ACME, Let's Encrypt, and HAProxy - Installation Assistance
rowebil last edited by
It is time to admit that I need help with ACME, Let's Encrypt, and HAProxy.
Usually I try my hardest to research and do it myself and rarely admit that I need help – doing so just prevents me from learning from others.
So here I am asking for assistance with my set-up.
I have ACME working with their development server and am able to generate certificates properly.
Now I need help with HAProxy.
I have multiple hosts that run HTTPS 443 - Outlook Web App and now PRTG and a webserver I rarely use.
I am so confused about frontend/backend with HAProxy and I need screenshots/video tutorial on how to set it up, OR just an explanation on how it works and then I can go from there.
I do not learn by reading -- but if someone shows me how theirs is set-up, or an example, then I can learn.
I can gladly set-up a GoToMeeting, Skype, Teamviewer, etc.
coreybrett last edited by
Just figured this out myself. Still need help?
Perun last edited by
I have already working HAproxy with self signed cert…
I want to use ACME module but I dont know what is the best method for me. My DNS provider (joker.com) isnt supported by pfsense and they not support nsupdate... I dont want to use DNS manually method because the renew doesnt work automaticly with it.
What is the best method for me if the pfsense box does SSL offloading with HA proxy on all the domains waht I want to use with ACME?
coreybrett last edited by
The following is what I did.
System -> Advanced -> Admin Access
Protocol = HTTPS
TCP port = 44300
WebGUI redirect = Disable webConfigurator redirect rule ENABLED (Box should be checked)
Firewall -> Rules -> WAN (CALLED COMCAST ON MY BOX)
Create two rules to allow traffic to port 80 and 443 on the public address
Services -> HAProxy -> Frontends
Configure HAProxy with a Frontend that accepts connections on port 80 and redirects them to https, unless the path starts with "./well-known/acme-challenge" in which case sends them to an "acme" backend. The redirect is optional and will depend on your needs.
Note: You will notice I checked the NOT box on the ACL, however, the NOT (in the form of a !) is actually added to the action in the generated config, so don't get confused by that.
Services -> HAProxy -> Backends
Configure an "acme" backend that has one server using the loopback address and a non-80 port. Also, disable health checks.
Services -> Acme -> Certificates
When configuring your certificate, use the standalone HTTP server option on the non-80 port you choose for the backend.
You may also want to set the Actions list to include restarting HAProxy.
The generated config looks like this.
# Automaticaly generated, dont edit manually. # Generated on: 2017-06-15 10:52 global maxconn 10000 stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 server-state-file /tmp/haproxy_server_state listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats refresh 10 stats admin if TRUE stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 resolvers globalresolvers nameserver edge 127.0.0.1:53 resolve_retries 3 timeout retry 1 hold valid 10 frontend http-edge bind 0.0.0.0:80 name 0.0.0.0:80 bind :::80 name :::80 mode http log global option dontlog-normal option http-keep-alive timeout client 30000 acl acme path_beg -i /.well-known/acme-challenge http-request redirect scheme https if !acme default_backend acme_http_ipvANY backend acme_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server localacmesrv 127.0.0.1:8126 resolvers globalresolvers
As for DNS…
I do not have a static address and my hosting company (Dreamhost) doesn't support DDNS, so I use the DDNS Custom option built-into pfSense with DuckDNS.org and all my domain names are CNAME records pointing to my DuckDNS domain. This method won't work for root domains, so I will have to figure something else for that. (There is some evidence that the DDNS in pfSense will soon support Dreamhost which will make some of this a little simpler for me.)
BTW FYI, The first time I tried verifying a cert it failed because I forgot to allow my firewall rules to apply to IPv6 as well as IPv4, and my DuckDNS domain had a AAAA as well as a A record.
Perun last edited by
it was a really good hint, but I done it in something other way. I has placed the acme rule as the first rule on HAproxy frontend settings and without 'not'.
So if a client asks for $whatever/.well-known/acme-challenge then it goes to the local acme server…
Now it works with all my ACME domains.
VincentEmmanuel last edited by
This post is deleted!