ACME, Let's Encrypt, and HAProxy - Installation Assistance

  • It is time to admit that I need help with ACME, Let's Encrypt, and HAProxy.
    Usually I try my hardest to research and do it myself and rarely admit that I need help – doing so just prevents me from learning from others.

    So here I am asking for assistance with my set-up.

    I have ACME working with their development server and am able to generate certificates properly.

    Now I need help with HAProxy.
    I have multiple hosts that run HTTPS 443 - Outlook Web App and now PRTG and a webserver I rarely use.

    I am so confused about frontend/backend with HAProxy and I need screenshots/video tutorial on how to set it up, OR just an explanation on how it works and then I can go from there.

    I do not learn by reading -- but if someone shows me how theirs is set-up, or an example, then I can learn.

I can gladly set up a GoToMeeting, Skype, Teamviewer, etc.

  • Just figured this out myself. Still need help?

I already have HAProxy working with a self-signed cert…

    I want to use the ACME module but I don't know what the best method is for me. My DNS provider ( isn't supported by pfSense and they don't support nsupdate... I don't want to use the manual DNS method because the renewal doesn't work automatically with it.

    What is the best method for me if the pfSense box does SSL offloading with HAProxy on all the domains that I want to use with ACME?

  • The following is what I did.

    System -> Advanced -> Admin Access

    Protocol = HTTPS
    TCP port = 44300
    WebGUI redirect = Disable webConfigurator redirect rule ENABLED (Box should be checked)

    Firewall -> Rules -> WAN (CALLED COMCAST ON MY BOX)

    Create two rules to allow traffic to port 80 and 443 on the public address

    Services -> HAProxy -> Frontends

Configure HAProxy with a Frontend that accepts connections on port 80 and redirects them to https, unless the path starts with "/.well-known/acme-challenge", in which case it sends them to an "acme" backend. The redirect is optional and will depend on your needs.

    Note: You will notice I checked the NOT box on the ACL, however, the NOT (in the form of a !) is actually added to the action in the generated config, so don't get confused by that.

    Services -> HAProxy -> Backends

    Configure an "acme" backend that has one server using the loopback address and a non-80 port. Also, disable health checks.

    Services -> Acme -> Certificates

    When configuring your certificate, use the standalone HTTP server option on the non-80 port you choose for the backend.
    You may also want to set the Actions list to include restarting HAProxy.

    The generated config looks like this.

    # Automatically generated, don't edit manually.
    # Generated on: 2017-06-15 10:52
    global
    	maxconn			10000
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	tune.ssl.default-dh-param	2048
    	server-state-file /tmp/haproxy_server_state
    listen HAProxyLocalStats
    	bind name localstats
    	mode http
    	stats enable
    	stats refresh 10
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    resolvers globalresolvers
    	nameserver edge
    	resolve_retries 3
    	timeout retry 1
    	hold valid 10
    frontend http-edge
    	bind name   
    	bind			:::80 name :::80   
    	mode			http
    	log			global
    	option			dontlog-normal
    	option			http-keep-alive
    	timeout client		30000
    	acl			acme	path_beg -i /.well-known/acme-challenge
    	http-request redirect scheme https  if  !acme 
    	default_backend acme_http_ipvANY
    backend acme_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			localacmesrv  resolvers globalresolvers 

    As for DNS…
    I do not have a static address and my hosting company (Dreamhost) doesn't support DDNS, so I use the DDNS Custom option built into pfSense with and all my domain names are CNAME records pointing to my DuckDNS domain. This method won't work for root domains, so I will have to figure out something else for that. (There is some evidence that the DDNS in pfSense will soon support Dreamhost, which will make some of this a little simpler for me.)

    BTW, FYI: the first time I tried verifying a cert it failed because I forgot to allow my firewall rules to apply to IPv6 as well as IPv4, and my DuckDNS domain had an AAAA as well as an A record.
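The post above describes the pieces (port-80 frontend with an ACL for the challenge path, a conditional redirect to HTTPS, an "acme" backend on the loopback with no health check) but the pasted config lost its bind addresses and server address. The following is an added, hand-written HAProxy configuration that is not from the thread or from pfSense's generator; it assumes placeholder hostnames (owa.example.com, prtg.example.com), RFC 5737 documentation addresses for the backends, 127.0.0.1:8080 for the standalone ACME listener, and a placeholder path for the PEM file that holds the certificate, chain and key. It also goes one step beyond the thread and shows how a single port-443 frontend is routed to several HTTPS hosts by hostname, which is what the original question asked about.

```haproxy
global
    log /dev/log local0
    maxconn 10000
    tune.ssl.default-dh-param 2048
    # Refuse legacy protocol versions on every TLS listener.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80: answer ACME HTTP-01 challenges, send everything else to HTTPS.
# Bind both address families, otherwise a domain with an AAAA record is
# validated over IPv6 and never reaches this frontend.
frontend http-in
    bind :80
    bind [::]:80 v6only
    acl acme path_beg -i /.well-known/acme-challenge/
    # http-request rules run before use_backend, so the condition on the
    # redirect is what keeps the challenge path reachable over plain HTTP.
    http-request redirect scheme https code 301 unless acme
    use_backend acme if acme
    default_backend acme

# Port 443: one listener, TLS terminated here, routed by the Host header.
# /path/to/fullchain-and-key.pem is a placeholder: HAProxy expects the
# certificate, intermediate chain and private key concatenated in one file.
frontend https-in
    bind :443 ssl crt /path/to/fullchain-and-key.pem alpn h2,http/1.1
    bind [::]:443 v6only ssl crt /path/to/fullchain-and-key.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # field(1,:) strips an explicit :port from the Host header before matching.
    acl host_owa  req.hdr(host),field(1,:) -i owa.example.com
    acl host_prtg req.hdr(host),field(1,:) -i prtg.example.com
    use_backend owa  if host_owa
    use_backend prtg if host_prtg
    default_backend web

# Standalone ACME client on the loopback (assumed port 8080). No "check"
# keyword, so the server is never marked DOWN while the listener is idle
# between renewals.
backend acme
    server localacme 127.0.0.1:8080

# Internal hosts (placeholder addresses). They present self-signed
# certificates, hence "verify none"; if a backend certificate can be
# validated, prefer "ssl verify required ca-file <ca.pem>".
backend owa
    server exchange 192.0.2.10:443 ssl verify none check

backend prtg
    server prtg 192.0.2.11:443 ssl verify none check

backend web
    server web 192.0.2.12:80 check
```

Validate the file with `haproxy -c -f /path/to/haproxy.cfg` before reloading; the only traffic that should ever leave port 80 unredirected is a request whose path begins with /.well-known/acme-challenge/, and that reaches nothing but the loopback listener.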

  • It was a really good hint, but I did it a different way. I placed the acme rule as the first rule in the HAProxy frontend settings and without 'not'.

    So if a client asks for $whatever/.well-known/acme-challenge then it goes to the local acme server…
    Now it works with all my ACME domains.
