HAProxy with ACME wildcard inconsistencies
-
I'm using haproxy-devel (2.0.14) with acme (0.6.6) and a wildcard certificate on pfSense (2.4.5). This is set up to provide an internal-only reverse proxy to a bunch of services running on VMs/docker.
Everything is working great with the exception of two of the docker services (tautulli & lazylibrarian), which return a NET::ERR_CERT_COMMON_NAME_INVALID error and point back to the pfSense management port (8888) and the pfSense SSL cert rather than the ACME one. All addresses point to a single virtual IP (10.0.60.20).
# Automaticaly generated, dont edit manually.
# Generated on: 2020-04-05 07:03
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend shared_frontend-merged
    bind 10.0.60.20:443 name 10.0.60.20:443 ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl aclcrt_shared_frontend var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomainname\.com(:([0-9]){1,5})?$
    acl teedy_acl var(txn.txnhost) -m beg -i teedy
    acl heimdall_acl var(txn.txnhost) -m beg -i heimdall
    acl sonarr_acl var(txn.txnhost) -m beg -i sonarr
    acl radarr_acl var(txn.txnhost) -m beg -i radarr
    acl ombi_acl var(txn.txnhost) -m beg -i ombi
    acl grocy_acl var(txn.txnhost) -m beg -i grocy
    acl sabnzbd_acl var(txn.txnhost) -m beg -i sabnzbd
    acl portainer_acl var(txn.txnhost) -m beg -i portainer
    acl unifi_acl var(txn.txnhost) -m beg -i unifi
    acl plex_acl var(txn.txnhost) -m beg -i pms
    acl tautulli_acl var(txn.txnhost) -m beg -i tautulli
    acl lazylibrarian_acl var(txn.txnhost) -m beg -i lazylibrarian
    http-request set-var(txn.txnhost) hdr(host)
    use_backend teedy_ipvANY if teedy_acl
    use_backend heimdall_ipvANY if heimdall_acl
    use_backend sonarr_ipvANY if sonarr_acl
    use_backend radarr_ipvANY if radarr_acl
    use_backend ombi_ipvANY if ombi_acl
    use_backend grocy_ipvANY if grocy_acl
    use_backend sabnzbd_ipvANY if sabnzbd_acl
    use_backend portainer_ipvANY if portainer_acl
    use_backend unifi_ipvANY if unifi_acl
    use_backend plex_ipvANY if plex_acl
    use_backend tautulli_ipvANY if tautulli_acl
    use_backend lazylibrarian_ipvANY if lazylibrarian_acl

backend teedy_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server teedy 10.0.20.60:8280 id 101 check inter 1000

backend heimdall_ipvANY
    mode http
    id 103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server heimdall 10.0.20.60:80 id 101 check inter 1000

backend sonarr_ipvANY
    mode http
    id 105
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server sonarr 10.0.20.60:8989 id 101 check inter 1000

backend radarr_ipvANY
    mode http
    id 106
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server radarr 10.0.20.60:7878 id 101 check inter 1000

backend ombi_ipvANY
    mode http
    id 107
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server ombi 10.0.20.60:3579 id 101 check inter 1000

backend grocy_ipvANY
    mode http
    id 108
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server grocy 10.0.20.60:9283 id 101 check inter 1000

backend sabnzbd_ipvANY
    mode http
    id 110
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server sabnzbd 10.0.20.60:8080 id 101 check inter 1000

backend portainer_ipvANY
    mode http
    id 111
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server portainer 10.0.20.60:9000 id 101 check inter 1000

backend unifi_ipvANY
    mode http
    id 112
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server unifi 10.0.20.20:8443 id 101 ssl check inter 1000 verify none

backend plex_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server plex 10.0.20.60:32400 id 109 check inter 1000

backend tautulli_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server tautulli 10.0.20.60:8181 id 113 check inter 1000

backend lazylibrarian_ipvANY
    mode http
    id 114
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server lazylibrarian 10.0.20.60:5299 id 115 check inter 1000
Any idea why these two are causing me a problem?
Thanks
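As an added diagnostic (not from the thread, pfSense or HAProxy), the script below connects to the shared VIP with SNI set to each hostname, checks whether the presented certificate's SAN list covers that name the way a browser would (wildcard covers exactly one label, CN is ignored), and shows what a plain-http request to the VIP redirects to. The VIP and the placeholder domain mydomainname.com are taken from the posted config; the hostname list is constructed.

```python
import http.client
import socket
import ssl

# Constructed for this example: VIP and placeholder domain from the posted config.
VIP = "10.0.60.20"
HOSTS = ["sonarr.mydomainname.com", "tautulli.mydomainname.com",
         "lazylibrarian.mydomainname.com"]

def name_matches(hostname, pattern):
    """RFC 6125 style match: '*' covers exactly one leftmost label, so
    '*.mydomainname.com' matches 'tautulli.mydomainname.com' but neither
    'mydomainname.com' nor 'a.b.mydomainname.com'."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not p.startswith("*."):
        return h == p
    hl, pl = h.split("."), p.split(".")
    return len(hl) == len(pl) and hl[0] != "" and hl[1:] == pl[1:]

def cert_covers(hostname, cert):
    """Browsers only consult subjectAltName DNS entries, so a CN-only
    self-signed GUI certificate never covers a wildcard hostname."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(hostname, s) for s in sans)

def fetch_cert(vip, hostname, port=443):
    """Handshake to the VIP with SNI=hostname. check_hostname is off so a name
    mismatch is reported by cert_covers() instead of raised; chain validation
    stays on, so an untrusted cert raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((vip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def http_redirect_target(vip, hostname):
    """Location header returned for a plain-http request to the VIP, if any;
    a reply pointing at port 8888 would be the firewall GUI redirect."""
    conn = http.client.HTTPConnection(vip, 80, timeout=5)
    conn.request("GET", "/", headers={"Host": hostname})
    location = conn.getresponse().getheader("Location")
    conn.close()
    return location

if __name__ == "__main__":
    for host in HOSTS:
        try:
            cert = fetch_cert(VIP, host)
            state = "OK" if cert_covers(host, cert) else "NAME MISMATCH"
            print(host, state, cert.get("subjectAltName"))
        except ssl.SSLCertVerificationError as e:
            print(host, "UNTRUSTED CERT:", e.verify_message)
        except OSError as e:
            print(host, "failed:", e)
```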
-
I've managed to fix this now - it was either an issue with the DNS cache or expanding the URL beyond the root directory, e.g. https://lazylibrarian.mydomain.com/books and https://tautulli.mydomain.com/home
-
@custardduck22
A common 'issue' like this is also the port :80 redirect that pfSense has: if for some reason an 'http' request is done instead of 'https', the pfSense webgui redirect could get cached by a browser (that redirect can be disabled in 'System / Advanced settings'). Anyhow, good you've already got it fixed.