Let Letsencrypt through HAProxy to Synology
-
I am using HAProxy and ACME to install a Letsencrypt cert on my pfSense. It is working well using the front/backend.
I am now trying to allow my Synology NAS through on port 80 as well so it can get and update its Letsencrypt cert.
I changed the frontend to allow a hostname that starts with mynasname, and for the backend I had it forward to port 80 on the IP my NAS sits on. To test this I put the forward port to 5000 and was greeted by the Synology interface, so I would assume that HAProxy is working. Setting it back to port 80 and trying to get a certificate fails 100% of the time. If I just port forward port 80 using a NAT port forward it works okay, so there must be something I am doing wrong in HAProxy.
Snip of the start of the backend. Rest of the options are default.
Any help appreciated.
-
@veldthui
Disable the health check? (set to none) As the acme webserver is probably not running all the time, haproxy would mark it down.. and it might not come up fast enough for the actual acme validation request..
-
The ACME one is disabled and, as I said, is working 100%. What I can't get to work is my Synology NAS. The webserver on the Synology is running all the time and the check marks it as okay. It just is doing something that causes Letsencrypt on the Synology to fail getting a certificate.
-
@veldthui
What I understood from your question is that the Synology webserver listens on 5000? And that acme will listen on 80 while handling the validation request? So when acme is not running the healthchecks for 80 would fail? Or did I misunderstand the situation? (I've never used a Synology NAS..) Can you perhaps share the haproxy.conf (from the bottom of the settings tab)?
-
Take ACME out of this altogether. I mentioned it just to say it was working fine through HAProxy.
Synology uses port 5000 for http and 5001 for https for its web GUI only. It still listens on port 80 for Letsencrypt. And this is proven by port forwarding port 80 to the Synology box. Port forward 80 and Letsencrypt works on the Synology. Use HAProxy and it doesn't.
Here is my config. I have removed my external IP and replaced it with Ext IP.
# Automaticaly generated, dont edit manually.
# Generated on: 2019-04-13 14:43
global
    maxconn                 1000
    stats socket /tmp/haproxy.socket level admin
    uid                     80
    gid                     80
    nbproc                  1
    hard-stop-after         15m
    chroot                  /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

frontend ACME-JV-NET-NZ-PROD
    bind                    Ext IP:80 name Ex IP:80
    mode                    http
    log                     global
    option                  http-keep-alive
    option                  forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client          30000
    errorfile 503 /var/etc/haproxy/errorfile_ACME-JV-NET-NZ-PROD_503_MAINTENANCE
    acl                     ACME    var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
    acl                     JVNAS1  var(txn.txnhost) -m beg -i jvnas1
    http-request set-var(txn.txnpath) path
    http-request set-var(txn.txnhost) hdr(host)
    use_backend ACME-JV-NET-NZ-PROD_ipvANY  if  ACME
    use_backend JVNAS1-LE_ipvANY  if  JVNAS1

backend ACME-JV-NET-NZ-PROD_ipvANY
    mode                    http
    id                      100
    log                     global
    timeout connect         30000
    timeout server          30000
    retries                 3
    server                  ACME-BACKEND 127.0.0.1:4002 id 101

backend JVNAS1-LE_ipvANY
    mode                    http
    id                      102
    log                     global
    timeout connect         30000
    timeout server          30000
    retries                 3
    option                  httpchk OPTIONS /
    server                  JVNAS1 192.168.0.30:80 id 103 check inter 1000
-
@veldthui
So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND 127.0.0.1:4002"? Seems maybe the order of the 'use_backend' actions should change.. Also I wonder, the health-checks for server "JVNAS1 192.168.0.30:80", do they succeed?
-
@PiBa said in Let Letsencrypt through HAProxy to Synology:
@veldthui
So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND 127.0.0.1:4002"? Seems maybe the order of the 'use_backend' actions should change.. Also I wonder, the health-checks for server "JVNAS1 192.168.0.30:80", do they succeed?
Okay, I now get what you are meaning. It matches the directory first rather than the host name and forwards to the wrong backend. I will swap things around and see how they go.
Yes, the health checks for JVNAS1 succeed fine.
-
Okay, after changing the order of the matches in the frontend the Synology is now getting its certificates. I knew I must have been doing something wrong.
Thanks PiBa
-
@veldthui Hello. I am trying to do the same thing: set up my Synology NAS to get/renew its certificates from pfSense and HAProxy. Not sure how to set everything up. How did you get it to work? I will appreciate some guidance on how to set up the backend/frontend and anything else on the Synology box itself. Can't find any guide. thxx
-
@vacquah While it works, the Synology does not seem to automatically update the certs even though it is supposed to. I do get a reminder, so I can manually get it to update.
On the Synology side you need to set it up with the certificates part in the control panel. There are plenty of web hits on how to do this part.
The HAProxy part is basically how I have it in the posting a few above this. You need to be careful of the order of things, as I had my pfSense path first and it was matching that and going there and never got to the Synology match. After a reordering it worked as it should.
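The ordering problem PiBa pointed out and veldthui fixed above comes down to HAProxy evaluating `use_backend` rules top to bottom and taking the first one whose ACL matches. The following Python is an added illustration, not code from the thread or from HAProxy: a toy parser for just the `acl ... -m beg -i` and `use_backend ... if ...` lines of the frontend, applied to two constructed excerpts (the original order and the corrected order). The host names and challenge token in the sample requests are constructed and are not from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the frontend in the ORIGINAL order from the thread:
# the path rule for the pfSense acme client is evaluated first, so the NAS's
# own challenge request never reaches the NAS backend.
FRONTEND_ORIGINAL = """
acl ACME var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
acl JVNAS1 var(txn.txnhost) -m beg -i jvnas1
use_backend ACME-JV-NET-NZ-PROD_ipvANY if ACME
use_backend JVNAS1-LE_ipvANY if JVNAS1
"""

# Constructed excerpt with the CORRECTED order: host match first, so any
# request for the NAS (challenge or not) goes to the NAS; everything else
# that is an ACME challenge still goes to pfSense's acme client.
FRONTEND_FIXED = """
acl ACME var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
acl JVNAS1 var(txn.txnhost) -m beg -i jvnas1
use_backend JVNAS1-LE_ipvANY if JVNAS1
use_backend ACME-JV-NET-NZ-PROD_ipvANY if ACME
"""

# Only the two forms used by the pfSense-generated config are supported here;
# this is a deliberately narrow toy parser, not an HAProxy config parser.
ACL_RE = re.compile(
    r"^acl\s+(\S+)\s+var\(txn\.(txnpath|txnhost)\)\s+-m\s+beg\s+-i\s+(\S+)$"
)
USE_BACKEND_RE = re.compile(r"^use_backend\s+(\S+)\s+if\s+(\S+)$")

# txn.txnpath is set from `path`, txn.txnhost from `hdr(host)` in the config.
VAR_TO_FIELD = {"txnpath": "path", "txnhost": "host"}


def parse_frontend(text: str) -> Tuple[Dict[str, Tuple[str, str]], List[Tuple[str, str]]]:
    """Return ({acl_name: (request_field, prefix)}, [(backend, acl_name), ...]).

    The use_backend list keeps file order, which is what HAProxy evaluates.
    """
    acls: Dict[str, Tuple[str, str]] = {}
    rules: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, var, prefix = m.groups()
            acls[name] = (VAR_TO_FIELD[var], prefix)
            continue
        m = USE_BACKEND_RE.match(line)
        if m:
            backend, acl_name = m.groups()
            rules.append((backend, acl_name))
            continue
        raise ValueError(f"unsupported line for this toy parser: {line}")
    return acls, rules


def route(frontend_text: str, host: str, path: str) -> Optional[str]:
    """Pick the backend the way HAProxy does: first matching use_backend wins.

    `-m beg -i` is a case-insensitive prefix match. With no default_backend
    (as in the thread's config) an unmatched request gets None, which HAProxy
    would answer with a 503.
    """
    acls, rules = parse_frontend(frontend_text)
    request = {"host": host, "path": path}
    for backend, acl_name in rules:
        field, prefix = acls[acl_name]
        if request[field].lower().startswith(prefix.lower()):
            return backend
    return None


def compare_orders(host: str, path: str) -> Tuple[Optional[str], Optional[str]]:
    """Route one request through both orderings for side-by-side comparison."""
    return route(FRONTEND_ORIGINAL, host, path), route(FRONTEND_FIXED, host, path)


if __name__ == "__main__":
    # Constructed sample requests (hostnames and token are placeholders).
    samples = [
        ("jvnas1.example.invalid", "/.well-known/acme-challenge/TOKEN"),  # NAS challenge
        ("pfsense.example.invalid", "/.well-known/acme-challenge/TOKEN"),  # pfSense challenge
        ("jvnas1.example.invalid", "/"),                                   # plain NAS request
    ]
    for host, path in samples:
        before, after = compare_orders(host, path)
        print(f"{host}{path}\n  original order -> {before}\n  fixed order    -> {after}")
```

The first sample is the failing case from the thread: with the original order the NAS's challenge is answered by pfSense's acme client on 127.0.0.1:4002, which has no token for it, so validation fails even though the health check on 192.168.0.30:80 passes. A plain `/` request to the NAS is routed correctly under either order, which is why testing the frontend against the GUI port looked fine.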