HA proxy pass though /.well-known/acme-challenge

killmasta93

Hi
Currently trying to renew lets encrypt for a server though HAproxy, i ran a dry run when i disable HA proxy and it works, so i know the issue is with HA proxy.
What it seems is that Letsencrypt needs to access

 "GET /.well-known/acme-challenge/rv-0FeHbr4dX9EoBPfhxqTvdIYR0wkyi2oDte7URGh4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

i tried adding on the shared fronted

this is my config

not sure what im missing

# Automaticaly generated, dont edit manually.
# Generated on: 2021-01-09 16:49
global
	maxconn			500
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend SharedFrontend-merged
	bind			200.116.xx.xx:443 name 200.116.xx.xx:443   
	mode			tcp
	log			global
	timeout client		30000
	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
	tcp-request inspect-delay	5s
	acl			cloud	req.ssl_sni -i cloud.domain.com
	acl			web	req.ssl_sni -i domain.com
	acl			inventory	req.ssl_sni -i inventory.domain.com
	acl			ng	req.ssl_sni -i ng.domain.com
	acl			gitlab	req.ssl_sni -i gitlab.domain.com
	acl			remote	req.ssl_sni -i remote.domain.com
	acl			monitor	req.ssl_sni -i monitor.domain.com
	acl			mail	req.ssl_sni -i mail.domain.com.co
	acl			crm	req.ssl_sni -i crm.domain.com
	acl			chat	req.ssl_sni -i chat.domain.com
	acl			office	req.ssl_sni -i onlyoffice.domain.com
	acl			task	req.ssl_sni -i task.domain.com
	tcp-request content accept if { req.ssl_hello_type 1 }
	use_backend Backend2_ipv4  if  cloud 
	use_backend Backend1_ipv4  if  web 
	use_backend Backend9_ipv4  if  inventory 
	use_backend Backend10_ipv4  if  ng 
	use_backend Backend13_ipvANY  if  gitlab 
	use_backend Backend14_ipv4  if  remote 
	use_backend Backend17_ipvANY  if  monitor 
	use_backend Backend18_ipv4  if  mail 
	use_backend Backend7_ipvANY  if  crm 
	use_backend Backend19_ipv4  if  chat 
	use_backend Backend20_ipv4  if  office 
	use_backend Backend21_ipv4  if  task 

frontend HTTPTOHTTPS
	bind			200.116.xx.xx:80 name 200.116.xx.xx:80   
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
	acl			cloud	var(txn.txnhost) -m str -i cloud.domain.com
	acl			web	var(txn.txnhost) -m str -i domain.com
	acl			web2	var(txn.txnhost) -m beg -i www
	acl			inventory	var(txn.txnhost) -m str -i inventory.domain.com
	acl			ng	var(txn.txnhost) -m str -i ng.domain.com
	acl			gitlab	var(txn.txnhost) -m str -i gitlab.domain.com
	acl			remote	var(txn.txnhost) -m str -i remote.domain.com
	acl			contable	var(txn.txnhost) -m str -i contable.domain.com
	acl			home	var(txn.txnhost) -m str -i home.domain.com
	acl			monitor	var(txn.txnhost) -m str -i monitor.domain.com
	acl			mail	var(txn.txnhost) -m str -i mail.domain.com.co
	acl			crm	var(txn.txnhost) -m str -i crm.domain.com
	acl			chat	var(txn.txnhost) -m str -i chat.domain.com
	acl			office	var(txn.txnhost) -m str -i onlyoffice.domain.com
	acl			task	var(txn.txnhost) -m str -i task.domain.com
	acl			acme	var(txn.txnpath) -m beg -i /.well-known/acme-challenge
	http-request set-var(txn.txnhost) hdr(host)
	http-request set-var(txn.txnpath) path
	http-request redirect scheme https  if  cloud 
	http-request redirect scheme https  if  web 
	http-request redirect prefix https://domain.com  if  web2 
	http-request redirect scheme https  if  mail 
	http-request redirect scheme https  if  inventory 
	http-request redirect scheme https  if  ng 
	http-request redirect scheme https  if  gitlab 
	http-request redirect scheme https  if  remote 
	http-request redirect scheme https  if  contable 
	http-request redirect scheme https  if  home 
	http-request redirect scheme https  if  monitor 
	http-request redirect scheme https  if  crm 
	http-request redirect scheme https  if  chat 
	http-request redirect scheme https  if  office 
	http-request redirect scheme https  if  task 
	http-request redirect scheme https  if  !acme 


backend Backend2_ipv4
	mode			tcp
	id			10103
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			cloud 192.168.3.244:443 id 10104 check inter 1000  

backend Backend1_ipv4
	mode			tcp
	id			10101
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			website 192.168.3.201:443 id 10102 check inter 1000  

backend Backend9_ipv4
	mode			tcp
	id			10100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			inventory 192.168.3.223:443 id 10104 check inter 1000  

backend Backend10_ipv4
	mode			tcp
	id			10117
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			ng 192.168.3.222:443 id 10104 check inter 1000  

backend Backend13_ipvANY
	mode			tcp
	id			120
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			gitlab 192.168.3.121:443 id 104 check inter 1000  

backend Backend14_ipv4
	mode			tcp
	id			10121
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			remote 192.168.3.245:443 id 10104 check inter 1000  

backend Backend17_ipvANY
	mode			tcp
	id			124
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			monitor 192.168.3.132:443 id 104 check inter 1000  

backend Backend18_ipv4
	mode			tcp
	id			10105
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			mail 192.168.3.140:443 id 10104 check inter 1000  

backend Backend7_ipvANY
	mode			tcp
	id			113
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			crm 192.168.3.155:443 id 114 check inter 1000  

backend Backend19_ipv4
	mode			tcp
	id			10106
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			chat 192.168.3.201:443 id 10104 check inter 1000  

backend Backend20_ipv4
	mode			tcp
	id			10107
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			office 192.168.3.253:443 id 10104 check inter 1000  

backend Backend21_ipv4
	mode			tcp
	id			10108
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	server			task 192.168.3.248:443 id 10104 check inter 1000  

Thank you

kiokoman

@killmasta93
are you using the acme package for pfsense or certbot on your server?
I can be wrong but /.well-known/acme-challenge should be waiting on port 80 not 443

killmasta93

@kiokoman thanks for the reply certbot on the server ubuntu 18.04 i prefer not use the firewall to hold my SSL as i tried before and had a few issue on some platforms
so my question how i can pass the HTTP request for /.well-known/acme-challenge though HA proxy so it can go to the server?