HAPROXY + ACME (Standalone)

  • I've currently had HAProxy & Acme working with DNS-Manual for a little over a year, thanks to PiBa... if I remember the username correctly...

    But I'm finding the need to redo my DNS text records every 3 months a little cumbersome.
    I've tried a few times to follow several tutorials when the certs expired with no luck...

    Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?
    Question: DNS-NSUpdate (Info) is provided by my domain host if they have this service available?

    A little about the setup:

    Custom GUI TCP Port
    80 and 443 Rules in place
    Working HAProxy HTTP to HTTPS Redirect

    Added frontend HTTP ACL for acme, path starts with, /.well-known/acme-challenge/ with Action http-request redirect to rule scheme https
    Added frontend HTTPS ACL for acme, path starts with, /.well-known/acme-challenge/ with Action use backend, backend-acme

    Added backend backend-acme forward to port 4002 and no health check.

    Added cert domain.com standalone HTTP server with HTTP listen port set to 4002

    hmmm, just tried creating a cert with one domain and it worked...
    original cert(s) had multiple sub domains under each, does this not work with standalone?
    can someone confirm this...
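Added example (not from the original post or the pfSense acme package): the haproxy.cfg that the GUI steps above correspond to, so the routing of the HTTP-01 challenge can be checked line by line. Assumed names and values are the frontend/backend names other than backend-acme, the certificate path and the site backend address; port 4002 and the challenge path come from the post.

```haproxy
# Added example, not the poster's own config. Assumptions are marked as such.

global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80
    # HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>.
    # The post redirects this path to HTTPS like everything else; that works
    # because the ACME validator follows the redirect, so the HTTPS frontend
    # must route the same path to backend-acme.
    acl acme path_beg /.well-known/acme-challenge/
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https-in
    # Assumed certificate path (combined cert + key PEM as HAProxy expects).
    bind *:443 ssl crt /path/to/domain.com.pem
    acl acme path_beg /.well-known/acme-challenge/
    use_backend backend-acme if acme
    default_backend backend-web   # assumed name of the existing site backend

backend backend-acme
    # acme.sh in standalone mode listens on the configured port (4002 here)
    # only while an issue/renew is running, hence no health check: a check
    # would mark the server down between renewals.
    server acme 127.0.0.1:4002

backend backend-web
    server web 192.0.2.10:80 check   # assumed address of the real web server
```

For a certificate with several SANs, every name on the cert has to resolve to this HAProxy so that each name's challenge lands on backend-acme; a name that points elsewhere fails validation for the whole order.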

  • @uwscia said in HAPROXY + ACME (Standalone):

    Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?

    As you said, the latter is :
    @uwscia said in HAPROXY + ACME (Standalone):


    and not advised : see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone

    @uwscia said in HAPROXY + ACME (Standalone):

    DNS-NSUpdate / RFC 2136

    IMHO : the best ! A real set-it-and-forget-it method.
    As you mentioned : it needs to be supported by "the other side", or to be more precise : the place where your domain name is registered, probably your registrar or, even better : on some (master) DNS server that serves the zone of your domain that you administer yourself - see here for an RFC 2136 example.

    Most 'big' registrars support some procedure that is implemented by the acme package.
    Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your registrar offers you.
    If not, no panic : read https://github.com/Neilpang/acme.sh/tree/master/dnsapi - scroll down to see what is possible.
    If none : start thinking about moving your domain name - and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode