Let Letsencrypt through HAProxy to Synology

  • I am using HAProxy and ACME to install a Letsencrypt cert on my pfSense. It is working well using the front/backend.

    I am now trying allow my Synology NAS through on port 80 as well so it can get and update its Letsencrypt cert.
    I changed the frontend to allow a hostname starts with mynasname and for the backend I had it forward to port 80 on the IP my nas sits on. To test this I put the forward port to 5000 and was greeted by the Synology interface so would assume that HAProxy is working. setting it back to port 80 and trying to get a certificate fails 100% of the time.

    If I just port forward port 80 using a NAT port forward it works okay so there must be something I am doing wrong in HAProxy.

    Snip of the start of the backend. Rest of the options are default.

    Any help appreciated.

  • @veldthui
    disable the health check? (set to none)

    as the acme webserver is probably not running all the time ? haproxy would mark it down.. and might not come up fast enough for the actual acme validation request..

  • The ACME one is disabled and as I said is working 100%. What I can't get to work is my Synology NAS. The webserver on the Synology is running all the time and the check marks it as okay. It just is doing something that causes Letsencrypt on the Synology to fail getting a certificate.

  • @veldthui
    What i understood from your question is that the Synology webserver listens on 5000 ? And that acme will listen on 80 while handling the validation request.? So when acme is not running the healthchecks for 80 would fail? Or did i misunderstand the situation? (ive never used a Synology-nas..)

    Can you perhaps share the haproxy.conf (from bottom of settings tab).?

  • Take ACME out of this all together. I mentioned it just to say it was working fine through HAProxy.

    Synology uses port 5000 for http and 5001 for https for its web gui only. It still listens to port 80 for letsencrypt. And this is proven by port forwarding port 80 to the synology box. Port forward 80 and letsencrypt works on the synology. Use HAProxy and it doesn't.

    Here is my config. I have removed my external IP and replaced with Ext IP

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-04-13 14:43
    	maxconn			1000
    	stats socket /tmp/haproxy.socket level admin 
    	uid			80
    	gid			80
    	nbproc			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	server-state-file /tmp/haproxy_server_state
    frontend ACME-JV-NET-NZ-PROD
    	bind			Ext IP:80 name Ex IP:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	errorfile			503 /var/etc/haproxy/errorfile_ACME-JV-NET-NZ-PROD_503_MAINTENANCE
    	acl			ACME	var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
    	acl			JVNAS1	var(txn.txnhost) -m beg -i jvnas1
    	http-request set-var(txn.txnpath) path
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend ACME-JV-NET-NZ-PROD_ipvANY  if  ACME 
    	use_backend JVNAS1-LE_ipvANY  if  JVNAS1 
    backend ACME-JV-NET-NZ-PROD_ipvANY
    	mode			http
    	id			100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			ACME-BACKEND id 101  
    backend JVNAS1-LE_ipvANY
    	mode			http
    	id			102
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			JVNAS1 id 103 check inter 1000

  • This post is deleted!

  • @veldthui
    So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND" .? Seems maybe the order of the 'use_backend' actions should change..

    Also i wonder, the health-checks for server "JVNAS1" do they succeed?

  • This post is deleted!

  • @PiBa said in Let Letsencrypt through HAProxy to Synology:

    So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND" .? Seems maybe the order of the 'use_backend' actions should change..

    Also i wonder, the health-checks for server "JVNAS1" do they succeed?

    Okay I now get what you at meaning. It matches the directory first rather than the host name and forwards to the wrong backend. I will swap things around and see how they go.

    Yes the health checks for JVNAS1 succeed fine.

  • Okay, After changing the order of the matches in the frontend the Synology is now getting its certificates. I knew I must have been doing something wrong.

    Thanks PiBa

  • This post is deleted!

  • @veldthui hello. I am trying to do the same thing - setup my synology nas to get /renew its certificates from pfsense and haproxy. Not sure how to set everything up. How did you get it to work? will appreciate some guidance how to setup the backend/frontend and anything else on the synology box itself. Cant find any guide. thxx

  • @vacquah While it works, the Synology does not seem to automatically update the certs even though it is supposed to. I do get a reminder so can manually get it to update.

    On the synology side you need to set it up with the certificates part on the control panel. There are plenty of web hits on how to do this part.
    The HAProxy part is basically how I have it in a few posting before this. You need to be careful of the order of things as I had my pfSense path first and it was matching that and going there and never got to the synology match. After a reordering it worked as it should.

Log in to reply