HAProxy And ACME standalone



  • Hi - I've decided to set up HAProxy for use with ACME, as my Dynamic DNS provider does not allow the creation of _acme-challenge subdomains for manual validation or nsupdate.

    I already have a basic setup for HAProxy for two HTTP web servers.  I have a single shared frontend for HTTP, and then two frontends pointing to two backends.  This all works fine - however I'd like to use the standalone verification method in ACME (not overly fussed about automating it at this stage).

    What would I add to HAProxy to do this?

    Many thanks





  • Thanks Mats - I'll take a look.



  • OK - So I took a look at the links and I still can't get it working.

    I have two rules created in my firewall, one for port 80 the other for 443.

    I have disabled the webConfigurator redirect rule.

    System -> Advanced -> Admin Access

    Protocol = HTTPS
    TCP port = 44300
    WebGUI redirect = Disable webConfigurator redirect rule ENABLED

    My current setup is the following.

    I have a shared frontend setup called 'SharedFrontend' - all I have configured for this is 4 listen addresses, WAN IPv6, WAN IPv4 - for port 80 and 443 respectively.

    I then created a new frontend called 'ACME' with shared front end ticked and primary frontend pointed to 'SharedFrontend'.
    Under ACL I have

    ACME	Path starts with:	yes	/.well-known/acme-challenge
    

    Under actions I'm pointing to my new backend, which I've configured like so:-

    active	localacmeserv	Address+Port:	127.0.0.1	8126	no
    

    Finally under ACME I have configured the certs to use Standalone HTTP Server and port 8126.

    The logs from ACME show the following

    [Thu Jul  6 03:16:26 BST 2017] errordetail='Invalid response from http://mail.mydomain.co.uk/.well-known/acme-challenge/3-_G89BXrUAk27PmlPXWQerXKe_wonzuNFcXemxQBL0 [86.16.238.175]: 503'
    [Thu Jul  6 03:16:26 BST 2017] mail.mydomain.co.uk:Verify error:Invalid response from http://mail.mydomain.co.uk/.well-known/acme-challenge/3-_G89BXrUAk27PmlPXWQerXKe_wonzuNFcXemxQBL0 [86.16.238.175]: 503
    [Thu Jul  6 03:16:26 BST 2017] h_api
    [Thu Jul  6 03:16:26 BST 2017] Skip for removelevel:
    [Thu Jul  6 03:16:26 BST 2017] pid='75347'
    [Thu Jul  6 03:16:26 BST 2017] Le_HTTPPort='80'
    [Thu Jul  6 03:16:26 BST 2017] GET
    [Thu Jul  6 03:16:26 BST 2017] url='http://localhost:80'
    [Thu Jul  6 03:16:26 BST 2017] timeout='1'
    [Thu Jul  6 03:16:26 BST 2017] curl exists=0
    [Thu Jul  6 03:16:26 BST 2017] wget exists=127
    [Thu Jul  6 03:16:26 BST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/mail.mydomain.co.uk//http.header  --connect-timeout 1'
    [Thu Jul  6 03:16:26 BST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
    [Thu Jul  6 03:16:26 BST 2017] ret='60'
    [Thu Jul  6 03:16:26 BST 2017] Le_TLSPort
    [Thu Jul  6 03:16:26 BST 2017] No need to restore nginx, skip.
    [Thu Jul  6 03:16:26 BST 2017] _clearupdns
    [Thu Jul  6 03:16:27 BST 2017] Dns not added, skip.
    [Thu Jul  6 03:16:27 BST 2017] _on_issue_err
    [Thu Jul  6 03:16:27 BST 2017] Please check log file for more details: /tmp/acme/mail.mydomain.co.uk/acme_issuecert.log
    [Thu Jul  6 03:16:27 BST 2017] _chk_vlist='mail.mydomain.co.uk#3-

    Weirdly, it shows the URL as http:// when it should be https://

    I'm yet to configure HAProxy for my various servers on port 443 - I'll have to figure that out after I've got this working.

    Any help greatly appreciated with this - happy to do a TeamViewer session or whatever, as there is a boatload of screens to screendump.



  • I'm not 100% sure, but can you try changing your backend config from pointing at 127.0.0.1 to the IP of your LAN interface? I've got mine pointed at my LAN address.



  • Changed the backend IP from the loopback address to the LAN IP of the FW.

    [Thu Jul 6 19:24:56 BST 2017] Pending
    OPTIONS / HTTP/1.0
    X-Forwarded-Proto: http
    X-Forwarded-For: 192.168.50.10

    [Thu Jul 6 19:24:58 BST 2017] storefront.apollon-domain.co.uk:Verify error:Fetching http://storefront.apollon-domain.co.uk/.well-known/acme-challenge/VdHX3VX3dV7p_hKtmK8m0UZga4hn5aWLSCNHj2MQfIQ: Timeout
    [Thu Jul 6 19:24:59 BST 2017] Please check log file for more details: /tmp/acme/storefront.apollon-domain.co.uk/acme_issuecert.log

    Still not working :(



  • For reference, I am using the same setup as Corey https://forum.pfsense.org/index.php?topic=130598.0 but am not using an HTTPS redirect.



  • It was worth testing, sorry it didn't help.
    If I understand you correctly, you got HAProxy working on port 80 for your two websites. That would prove that HTTP traffic gets to HAProxy.

    The next thing I would look at is whether it's the right rule that is being used. Do you have any ACLs on the primary frontend that might cause HAProxy to try to use that instead of your secondary listener?



  • Hi Mats - I've managed to get a bit further.  I decided to start from fresh.

    I created 3 backends like so:-

    ACME

    active	localacmeserv	Address+Port:	192.168.50.10	8126	no
    

    WebServers

    active	THEMIS	Address+Port:	192.168.50.189	80	no	
    

    WebServers2

    active	GLAUCUS	Address+Port:	192.168.50.185	80	no	
    

    I created 4 Frontends :-

    HTTP-Edge

    Any (IPv4) 80
    Any (IPv6) 80
    Any (IPv4) 443
    Any (IPv6) 443

    Use "forwardfor" option - Ticked (Wasn't sure if this is needed or not)

    WebServers

    Shared Frontend option - ticked
    Primary frontend - HTTP-Edge

    ACL1	Host matches:	no	www.mywebsite.co.uk
    

    Actions

    Use Backend	See below	ACL1
    

    Use backend WebServers

    I then cloned this frontend and set up an ACL for my second website to the WebServers2 backend.  This all seems to work.

    I created a final frontend for ACME like so:-

    ACMEFrontend

    Shared front end - ticked
    Front end - HTTP-Edge

    acme	Path starts with:	yes	/.well-known/acme-challenge
    
    Use Backend	See below	acme
    

    Backend points to ACME backend.

    Attempt to renew Exchange 2013 SAN certificate which has

    enabled	mail.mydomain.co.uk	standalone HTTP server
    

    Port 8126

    Enabled	autodiscover.mydomain.co.uk	standalone HTTP server
    

    Port 8126

    [Fri Jul 7 00:20:11 BST 2017] Standalone mode.
    [Fri Jul 7 00:20:12 BST 2017] Standalone mode.
    [Fri Jul 7 00:20:12 BST 2017] Multi domain='DNS:autodiscover.mydomain.co.uk'
    [Fri Jul 7 00:20:12 BST 2017] Getting domain auth token for each domain
    [Fri Jul 7 00:20:12 BST 2017] Getting webroot for domain='mail.mydomain.co.uk'
    [Fri Jul 7 00:20:12 BST 2017] Getting new-authz for domain='mail.mydomain.co.uk'
    [Fri Jul 7 00:20:28 BST 2017] The new-authz request is ok.
    [Fri Jul 7 00:20:28 BST 2017] Getting webroot for domain='autodiscover.mydomain.co.uk'
    [Fri Jul 7 00:20:28 BST 2017] Getting new-authz for domain='autodiscover.mydomain.co.uk'
    [Fri Jul 7 00:20:30 BST 2017] The new-authz request is ok.
    [Fri Jul 7 00:20:30 BST 2017] mail.mydomain.co.uk is already verified, skip http-01.
    [Fri Jul 7 00:20:30 BST 2017] Verifying:autodiscover.mydomain.co.uk
    [Fri Jul 7 00:20:30 BST 2017] Standalone mode server
    [Fri Jul 7 00:20:36 BST 2017] autodiscover.mydomain.co.uk:Verify error:Invalid response from http://autodiscover.mydomain.co.uk/.well-known/acme-challenge/-G-QfC3FZa66VzIHB2rvanHig3CqBxJPONFSdO0QxLs

    The Exchange 2013 server is running behind the firewall.

    Any ideas? - This is hurting my brain!
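For readers following the thread, here is a hand-written haproxy.cfg that expresses the routing being built above: the original question ("what would I add to HAProxy"), Mats's point about rule order, and the HTTP-Edge / WebServers / WebServers2 / ACME layout from the last post. This is an added example, not the poster's pfSense-generated config or anything from the pfSense HAProxy or ACME packages. Backend names, server names, IPs and ports are the ones given in the posts; the second site's host name is a placeholder, and the timeouts, logging and check settings are assumptions. It shows the two things that decide whether an http-01 validation gets through a shared frontend: the challenge-path rule is evaluated before any Host-based rule, and the ACME backend is not health-checked, because the standalone listener only exists while a challenge is running and HAProxy answers 503 for a backend with no usable server.

```haproxy
# Added example (not the poster's pfSense-generated config): a hand-written
# haproxy.cfg matching the HTTP-Edge / WebServers / WebServers2 / ACME layout
# described in the thread. Host names, server names, IPs and ports come from
# the posts; logging, timeouts and the check settings are assumptions.
global
    log 127.0.0.1 local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend HTTP-Edge
    # http-01 is validated over plain port 80, so that is all this example binds.
    # Port 443 would need a "bind ... ssl crt ..." line once TLS is set up.
    bind 0.0.0.0:80
    bind :::80 v6only
    option forwardfor

    # Order matters: use_backend rules are evaluated top to bottom and the
    # first match wins. The challenge-path rule must come before any
    # Host-based rule, otherwise a request for
    # http://mail.mydomain.co.uk/.well-known/acme-challenge/<token> would
    # be sent to the web/mail backend, which knows nothing about the token.
    acl acme path_beg /.well-known/acme-challenge/
    use_backend ACME if acme

    acl site1 hdr(host) -i www.mywebsite.co.uk
    use_backend WebServers if site1

    # Placeholder host name: the post does not name the second site.
    acl site2 hdr(host) -i www.mysecondwebsite.co.uk
    use_backend WebServers2 if site2

backend ACME
    # acme.sh's standalone listener exists only while a challenge is running.
    # Deliberately no "check" here: a health-checked server that is DOWN
    # between renewals makes HAProxy answer 503 (no server available) to the
    # CA's validation request until enough checks have passed for it to come
    # back UP, which is usually later than the CA's first attempt.
    server localacmeserv 192.168.50.10:8126

backend WebServers
    server THEMIS 192.168.50.189:80 check

backend WebServers2
    server GLAUCUS 192.168.50.185:80 check
```

To check a config like this before involving the CA: `haproxy -c -f haproxy.cfg` validates the syntax, and while acme.sh has its standalone listener up (or with any stand-in listener on 8126 on the same address) a `curl -v http://mail.mydomain.co.uk/.well-known/acme-challenge/test` from outside the LAN tells the cases apart: a 503 from HAProxy means it found no usable server in the ACME backend, a response that clearly came from THEMIS or GLAUCUS means a Host rule matched first, a timeout means the request never reached HAProxy or the listener at all, and a reply from the listener means the routing is right.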