenseacme.sh
[Wed Dec 2 05:45:35 UTC 2020] insa.dk:Verify error:Invalid response from https://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM [31.3.72.101]: 503
[Wed Dec 2 05:45:36 UTC 2020] Please check log file for more details: /tmp/acme/insa/acme_issuecert.log

Looking through the log file on the pfSense I'm getting these logs:

[Wed Dec 2 05:45:37 UTC 2020] _postContentType='application/jose+json'
[Wed Dec 2 05:45:37 UTC 2020] Http already initialized.
[Wed Dec 2 05:45:37 UTC 2020] _CURL='curl -L --silent --dump-header /tmp/acme/insa//http.header -g '
[Wed Dec 2 05:45:38 UTC 2020] _ret='0'
[Wed Dec 2 05:45:38 UTC 2020] responseHeaders='HTTP/2 400 server: nginx date: Wed, 02 Dec 2020 05:45:38 GMT content-type: application/problem+json content-length: 144 boulder-requester: 104570941 cache-control: public, max-age=0, no-cache link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" replay-nonce: 0004HRtYyc8tihJvXkURMnIPlzXK3onSs4r27mjxBPZQ0Zc '
[Wed Dec 2 05:45:38 UTC 2020] code='400'
[Wed Dec 2 05:45:38 UTC 2020] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
[Wed Dec 2 05:45:38 UTC 2020] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'

And that is the only error, but I do not get it while the other domains are smoothly issuing the certificate. At the provider they are shown as:
fubar.insa.dk 31.3.72.101 600
insa.dk 31.3.72.101 600
localhost.insa.dk 127.0.0.1 43200
pfsense.insa.dk 31.3.72.101 600
qlik.insa.dk 31.3.72.101 600
www.insa.dk 31.3.72.101 600

Only 2 of those names will not issue the certificate: www.insa.dk and insa.dk, and I cannot work out why they won't issue a certificate.
-
@Peque said in HAproxy - the right way:
[Wed Dec 2 05:45:35 UTC 2020] insa.dk:Verify error:Invalid response from https://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM [31.3.72.101]: 503
When I try to visit your website 'https://insa.dk/' I too get a 503 error shown in my browser, same as the error above. Despite the 'wrong' certificate and clicking through the warnings, that should not happen imho. How is haproxy.cfg configured? Perhaps you've enabled the automated SNI ACLs for the frontend/certificate, which might interfere (disable those checkboxes?).
-
@PiBa - the problem is that I cannot get the verification for this domain insa.dk.
No issues with fubar.insa.dk or qlik.insa.dk, but I cannot issue the certificate for insa.dk/www.insa.dk, so I cannot make a backend or any rules without that certificate for the domains.

At this moment there's no configuration for insa.dk, since I need the certificate for creating the backend that will answer for this.
If you check fubar.insa.dk there's no issue with that site (this is a little test setup for getting HAProxy tested).
But in our live environment (HAProxy is not implemented there) I have 3 domains that should answer with and without the www. in front.

If I can get a certificate for insa.dk and www.insa.dk I think I can manage to configure this, but I cannot figure out WHY I cannot issue those certificates.
-
@Peque
Well, when I request http://insa.dk it redirects to https://insa.dk. This also happens for the Let's Encrypt servers that try to validate the http-01 acme-challenge. So you must make sure that the URL those servers try to visit produces the correct challenge file response. To make that happen you should make it so that the request to "http://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM" is either NOT redirected to https but served by the acme client, or that the https one is handled in such a way that even with a wrong certificate it does produce the correct response. That should be possible even while using a 'wrong' temporary certificate. The 503 I can see is an 'http' response, so why not check the hostname and path requested and forward that to the acme client webserver?
-
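The two rules PiBa describes, as an added example that is not part of the original thread and not generated by the pfSense HAProxy package: a hand-written haproxy.cfg fragment in which any request for the acme-challenge path, on port 80 and on port 443 alike, is handed to the webserver that holds the token (the acme.sh log above shows the token being written under /usr/local/www, i.e. the pfSense webGUI's webroot), while everything else for the apex and www names goes to the Rails backend. The listener addresses, ports and the certificate path are assumptions for illustration. The 503 in the thread is what HAProxy returns when a request reaches a frontend that has no backend able to serve it, which is exactly the state of a frontend for insa.dk with no backend yet.

```haproxy
# Added example, not the pfSense package's generated config. 127.0.0.1:8080,
# 192.168.1.10:3000 and the .pem path are assumptions; substitute your own.

frontend http-in
    bind *:80
    mode http
    # Prefix match: the token in the path changes with every issuance.
    acl is_acme path_beg /.well-known/acme-challenge/
    # http-request rules are evaluated BEFORE use_backend, whatever the line
    # order, so the redirect must be conditioned on the ACL; putting the
    # use_backend line first would not by itself save the challenge.
    http-request redirect scheme https code 301 unless is_acme
    use_backend acme_webroot if is_acme

frontend https-in
    # Works with a temporary/self-signed cert too: validation only needs the
    # HTTP body to be right, not the certificate.
    bind *:443 ssl crt /var/etc/haproxy/insa.dk.pem
    mode http
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_webroot if is_acme
    # Apex and www share one backend; the certificate must carry both names
    # as SANs for the browser to accept either.
    acl is_insa hdr(host) -i insa.dk www.insa.dk
    use_backend rails_site if is_insa
    default_backend rails_site

backend acme_webroot
    mode http
    # The listener serving /usr/local/www/.well-known/acme-challenge/
    # (assumed to be the pfSense webGUI on this port).
    server pfsense_gui 127.0.0.1:8080 check

backend rails_site
    mode http
    server rails1 192.168.1.10:3000 check
```

With this in place the Let's Encrypt validators get the token whether they arrive over http or follow a redirect to https, so the certificate can be issued without stopping HAProxy first; in the pfSense GUI the same effect is achieved with a frontend ACL on the path and a matching action, placed ahead of the redirect action.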
@piba
So basically I should delete my frontend UNTIL all certificates are issued.
But I do not get that point, since I have created pfsense.insa.dk (with the backend running, and also created fubar.insa.dk) and that certificate issue does not have a problem.
But issuing only for insa.dk gives the problem, just like www.insa.dk does.

The reason we like to use pfSense as the frontend (certificate holder etc.) is that our normal website is running on an old version of Ruby on Rails and cannot be upgraded unless we rewrite the entire website, so the best way to protect the website for now is getting pfSense to act as HAProxy.
But I do not get why insa.dk/www.insa.dk have an error 503 while fubar.insa.dk is issued really smoothly and as expected! My guess is that if I can get the right certificate for www.insa.dk and insa.dk I do not have an issue, but getting the certificate seems to be my main issue.
-
@Piba
So the actual solution was stopping HAProxy, issuing the missing certificates, then creating the frontends and starting HAProxy again.

So the proxy is answering for both insa.dk and www.insa.dk.
Thanks for the replies and solutions.