HAProxy with ACME wildcard inconsistencies


  • I'm using haproxy-devel (2.0.14) with acme (0.6.6) and a wildcard certificate on pfSense (2.4.5). It is set up as an internal-only reverse proxy in front of a number of services running on VMs/Docker.

    Everything works except two of the Docker services (tautulli and lazylibrarian): the browser shows a NET::ERR_CERT_COMMON_NAME_INVALID error, and the request ends up at the pfSense management port (8888) with the pfSense webGUI certificate instead of the ACME one. All hostnames resolve to a single virtual IP (10.0.60.20).

    # Automaticaly generated, dont edit manually.
    # Generated on: 2020-04-05 07:03
    global
    	# Process-wide limits and runtime identity for the HAProxy daemon.
    	maxconn			1000
    	# Admin-level runtime API socket ('expose-fd listeners' is typically used
    	# for seamless reloads). No 'mode'/'user' restriction is given, so access
    	# relies on the default socket permissions — NOTE(review): anything that
    	# can connect to this socket has full admin control of the proxy; confirm
    	# it is reachable only by root / the pfSense webGUI.
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	# Drop privileges after binding the listeners; uid/gid 80 is presumably
    	# the 'www' account on pfSense/FreeBSD — verify.
    	uid			80
    	gid			80
    	nbproc			1
    	nbthread			1
    	# Upper bound on how long an old process may linger after a reload
    	# before it is killed.
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	# Size of the DH group used for DHE key exchange on the TLS frontend.
    	tune.ssl.default-dh-param	2048
    	# Server up/down state carried across reloads.
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	# Stats/admin page, reachable only via loopback on the firewall itself.
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	# Admin actions (enabling/disabling servers, etc.) are allowed
    	# unconditionally and no 'stats auth' is configured, so the loopback
    	# bind above is the only access control: any local process that can
    	# reach 127.0.0.1:2200 has admin control of the proxy.
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	# Timeouts are in milliseconds.
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend shared_frontend-merged
    	# Single TLS listener on the shared VIP; the certificate (including the
    	# ACME wildcard) is chosen per SNI from the crt-list. Note there is no
    	# :80 bind, so plain-HTTP requests to 10.0.60.20 are not handled by
    	# HAProxy at all — they reach whatever else listens on that address
    	# (presumably the pfSense webGUI redirect), which would explain the
    	# wrong port/certificate described above.
    	bind			10.0.60.20:443 name 10.0.60.20:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	# Adds X-Forwarded-For with the client address for the backends.
    	option			forwardfor
    	acl https ssl_fc
    	# set-header replaces any client-supplied X-Forwarded-Proto, so a
    	# backend cannot be tricked into treating a plain request as HTTPS.
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	# Host-header ACL for the wildcard domain (optional :port allowed). It
    	# is declared but never referenced by a use_backend rule below, so it
    	# currently has no effect.
    	acl			aclcrt_shared_frontend	var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomainname\.com(:([0-9]){1,5})?$
    	# Per-service routing ACLs: case-insensitive prefix match (-m beg) on
    	# the Host header. Each matches any Host that merely starts with the
    	# service name, regardless of the domain part ("sonarr" alone, or
    	# "sonarr.other.tld"). Harmless for an internal-only proxy, but worth
    	# tightening (e.g. full-host -m str or the domain regex above) if this
    	# frontend is ever exposed.
    	acl			teedy_acl	var(txn.txnhost) -m beg -i teedy
    	acl			heimdall_acl	var(txn.txnhost) -m beg -i heimdall
    	acl			sonarr_acl	var(txn.txnhost) -m beg -i sonarr
    	acl			radarr_acl	var(txn.txnhost) -m beg -i radarr
    	acl			ombi_acl	var(txn.txnhost) -m beg -i ombi
    	acl			grocy_acl	var(txn.txnhost) -m beg -i grocy
    	acl			sabnzbd_acl	var(txn.txnhost) -m beg -i sabnzbd
    	acl			portainer_acl	var(txn.txnhost) -m beg -i portainer
    	acl			unifi_acl	var(txn.txnhost) -m beg -i unifi
    	acl			plex_acl	var(txn.txnhost) -m beg -i pms
    	acl			tautulli_acl	var(txn.txnhost) -m beg -i tautulli
    	acl			lazylibrarian_acl	var(txn.txnhost) -m beg -i lazylibrarian
    	# The ACLs above read txn.txnhost, which is populated here from the
    	# Host header. The ordering is fine: http-request rules run before the
    	# use_backend rules that evaluate the ACLs.
    	http-request set-var(txn.txnhost) hdr(host)
    	# First matching rule wins. A Host that matches none of the ACLs falls
    	# through with no default_backend, so HAProxy answers with a 503 rather
    	# than proxying anywhere.
    	use_backend teedy_ipvANY  if  teedy_acl 
    	use_backend heimdall_ipvANY  if  heimdall_acl 
    	use_backend sonarr_ipvANY  if  sonarr_acl 
    	use_backend radarr_ipvANY  if  radarr_acl 
    	use_backend ombi_ipvANY  if  ombi_acl 
    	use_backend grocy_ipvANY  if  grocy_acl 
    	use_backend sabnzbd_ipvANY  if  sabnzbd_acl 
    	use_backend portainer_ipvANY  if  portainer_acl 
    	use_backend unifi_ipvANY  if  unifi_acl 
    	use_backend plex_ipvANY  if  plex_acl 
    	use_backend tautulli_ipvANY  if  tautulli_acl 
    	use_backend lazylibrarian_ipvANY  if  lazylibrarian_acl 
    
    backend teedy_ipvANY
    	# Teedy on the Docker host. TLS is terminated at the frontend; traffic
    	# to the backend is plain HTTP on the internal network.
    	mode			http
    	id			100
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			teedy 10.0.20.60:8280 id 101 check inter 1000  
    
    backend heimdall_ipvANY
    	# Heimdall dashboard on the Docker host, plain HTTP behind the TLS
    	# frontend.
    	mode			http
    	id			103
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			heimdall 10.0.20.60:80 id 101 check inter 1000  
    
    backend sonarr_ipvANY
    	# Sonarr on the Docker host, plain HTTP behind the TLS frontend.
    	mode			http
    	id			105
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			sonarr 10.0.20.60:8989 id 101 check inter 1000  
    
    backend radarr_ipvANY
    	# Radarr on the Docker host, plain HTTP behind the TLS frontend.
    	mode			http
    	id			106
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			radarr 10.0.20.60:7878 id 101 check inter 1000  
    
    backend ombi_ipvANY
    	# Ombi on the Docker host, plain HTTP behind the TLS frontend.
    	mode			http
    	id			107
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			ombi 10.0.20.60:3579 id 101 check inter 1000  
    
    backend grocy_ipvANY
    	# Grocy on the Docker host, plain HTTP behind the TLS frontend.
    	mode			http
    	id			108
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			grocy 10.0.20.60:9283 id 101 check inter 1000  
    
    backend sabnzbd_ipvANY
    	# SABnzbd on the Docker host, plain HTTP behind the TLS frontend.
    	mode			http
    	id			110
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			sabnzbd 10.0.20.60:8080 id 101 check inter 1000  
    
    backend portainer_ipvANY
    	# Portainer (Docker management UI) on the Docker host, plain HTTP behind
    	# the TLS frontend. This one controls the container host, so it is the
    	# most sensitive target behind the loose prefix-match routing ACLs.
    	mode			http
    	id			111
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			portainer 10.0.20.60:9000 id 101 check inter 1000  
    
    backend unifi_ipvANY
    	# UniFi controller on a separate host, reached over HTTPS (8443).
    	# 'verify none' means the controller's certificate is NOT validated, so
    	# a host able to impersonate 10.0.20.20 on the internal network could
    	# intercept controller admin sessions. Prefer
    	# 'verify required ca-file <controller cert or CA>' — UniFi typically
    	# ships a self-signed certificate, so pinning it is the practical
    	# option; TODO confirm the certificate path on this pfSense box.
    	mode			http
    	id			112
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms over TLS.
    	server			unifi 10.0.20.20:8443 id 101 ssl check inter 1000  verify none 
    
    backend plex_ipvANY
    	# Plex Media Server on the Docker host (routed by the "pms" Host
    	# prefix), plain HTTP behind the TLS frontend.
    	mode			http
    	id			104
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			plex 10.0.20.60:32400 id 109 check inter 1000  
    
    backend tautulli_ipvANY
    	# Tautulli on the Docker host, plain HTTP behind the TLS frontend.
    	# Structurally identical to the working backends (same host, different
    	# port), so the certificate/port symptom described above is unlikely to
    	# originate in this backend definition.
    	mode			http
    	id			102
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			tautulli 10.0.20.60:8181 id 113 check inter 1000  
    
    backend lazylibrarian_ipvANY
    	# LazyLibrarian on the Docker host, plain HTTP behind the TLS frontend.
    	# Structurally identical to the working backends (same host, different
    	# port), so the certificate/port symptom described above is unlikely to
    	# originate in this backend definition.
    	mode			http
    	id			114
    	log			global
    	# Timeouts in milliseconds; up to 3 connection retries.
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# Health-checked every 1000 ms.
    	server			lazylibrarian 10.0.20.60:5299 id 115 check inter 1000  
    

    Any idea why these two are causing me a problem?

    Thanks


  • I've managed to fix this now. It was either a stale DNS cache or something cached for the root URL only, since requesting a path below the root (e.g. https://lazylibrarian.mydomain.com/books and https://tautulli.mydomain.com/home) worked.


  • @custardduck22
    A common cause of issues like this is the port-80 redirect that pfSense runs for its webGUI: if a plain 'http' request is made instead of 'https' (the HAProxy frontend above only binds 10.0.60.20:443), the pfSense webGUI redirect answers it, and the browser can cache that redirect to the management port. The redirect can be disabled under System > Advanced (the 'WebGUI redirect' option). Anyhow, good that you've already got it fixed.