  • Hi Forum
    I'm struggling a bit with HAProxy and am in need of some advice.

    For my testing setup I have a domain insa.dk
    For making the test I have several subdomains
    fubar.insa.dk
    qlik.insa.dk
    www.insa.dk

    Actually those work pretty well, BUT when only typing the name insa.dk it fails, though I thought it should default back.
    So how can I make insa.dk work through HAProxy also, so it shows the same webpage without a certificate error?

    Is this when I create the certificate, that I need it to answer for both www.insa.dk and insa.dk, or is it through regex statements, and then my question would be how to create these?
    I've now been struggling with this little issue for some days.

    But all subdomains of the domain insa.dk are working fine, just missing the last part of the puzzle.
    Thanks in advance


  • @Peque said in HAproxy - the right way:

    So how can I make insa.dk work through the HAproxy also - so it'll show the same webpage without certificate error

    The certificate must be 'valid' for the hostname the browser is visiting. So you need a certificate that is (also) valid for 'insa.dk'. Any redirect or other http-layer tricks you might want to try will only happen after the SSL connection has successfully been made and verified. So to avoid a certificate error there is usually only one solution: use a valid cert (or create one and add your own CA to every client that needs to use the site, which makes the cert valid again for those clients).


  • @PiBa

    First of all, thanks for the reply.
    That was also my knowledge regarding these certificates.
    But what I do not get is why I can create certificates for XXX.insa.dk, but each time I'm trying to issue a cert for insa.dk the issuing of the certificate fails.

    insa.dk is also an A record, like the other valid domain names, so I guess the problem is more than recreating a valid certificate.
    When trying to issue a certificate for insa.dk I'm getting this error:

    challenge_response_put insa, insa.dk
    FOUND domainitemwebroot
    put token at: /usr/local/www/.well-known/acme-challenge//0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM
    [Wed Dec  2 05:45:36 UTC 2020] Found domain http api file: /tmp/acme/insa//httpapi/pfSenseacme.sh
    [Wed Dec  2 05:45:35 UTC 2020] insa.dk:Verify error:Invalid response from https://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM [31.3.72.101]: 503
    [Wed Dec  2 05:45:36 UTC 2020] Please check log file for more details: /tmp/acme/insa/acme_issuecert.log
    

    Looking through the logfile on the pfSense I'm getting these logs:

    [Wed Dec  2 05:45:37 UTC 2020] _postContentType='application/jose+json'
    [Wed Dec  2 05:45:37 UTC 2020] Http already initialized.
    [Wed Dec  2 05:45:37 UTC 2020] _CURL='curl -L --silent --dump-header /tmp/acme/insa//http.header  -g '
    [Wed Dec  2 05:45:38 UTC 2020] _ret='0'
    [Wed Dec  2 05:45:38 UTC 2020] responseHeaders='HTTP/2 400
    server: nginx
    date: Wed, 02 Dec 2020 05:45:38 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 104570941
    cache-control: public, max-age=0, no-cache
    link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: 0004HRtYyc8tihJvXkURMnIPlzXK3onSs4r27mjxBPZQ0Zc
    '
    [Wed Dec  2 05:45:38 UTC 2020] code='400'
    [Wed Dec  2 05:45:38 UTC 2020] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Wed Dec  2 05:45:38 UTC 2020] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    

    And that is the only error, but I do not get it while other domains are smoothly issuing the certificate. At the provider they are shown as:
    fubar.insa.dk 31.3.72.101 600
    insa.dk 31.3.72.101 600
    localhost.insa.dk 127.0.0.1 43200
    pfsense.insa.dk 31.3.72.101 600
    qlik.insa.dk 31.3.72.101 600
    www.insa.dk 31.3.72.101 600

    Only 2 of those names will not issue the certificate, that's www.insa.dk and insa.dk, and I cannot get why they won't issue a certificate.


  • @Peque said in HAproxy - the right way:

    [Wed Dec 2 05:45:35 UTC 2020] insa.dk:Verify error:Invalid response from https://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM [31.3.72.101]: 503

    When I try to visit your website 'https://insa.dk/' I too get a 503 error shown in my browser. Same as the error above. Despite the 'wrong' certificate and clicking through the warnings, that should not happen imho. How is haproxy.cfg configured? Perhaps you've enabled the automated SNI ACLs for the frontend/certificate, which might interfere (disable those checkboxes?).


  • @PiBa - the problem is that I cannot get the verification for this domain insa.dk.
    No issues with fubar.insa.dk or qlik.insa.dk, but I cannot issue the certificate for insa.dk/www.insa.dk, so I cannot make a backend or any rules without that certificate for the domains.

    At this moment there's no configuration for insa.dk, since I need the certificate for creating this backend that will answer for this.
    If you check fubar.insa.dk, no issue with that site (this is a little test setup for getting HAProxy tested).
    But in our live environment (HAProxy is not implemented there) I have 3 domains that should answer with and without the www. in front.

    If I can get a certificate for insa.dk and www.insa.dk, I think I can manage to configure this, but I cannot figure out WHY I cannot issue those certificates.


  • @Peque
    Well, when I request http://insa.dk it redirects to https://insa.dk. This also happens for the Let's Encrypt servers that try to validate the http-01 acme-challenge. So you must make sure that the URL those servers try to visit produces the correct challenge file response. To make that happen you should make it so that the request to "http://insa.dk/.well-known/acme-challenge/0MYNq36gVQ7gr2clr5i6dWeZO1LG3r7mgsyM3_KWjrM" is either NOT redirected to https but served by the acme client, or that the https one is handled in such a way that even with a wrong certificate it does produce the correct response. That should be possible even while using a 'wrong' temporary certificate. The 503 I can see is a 'http' response, so why not check the hostname and path requested and forward that to the acme client webserver?
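The routing PiBa describes above, written out as a minimal haproxy.cfg. This is an added example, not configuration from the thread or from the pfSense HAProxy package: it assumes the acme client drops tokens into /usr/local/www/.well-known/acme-challenge/ (as the log above shows) and that a local web server serves that directory on 127.0.0.1:8080, that the Rails site sits on 10.0.0.10:3000, and that the combined cert/key PEM lives at /etc/haproxy/certs/insa.dk.pem. All four values are placeholders. The point is the ordering: the ACME path is matched before the redirect and before any host-based rule, so the http-01 request never meets the 301 or the 503, and the same rule on the https frontend covers the case where the validator follows the redirect and tolerates the wrong temporary certificate.

```haproxy
# Added example, not from the original thread.
# Placeholder addresses/paths: 127.0.0.1:8080 (local server for the ACME
# webroot), 10.0.0.10:3000 (Rails app), /etc/haproxy/certs/insa.dk.pem.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind *:80
    # Any host, any token: http-01 challenges are matched on path only.
    acl is_acme path_beg /.well-known/acme-challenge/
    # http-request rules run before use_backend, so the redirect must
    # explicitly exclude the challenge path or the validator gets a 301.
    http-request redirect scheme https code 301 unless is_acme
    use_backend be_acme if is_acme

frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/insa.dk.pem
    # Serve challenges here as well: if a redirect to https is ever hit,
    # Let's Encrypt follows it and ignores the (still wrong) certificate,
    # but it must still get the token back, not a 503.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend be_acme if is_acme
    # Both the bare domain and www go to the same backend.
    acl host_insa req.hdr(host) -i insa.dk www.insa.dk
    use_backend be_insa if host_insa
    # No matching host: a defined backend is still needed, otherwise
    # HAProxy answers 503 (the response seen in the thread).
    default_backend be_insa

backend be_acme
    server acme_local 127.0.0.1:8080

backend be_insa
    server rails 10.0.0.10:3000 check
```

Check the file with `haproxy -c -f haproxy.cfg` before loading it, and confirm the challenge path with `curl -sI http://insa.dk/.well-known/acme-challenge/test` (without `-L`): it should return a response from the ACME backend, not a 301 or 503. After issuance, `openssl x509 -in insa.dk.pem -noout -ext subjectAltName` should list both DNS:insa.dk and DNS:www.insa.dk, which is what makes the browser accept both names with one certificate.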


  • @piba
    So basically I should delete my frontend UNTIL all certificates are issued?
    But I do not get that point, since I have created pfsense.insa.dk (with the backend running, and also created fubar.insa.dk) and this certificate issue does not have a problem.
    But issuing only for insa.dk gives the problem, just like www.insa.dk does.

    The reason we would like to use pfSense as the frontend (certificate holder etc.) is that our normal website is running on an old version of Ruby on Rails and cannot be upgraded unless we rewrite the entire website, so for protecting the website the best way for now is getting pfSense to act as HAProxy.

    But I do not get why insa.dk/www.insa.dk have an error 503 while fubar.insa.dk is issued really smoothly and as expected! My guess is that if I can get the right certificate for www.insa.dk and insa.dk I do not have an issue, but getting the certificate seems to be my main issue.


  • @Piba
    So the actual solution was stopping HAProxy, issuing the missing certificates, then creating the frontends and starting HAProxy again.

    So the proxy is answering for both insa.dk and www.insa.dk.

    Thanks for the replies and solutions