Let Letsencrypt through HAProxy to Synology

veldthui · Apr 12, 2019, 8:51 PM

I am using HAProxy and ACME to install a Letsencrypt cert on my pfSense. It is working well using the front/backend.

I am now trying allow my Synology NAS through on port 80 as well so it can get and update its Letsencrypt cert.
I changed the frontend to allow a hostname starts with mynasname and for the backend I had it forward to port 80 on the IP my nas sits on. To test this I put the forward port to 5000 and was greeted by the Synology interface so would assume that HAProxy is working. setting it back to port 80 and trying to get a certificate fails 100% of the time.

If I just port forward port 80 using a NAT port forward it works okay so there must be something I am doing wrong in HAProxy.

Snip of the start of the backend. Rest of the options are default.

Any help appreciated.

PiBa · Apr 12, 2019, 9:44 PM

@veldthui
disable the health check? (set to none)

as the acme webserver is probably not running all the time ? haproxy would mark it down.. and might not come up fast enough for the actual acme validation request..

veldthui · Apr 12, 2019, 11:57 PM

The ACME one is disabled and as I said is working 100%. What I can't get to work is my Synology NAS. The webserver on the Synology is running all the time and the check marks it as okay. It just is doing something that causes Letsencrypt on the Synology to fail getting a certificate.

PiBa · Apr 13, 2019, 8:25 PM

@veldthui
What i understood from your question is that the Synology webserver listens on 5000 ? And that acme will listen on 80 while handling the validation request.? So when acme is not running the healthchecks for 80 would fail? Or did i misunderstand the situation? (ive never used a Synology-nas..)

Can you perhaps share the haproxy.conf (from bottom of settings tab).?

veldthui · Apr 13, 2019, 8:25 PM

Take ACME out of this all together. I mentioned it just to say it was working fine through HAProxy.

Synology uses port 5000 for http and 5001 for https for its web gui only. It still listens to port 80 for letsencrypt. And this is proven by port forwarding port 80 to the synology box. Port forward 80 and letsencrypt works on the synology. Use HAProxy and it doesn't.

Here is my config. I have removed my external IP and replaced with Ext IP

# Automaticaly generated, dont edit manually.
# Generated on: 2019-04-13 14:43
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	server-state-file /tmp/haproxy_server_state

frontend ACME-JV-NET-NZ-PROD
	bind			Ext IP:80 name Ex IP:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	errorfile			503 /var/etc/haproxy/errorfile_ACME-JV-NET-NZ-PROD_503_MAINTENANCE
	acl			ACME	var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
	acl			JVNAS1	var(txn.txnhost) -m beg -i jvnas1
	http-request set-var(txn.txnpath) path
	http-request set-var(txn.txnhost) hdr(host)
	use_backend ACME-JV-NET-NZ-PROD_ipvANY  if  ACME 
	use_backend JVNAS1-LE_ipvANY  if  JVNAS1 

backend ACME-JV-NET-NZ-PROD_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			ACME-BACKEND 127.0.0.1:4002 id 101  

backend JVNAS1-LE_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			JVNAS1 192.168.0.30:80 id 103 check inter 1000

PiBa · Apr 13, 2019, 8:50 PM

This post is deleted!

PiBa · Apr 13, 2019, 8:52 PM

@veldthui
So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND 127.0.0.1:4002" .? Seems maybe the order of the 'use_backend' actions should change..

Also i wonder, the health-checks for server "JVNAS1 192.168.0.30:80" do they succeed?

veldthui · Apr 13, 2019, 10:55 PM

This post is deleted!

veldthui · Apr 13, 2019, 11:57 PM

@PiBa said in Let Letsencrypt through HAProxy to Synology:

@veldthui
So when a request for '/.well-known/acme-challenge/' comes in you send it to the server "ACME-BACKEND 127.0.0.1:4002" .? Seems maybe the order of the 'use_backend' actions should change..

Also i wonder, the health-checks for server "JVNAS1 192.168.0.30:80" do they succeed?

Okay I now get what you at meaning. It matches the directory first rather than the host name and forwards to the wrong backend. I will swap things around and see how they go.

Yes the health checks for JVNAS1 succeed fine.

veldthui · Jul 19, 2019, 2:57 AM

Okay, After changing the order of the matches in the frontend the Synology is now getting its certificates. I knew I must have been doing something wrong.

Thanks PiBa

snitem · Apr 14, 2019, 12:18 AM

This post is deleted!

vacquah · Jul 19, 2019, 2:57 AM

@veldthui hello. I am trying to do the same thing - setup my synology nas to get /renew its certificates from pfsense and haproxy. Not sure how to set everything up. How did you get it to work? will appreciate some guidance how to setup the backend/frontend and anything else on the synology box itself. Cant find any guide. thxx

veldthui · Jul 20, 2019, 5:57 AM

@vacquah While it works, the Synology does not seem to automatically update the certs even though it is supposed to. I do get a reminder so can manually get it to update.

On the synology side you need to set it up with the certificates part on the control panel. There are plenty of web hits on how to do this part.
The HAProxy part is basically how I have it in a few posting before this. You need to be careful of the order of things as I had my pfSense path first and it was matching that and going there and never got to the synology match. After a reordering it worked as it should.