HAProxy for Let's Encrypt?

  • Hi,
    I was wondering if someone else has had this issue before. I currently have a few subdomains working well behind HAProxy, using TLS extension matches to go direct to the VM that manages the SSL. The issue is that when I try to renew the cert through Certbot, it tries to renew through port 80, and I have a redirect rule on HAProxy that sends all HTTP to HTTPS. Has anyone else figured out a way to create a shared frontend that lets the .well-known challenge go through to the VM?

    Thank you

  • Yes.

    The trick I use is to combine ACLs.
    I have one for my host, i.e. the webserver, that is a host-contains ACL, and another one that is a path-contains rule for .well-known/acme-challenge.

    In the actions section I have a use-backend rule that applies if both the webserver and well-known ACLs match. That backend sends the traffic to port 80.

    After that I have a use-backend rule that applies if only the webserver ACL matches, and that backend does a 443 redirect.

    Since HAProxy uses the first match, anything that tries for well-known ... on the webserver will get port 80, and anything else will land on 443.

  • Thanks for the reply. Could you share some screenshots? I have been struggling for a while; I cannot get Let's Encrypt to renew.
    So all of those subdomains are working with Let's Encrypt, each of them on a VM. The issue is that the renew process seems to need contact on port 80.

    This is what i have

    [three screenshots attached: Clipboarder.2018.11.08-003/004/005.png]

  • Sure. I can do a few demo screenshots at least.

    The challenge is that the renew process does require port 80, so we have to allow traffic to port 80 if the path contains .well-known/acme-challenge. If it doesn't contain that path, the traffic should be redirected to port 443.

    In this example I'm using www.example.com as my webserver.

    We need two ACLs.

    The first one catches the path and the second one catches the hostname.

    Under Rules
    The trick here is to use both ACLs in the same rule, so that only traffic that matches both gets forwarded to port 80 before the second rule redirects the traffic to 443.

    The final step is to create a backend (WWW) to forward the traffic to the right webserver.
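The same two-ACL arrangement written as a plain haproxy.cfg, added here as an illustration and not taken from the thread or from the pfSense package's generated config. The hostname www.example.com comes from the reply above; the frontend and backend names, the 10.0.0.10 address and the TLS passthrough frontend (matching the SNI-based setup the original poster describes) are assumed placeholders.

```haproxy
# Added example, not the thread's own config. Assumed values:
# www.example.com (from the reply), 10.0.0.10 (placeholder VM address).

frontend http_in
    bind *:80
    mode http
    # ACL 1: the ACME HTTP-01 challenge path used by Certbot renewals
    acl is_acme  path_beg /.well-known/acme-challenge/
    # ACL 2: the hostname of the webserver that manages its own certificate
    acl host_www hdr(host) -i www.example.com

    # Only traffic matching BOTH ACLs is forwarded to port 80 on the VM
    use_backend www_acme if host_www is_acme

    # Everything else for that host is sent to HTTPS.
    # The ACME path must be excluded explicitly: in haproxy.cfg, http-request
    # rules are evaluated before use_backend no matter where they appear, so
    # relying on rule order alone (as the pfSense rule list allows) would
    # redirect the challenge as well.
    http-request redirect scheme https code 301 if host_www !is_acme

backend www_acme
    mode http
    server www1 10.0.0.10:80

# TLS passthrough by SNI, so the VM keeps terminating TLS itself
frontend https_in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend www_tls if { req.ssl_sni -i www.example.com }

backend www_tls
    mode tcp
    server www1 10.0.0.10:443
```

A quick way to confirm the split before running a renewal is `curl -I http://www.example.com/.well-known/acme-challenge/test` (should reach the backend and return whatever the VM's webserver answers, not a 301) alongside `curl -I http://www.example.com/` (should return the 301 to https). Keep the ACME backend limited to that path prefix; it is the only plain-HTTP path the VM needs exposed.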

  • @mats said in HAProxy for Let's Encrypt?:

    Thanks for the reply, so I created another rule underneath the shared host on port 80 (see picture). The issue is that it's saying there's an error. Any ideas?

    Thank you

    [three screenshots attached: Clipboarder.2018.11.11.png, Clipboarder.2018.11.11-002/003.png]

  • Nope, I have never seen that error message before, but it seems to be related to the backend.
    Can you post a picture of how your backend is configured?