Netgate Discussion Forum
    ACME, Let's Encrypt, and HAProxy - Installation Assistance

    6 Posts 4 Posters 12.3k Views

    rowebil

      It is time to admit that I need help with ACME, Let's Encrypt, and HAProxy.
      Usually I try my hardest to research and do it myself and rarely admit that I need help – doing so just prevents me from learning from others.

      So here I am asking for assistance with my setup.

      I have ACME working with their development server and am able to generate certificates properly.

      Now I need help with HAProxy.
      I have multiple hosts that run HTTPS 443 - Outlook Web App and now PRTG and a webserver I rarely use.

      I am so confused about frontend/backend with HAProxy and I need screenshots or a video tutorial on how to set it up, OR just an explanation of how it works and then I can go from there.

      I do not learn by reading -- but if someone shows me how theirs is set-up, or an example, then I can learn.

      I can gladly set up a GoToMeeting, Skype, Teamviewer, etc.

      coreybrett

        Just figured this out myself. Still need help?

        Perun

          I already have HAProxy working with a self-signed cert…

          I want to use the ACME module but I don't know what the best method is for me. My DNS provider (joker.com) isn't supported by pfSense and they don't support nsupdate... I don't want to use the manual DNS method because renewal doesn't work automatically with it.

          What is the best method for me if the pfSense box does SSL offloading with HAProxy on all the domains that I want to use with ACME?

          Greetz

            coreybrett

            The following is what I did.

            System -> Advanced -> Admin Access

            Protocol = HTTPS
            TCP port = 44300
            WebGUI redirect = Disable webConfigurator redirect rule ENABLED (Box should be checked)

            Firewall -> Rules -> WAN (CALLED COMCAST ON MY BOX)

            Create two rules to allow traffic to port 80 and 443 on the public address

            Services -> HAProxy -> Frontends

            Configure HAProxy with a Frontend that accepts connections on port 80 and redirects them to https, unless the path starts with "/.well-known/acme-challenge", in which case it sends them to an "acme" backend. The redirect is optional and will depend on your needs.

            Note: You will notice I checked the NOT box on the ACL, however, the NOT (in the form of a !) is actually added to the action in the generated config, so don't get confused by that.

            Services -> HAProxy -> Backends

            Configure an "acme" backend that has one server using the loopback address and a non-80 port. Also, disable health checks.

            Services -> Acme -> Certificates

            When configuring your certificate, use the standalone HTTP server option on the non-80 port you choose for the backend.
            You may also want to set the Actions list to include restarting HAProxy.

            The generated config looks like this.

            
            # Automaticaly generated, dont edit manually.
            # Generated on: 2017-06-15 10:52
            global
            	maxconn			10000
            	stats socket /tmp/haproxy.socket level admin
            	uid			80
            	gid			80
            	nbproc			1
            	chroot			/tmp/haproxy_chroot
            	daemon
            	tune.ssl.default-dh-param	2048
            	server-state-file /tmp/haproxy_server_state
            
            listen HAProxyLocalStats
            	bind 127.0.0.1:2200 name localstats
            	mode http
            	stats enable
            	stats refresh 10
            	stats admin if TRUE
            	stats uri /haproxy/haproxy_stats.php?haproxystats=1
            	timeout client 5000
            	timeout connect 5000
            	timeout server 5000
            
            resolvers globalresolvers
            	nameserver edge 127.0.0.1:53
            	resolve_retries 3
            	timeout retry 1
            	hold valid 10
            
            frontend http-edge
            	bind			0.0.0.0:80 name 0.0.0.0:80   
            	bind			:::80 name :::80   
            	mode			http
            	log			global
            	option			dontlog-normal
            	option			http-keep-alive
            	timeout client		30000
            	acl			acme	path_beg -i /.well-known/acme-challenge
            	http-request redirect scheme https  if  !acme 
            	default_backend acme_http_ipvANY
            
            backend acme_http_ipvANY
            	mode			http
            	log			global
            	timeout connect		30000
            	timeout server		30000
            	retries			3
            	server			localacmesrv 127.0.0.1:8126  resolvers globalresolvers 
            
            

            As for DNS…
            I do not have a static address and my hosting company (Dreamhost) doesn't support DDNS, so I use the DDNS Custom option built into pfSense with DuckDNS.org, and all my domain names are CNAME records pointing to my DuckDNS domain. This method won't work for root domains, so I will have to figure out something else for that. (There is some evidence that the DDNS in pfSense will soon support Dreamhost, which will make some of this a little simpler for me.)

            BTW FYI, the first time I tried verifying a cert it failed because I forgot to allow my firewall rules to apply to IPv6 as well as IPv4, and my DuckDNS domain had an AAAA as well as an A record.

              Perun
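            An added pre-flight check for the layout described in the post above (it is not part of the post, nor of the pfSense HAProxy or ACME packages). It resolves every A and AAAA address of a hostname, asks each one over plain port 80 for a path under /.well-known/acme-challenge/ and for /, and reports whether the challenge path escaped the https redirect while everything else was redirected; the same check applies whichever of the two ACL layouts discussed in this thread is used. A refused or timed-out probe on the IPv6 address only is the AAAA-without-IPv6-firewall-rule failure mentioned in the post. The probe token name, the 5-second timeout and the reading of a 503 as "routed to the acme backend, but nothing listening" are assumptions; the standalone listener on 127.0.0.1:8126 only exists while the ACME package is in the middle of an issuance run.

```python
"""Pre-flight check for HTTP-01 routing through an HAProxy port-80 frontend.

Added example, not code from the pfSense packages or from the thread.
Assumes the frontend redirects everything to https except paths under
/.well-known/acme-challenge/, which go to a local standalone ACME listener.
"""
import socket
import sys

ACME_PREFIX = "/.well-known/acme-challenge/"
PROBE_PATH = ACME_PREFIX + "preflight-probe"   # token name is arbitrary (assumption)


def parse_response(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns (status_code, {lower-case header name: value}); the body is ignored.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(path: str, status: int, headers: dict):
    """Decide whether the port-80 frontend handled `path` the way HTTP-01 needs.

    Returns (routing_ok, explanation).  The ACL in the thread uses `path_beg -i`,
    so the prefix comparison here is case-insensitive as well.
    """
    location = headers.get("location", "").lower()
    to_https = 300 <= status < 400 and location.startswith("https://")
    if path.lower().startswith(ACME_PREFIX):
        if to_https:
            return False, ("challenge path was redirected to https: the ACL is not "
                           "exempting it (check the NOT flag / rule order)")
        if status == 503:
            # Assumption: 503 means HAProxy reached the acme backend but the
            # standalone listener is not running (normal outside an issuance run).
            return True, "challenge path reached the acme backend; nothing listening there right now"
        return True, f"challenge path reached the acme backend (HTTP {status})"
    if to_https:
        return True, "non-challenge path redirected to https"
    return False, f"non-challenge path was served over plain http (HTTP {status})"


def fetch(host: str, addr: str, path: str, timeout: float = 5.0) -> bytes:
    """Send one GET for `path` to the IPv4/IPv6 literal `addr`, with Host: `host`.

    create_connection picks the address family from the literal, so the same
    code probes both A and AAAA targets.
    """
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((addr, 80), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def preflight(host: str):
    """Probe every A and AAAA address of `host` with a challenge path and with /.

    Returns a list of (address, path, routing_ok, explanation).
    """
    results = []
    seen = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, 80, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        for path in (PROBE_PATH, "/"):
            try:
                status, headers = parse_response(fetch(host, addr, path))
                ok, why = classify(path, status, headers)
            except OSError as exc:
                # Refused/timeout on the AAAA address while the A address answers is
                # the missing-IPv6-firewall-rule case: the CA will try that AAAA too.
                ok, why = False, f"no answer on port 80 ({exc}); check the firewall rule for this address family"
            results.append((addr, path, ok, why))
    return results


if __name__ == "__main__":
    for addr, path, ok, why in preflight(sys.argv[1]):
        print(f"{'OK ' if ok else 'BAD'} {addr:40} {path:45} {why}")
```

            Run it as `python3 acme_preflight.py owa.example.org` from a host outside the firewall; every line must read OK before asking the ACME package to issue. Run it again once the standalone listener is up during an issuance run and the challenge-path line should change from "nothing listening" to an HTTP 404 or 200 from the listener itself.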

              It was a really good hint, but I did it a different way. I placed the acme rule as the first rule in the HAProxy frontend settings, and without 'not'.

              So if a client asks for $whatever/.well-known/acme-challenge, then it goes to the local acme server…
              Now it works with all my ACME domains.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.