Netgate Discussion Forum
    HAProxy with ACME wildcard inconsistencies

    Category: Cache/Proxy (3 posts, 2 posters, 775 views)
    custardduck22 wrote:

      I'm using haproxy-devel (2.0.14) with acme (0.6.6) and a wildcard certificate on pfSense (2.4.5). This is set up to provide an internal-only reverse proxy to a bunch of services running on VMs/docker.

      Everything is working great with the exception of two of the docker services (tautulli & lazylibrarian), which return a NET::ERR_CERT_COMMON_NAME_INVALID error and point back to the pfSense mgmt port (8888) and the pfSense SSL cert rather than the ACME one. All addresses point to a single virtual IP (10.0.60.20).

      # Automatically generated, don't edit manually.
      # Generated on: 2020-04-05 07:03
      global
      	maxconn			1000
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	uid			80
      	gid			80
      	nbproc			1
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	2048
      	server-state-file /tmp/haproxy_server_state
      
      listen HAProxyLocalStats
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	stats admin if TRUE
      	stats show-legends
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend shared_frontend-merged
      	bind			10.0.60.20:443 name 10.0.60.20:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list  
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			aclcrt_shared_frontend	var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomainname\.com(:([0-9]){1,5})?$
      	acl			teedy_acl	var(txn.txnhost) -m beg -i teedy
      	acl			heimdall_acl	var(txn.txnhost) -m beg -i heimdall
      	acl			sonarr_acl	var(txn.txnhost) -m beg -i sonarr
      	acl			radarr_acl	var(txn.txnhost) -m beg -i radarr
      	acl			ombi_acl	var(txn.txnhost) -m beg -i ombi
      	acl			grocy_acl	var(txn.txnhost) -m beg -i grocy
      	acl			sabnzbd_acl	var(txn.txnhost) -m beg -i sabnzbd
      	acl			portainer_acl	var(txn.txnhost) -m beg -i portainer
      	acl			unifi_acl	var(txn.txnhost) -m beg -i unifi
      	acl			plex_acl	var(txn.txnhost) -m beg -i pms
      	acl			tautulli_acl	var(txn.txnhost) -m beg -i tautulli
      	acl			lazylibrarian_acl	var(txn.txnhost) -m beg -i lazylibrarian
      	http-request set-var(txn.txnhost) hdr(host)
      	use_backend teedy_ipvANY  if  teedy_acl 
      	use_backend heimdall_ipvANY  if  heimdall_acl 
      	use_backend sonarr_ipvANY  if  sonarr_acl 
      	use_backend radarr_ipvANY  if  radarr_acl 
      	use_backend ombi_ipvANY  if  ombi_acl 
      	use_backend grocy_ipvANY  if  grocy_acl 
      	use_backend sabnzbd_ipvANY  if  sabnzbd_acl 
      	use_backend portainer_ipvANY  if  portainer_acl 
      	use_backend unifi_ipvANY  if  unifi_acl 
      	use_backend plex_ipvANY  if  plex_acl 
      	use_backend tautulli_ipvANY  if  tautulli_acl 
      	use_backend lazylibrarian_ipvANY  if  lazylibrarian_acl 
      
      backend teedy_ipvANY
      	mode			http
      	id			100
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			teedy 10.0.20.60:8280 id 101 check inter 1000  
      
      backend heimdall_ipvANY
      	mode			http
      	id			103
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			heimdall 10.0.20.60:80 id 101 check inter 1000  
      
      backend sonarr_ipvANY
      	mode			http
      	id			105
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			sonarr 10.0.20.60:8989 id 101 check inter 1000  
      
      backend radarr_ipvANY
      	mode			http
      	id			106
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			radarr 10.0.20.60:7878 id 101 check inter 1000  
      
      backend ombi_ipvANY
      	mode			http
      	id			107
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			ombi 10.0.20.60:3579 id 101 check inter 1000  
      
      backend grocy_ipvANY
      	mode			http
      	id			108
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			grocy 10.0.20.60:9283 id 101 check inter 1000  
      
      backend sabnzbd_ipvANY
      	mode			http
      	id			110
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			sabnzbd 10.0.20.60:8080 id 101 check inter 1000  
      
      backend portainer_ipvANY
      	mode			http
      	id			111
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			portainer 10.0.20.60:9000 id 101 check inter 1000  
      
      backend unifi_ipvANY
      	mode			http
      	id			112
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	# "verify none": HAProxy does not validate the certificate this backend presents on 8443
      	server			unifi 10.0.20.20:8443 id 101 ssl check inter 1000  verify none 
      
      backend plex_ipvANY
      	mode			http
      	id			104
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			plex 10.0.20.60:32400 id 109 check inter 1000  
      
      backend tautulli_ipvANY
      	mode			http
      	id			102
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			tautulli 10.0.20.60:8181 id 113 check inter 1000  
      
      backend lazylibrarian_ipvANY
      	mode			http
      	id			114
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			lazylibrarian 10.0.20.60:5299 id 115 check inter 1000  
      

      Any idea why these two are causing me a problem?

      Thanks

      custardduck22 wrote (last edited by custardduck22):

        I've managed to fix this now - it was either an issue with the DNS cache or expanding the URL beyond the root directory, e.g. https://lazylibrarian.mydomain.com/books and https://tautulli.mydomain.com/home

        PiBa replied to custardduck22:

          @custardduck22
          A common 'issue' like this is also the port :80 redirect that pfSense has: if for some reason an 'http' request is made instead of 'https', the pfSense webGUI redirect can get cached by the browser (that redirect can be disabled under 'System / Advanced'). Anyhow, good that you've already got it fixed.

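The following is an added example, not code from the thread, from pfSense or from HAProxy. It pulls the three checks a practitioner would run against the symptom described in the first post and PiBa's explanation into one script: does the posted `use_backend` chain actually pick a backend for the Host header, does the certificate presented for that SNI name cover it under wildcard rules, and does plain-HTTP port 80 for that name answer with a permanent redirect to some other host:port (the pfSense webGUI on 8888) that a browser will cache. The hostnames, SAN lists and HTTP responses in the block are constructed sample data standing in for the poster's environment; the domain `mydomainname.com` is the placeholder from the posted config.

```python
import re
from urllib.parse import urlsplit

# Backend routing as the posted frontend does it: `-m beg -i <prefix>` on the
# Host header, first matching use_backend wins, no default_backend.
BACKEND_PREFIXES = [
    ("teedy", "teedy_ipvANY"), ("heimdall", "heimdall_ipvANY"),
    ("sonarr", "sonarr_ipvANY"), ("radarr", "radarr_ipvANY"),
    ("ombi", "ombi_ipvANY"), ("grocy", "grocy_ipvANY"),
    ("sabnzbd", "sabnzbd_ipvANY"), ("portainer", "portainer_ipvANY"),
    ("unifi", "unifi_ipvANY"), ("pms", "plex_ipvANY"),
    ("tautulli", "tautulli_ipvANY"), ("lazylibrarian", "lazylibrarian_ipvANY"),
]

# The aclcrt_shared_frontend regex from the posted config; it is declared but
# never referenced by a use_backend there, so it does not affect routing.
WILDCARD_HOST_RE = re.compile(r"^([^.]*)\.mydomainname\.com(:([0-9]){1,5})?$", re.I)


def choose_backend(host_header):
    """Mimic the posted use_backend chain. Returns the backend name, or None
    (HAProxy would answer 503 because the frontend has no default_backend)."""
    h = host_header.lower()
    for prefix, backend in BACKEND_PREFIXES:
        if h.startswith(prefix):  # -m beg -i: case-insensitive prefix match
            return backend
    return None


def cert_covers_host(san_names, host):
    """RFC 6125-style matching: exact name, or a '*.' wildcard covering exactly
    one leftmost label (so *.example.com covers a.example.com but neither
    a.b.example.com nor example.com itself)."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".mydomainname.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
    return False


def cached_redirect_trap(status, headers, request_host, proxy_https_port=443):
    """Inspect the plain-HTTP (port 80) answer for a name. A 301/308 whose
    Location points anywhere other than https://<same host>:<proxy port> is
    the trap PiBa describes: browsers cache permanent redirects, so the client
    keeps going to the pfSense webGUI port even after the proxy side is fine."""
    if status not in (301, 308):
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return None
    u = urlsplit(location)
    target_host = (u.hostname or request_host).lower()
    target_port = u.port or (443 if u.scheme == "https" else 80)
    if u.scheme == "https" and target_host == request_host.lower() and target_port == proxy_https_port:
        return None  # the benign http -> https bounce to the same name
    return "permanent redirect to %s://%s:%d (browser will cache it)" % (u.scheme, target_host, target_port)


# Constructed sample data (not captured from the poster's network).
ACME_SANS = ["*.mydomainname.com", "mydomainname.com"]
PFSENSE_SANS = ["pfSense-webgui-selfsigned"]  # stand-in for the webGUI cert's only name
PORT80_REPLIES = {
    "tautulli.mydomainname.com": (301, {"Location": "https://tautulli.mydomainname.com:8888/"}),
    "sonarr.mydomainname.com": (301, {"Location": "https://sonarr.mydomainname.com/"}),
}


def diagnose(host, presented_sans, port80_reply):
    """Run all checks for one hostname and return the list of findings
    (empty list means everything lines up)."""
    findings = []
    if not WILDCARD_HOST_RE.match(host):
        findings.append("host is not under the wildcard zone")
    if choose_backend(host) is None:
        findings.append("no backend matches the Host header (HAProxy would 503)")
    if not cert_covers_host(presented_sans, host):
        findings.append("presented certificate does not cover the host")
    trap = cached_redirect_trap(port80_reply[0], port80_reply[1], host)
    if trap:
        findings.append(trap)
    return findings


if __name__ == "__main__":
    for name, sans in (("sonarr.mydomainname.com", ACME_SANS),
                       ("tautulli.mydomainname.com", PFSENSE_SANS)):
        print(name, "->", diagnose(name, sans, PORT80_REPLIES[name]) or "OK")
```

To feed it real data instead of the constructed samples, the SAN list comes from `openssl s_client -servername <host> -connect 10.0.60.20:443` followed by `openssl x509 -noout -ext subjectAltName`, and the port-80 reply from `curl -sI http://<host>/`. A clean result from `diagnose` on a name that still fails in the browser points at client-side state (a cached 301 or a stale DNS answer), which matches how this thread was resolved.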
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.