Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    HAPROXY + ACME (Standalone)

    ACME
    2
    2
    423
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      uwscia last edited by

      I've currently had HAProxy & Acme working with DNS-Manual for a little over a year, Thanks to PiBa... If I remembered the username correctly...

      But I'm finding the need to redo my DNS text records every 3 months a little cumbersome.
      I've tried a few times to follow several tutorials when the certs expired with no luck...

      Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?
      Question: DNS-NSUpdate (Info) is provided by my domain host if they have this service available?

      A little about the setup:

      Custom GUI TCP Port
      80 and 443 Rules in place
      Working HAProxy HTTP to HTTPS Redirect

      HAproxy
      Added frontend HTTP ACL for acme, path starts with, /.well-known/acme-challenge/ with Action http-request redirect to rule scheme https
      Added frontend HTTPS ACL for acme, path starts with, /.well-known/acme-challenge/ with Action use backend, backend-acme

      Added backend backend-acme forward to 127.0.0.1 port 4002 and no health check.

      Acme
      Added cert domain.com standalone HTTP server with HTTP listen port set to 4002

      hmmm, just tried creating a cert with one domain and it worked...
      orginal cert(s) had multiple sub domains under each, does this not work with standalone?
      can someone confirm this...

      Gertjan 1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan @uwscia last edited by Gertjan

        @uwscia said in HAPROXY + ACME (Standalone):

        Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?

        As you said, the latter is :
        @uwscia said in HAPROXY + ACME (Standalone):

        cumbersome

        and not advised : see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone

        @uwscia said in HAPROXY + ACME (Standalone):

        DNS-NSUpdate / RFC 2136

        IMHO : the best ! I real set-it-and-forget-it method.
        As you mentioned : it needs to be supported by "the other side", or to be more precise : the place where your domain name is registered, probably your registrar or, even better : on some (master) DNS server that serves the zone of your domain that you administer yourself - see here for an RFC 2136 example.

        Most 'big' registrar support some procedure that is implemented by the acme package.
        Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your regisrar offers you.
        If not, no panic : read https://github.com/Neilpang/acme.sh/tree/master/dnsapi - scroll down to see what is possible.
        If none : start thinking about moving your domain name - and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode

        No "help me" PM's please. Use the forum.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post