HA proxy pass though /.well-known/acme-challenge


  • Hi
    Currently trying to renew lets encrypt for a server though HAproxy, i ran a dry run when i disable HA proxy and it works, so i know the issue is with HA proxy.
    What it seems is that Letsencrypt needs to access

     "GET /.well-known/acme-challenge/rv-0FeHbr4dX9EoBPfhxqTvdIYR0wkyi2oDte7URGh4 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    
    

    i tried adding on the shared fronted
    bca2a758-33f3-46a6-8bcd-d5eb5d421c9f-image.png

    this is my config

    not sure what im missing

    # Automaticaly generated, dont edit manually.
    # Generated on: 2021-01-09 16:49
    global
    	maxconn			500
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend SharedFrontend-merged
    	bind			200.116.xx.xx:443 name 200.116.xx.xx:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
    	tcp-request inspect-delay	5s
    	acl			cloud	req.ssl_sni -i cloud.domain.com
    	acl			web	req.ssl_sni -i domain.com
    	acl			inventory	req.ssl_sni -i inventory.domain.com
    	acl			ng	req.ssl_sni -i ng.domain.com
    	acl			gitlab	req.ssl_sni -i gitlab.domain.com
    	acl			remote	req.ssl_sni -i remote.domain.com
    	acl			monitor	req.ssl_sni -i monitor.domain.com
    	acl			mail	req.ssl_sni -i mail.domain.com.co
    	acl			crm	req.ssl_sni -i crm.domain.com
    	acl			chat	req.ssl_sni -i chat.domain.com
    	acl			office	req.ssl_sni -i onlyoffice.domain.com
    	acl			task	req.ssl_sni -i task.domain.com
    	tcp-request content accept if { req.ssl_hello_type 1 }
    	use_backend Backend2_ipv4  if  cloud 
    	use_backend Backend1_ipv4  if  web 
    	use_backend Backend9_ipv4  if  inventory 
    	use_backend Backend10_ipv4  if  ng 
    	use_backend Backend13_ipvANY  if  gitlab 
    	use_backend Backend14_ipv4  if  remote 
    	use_backend Backend17_ipvANY  if  monitor 
    	use_backend Backend18_ipv4  if  mail 
    	use_backend Backend7_ipvANY  if  crm 
    	use_backend Backend19_ipv4  if  chat 
    	use_backend Backend20_ipv4  if  office 
    	use_backend Backend21_ipv4  if  task 
    
    frontend HTTPTOHTTPS
    	bind			200.116.xx.xx:80 name 200.116.xx.xx:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	tcp-request connection set-src str(192.168.3.254) if { src 192.168.3.0/24 }
    	acl			cloud	var(txn.txnhost) -m str -i cloud.domain.com
    	acl			web	var(txn.txnhost) -m str -i domain.com
    	acl			web2	var(txn.txnhost) -m beg -i www
    	acl			inventory	var(txn.txnhost) -m str -i inventory.domain.com
    	acl			ng	var(txn.txnhost) -m str -i ng.domain.com
    	acl			gitlab	var(txn.txnhost) -m str -i gitlab.domain.com
    	acl			remote	var(txn.txnhost) -m str -i remote.domain.com
    	acl			contable	var(txn.txnhost) -m str -i contable.domain.com
    	acl			home	var(txn.txnhost) -m str -i home.domain.com
    	acl			monitor	var(txn.txnhost) -m str -i monitor.domain.com
    	acl			mail	var(txn.txnhost) -m str -i mail.domain.com.co
    	acl			crm	var(txn.txnhost) -m str -i crm.domain.com
    	acl			chat	var(txn.txnhost) -m str -i chat.domain.com
    	acl			office	var(txn.txnhost) -m str -i onlyoffice.domain.com
    	acl			task	var(txn.txnhost) -m str -i task.domain.com
    	acl			acme	var(txn.txnpath) -m beg -i /.well-known/acme-challenge
    	http-request set-var(txn.txnhost) hdr(host)
    	http-request set-var(txn.txnpath) path
    	http-request redirect scheme https  if  cloud 
    	http-request redirect scheme https  if  web 
    	http-request redirect prefix https://domain.com  if  web2 
    	http-request redirect scheme https  if  mail 
    	http-request redirect scheme https  if  inventory 
    	http-request redirect scheme https  if  ng 
    	http-request redirect scheme https  if  gitlab 
    	http-request redirect scheme https  if  remote 
    	http-request redirect scheme https  if  contable 
    	http-request redirect scheme https  if  home 
    	http-request redirect scheme https  if  monitor 
    	http-request redirect scheme https  if  crm 
    	http-request redirect scheme https  if  chat 
    	http-request redirect scheme https  if  office 
    	http-request redirect scheme https  if  task 
    	http-request redirect scheme https  if  !acme 
    
    
    backend Backend2_ipv4
    	mode			tcp
    	id			10103
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			cloud 192.168.3.244:443 id 10104 check inter 1000  
    
    backend Backend1_ipv4
    	mode			tcp
    	id			10101
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			website 192.168.3.201:443 id 10102 check inter 1000  
    
    backend Backend9_ipv4
    	mode			tcp
    	id			10100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			inventory 192.168.3.223:443 id 10104 check inter 1000  
    
    backend Backend10_ipv4
    	mode			tcp
    	id			10117
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			ng 192.168.3.222:443 id 10104 check inter 1000  
    
    backend Backend13_ipvANY
    	mode			tcp
    	id			120
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			gitlab 192.168.3.121:443 id 104 check inter 1000  
    
    backend Backend14_ipv4
    	mode			tcp
    	id			10121
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			remote 192.168.3.245:443 id 10104 check inter 1000  
    
    backend Backend17_ipvANY
    	mode			tcp
    	id			124
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			monitor 192.168.3.132:443 id 104 check inter 1000  
    
    backend Backend18_ipv4
    	mode			tcp
    	id			10105
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			mail 192.168.3.140:443 id 10104 check inter 1000  
    
    backend Backend7_ipvANY
    	mode			tcp
    	id			113
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			crm 192.168.3.155:443 id 114 check inter 1000  
    
    backend Backend19_ipv4
    	mode			tcp
    	id			10106
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			chat 192.168.3.201:443 id 10104 check inter 1000  
    
    backend Backend20_ipv4
    	mode			tcp
    	id			10107
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			office 192.168.3.253:443 id 10104 check inter 1000  
    
    backend Backend21_ipv4
    	mode			tcp
    	id			10108
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			task 192.168.3.248:443 id 10104 check inter 1000  
    
    

    Thank you

  • LAYER 8

    @killmasta93
    are you using the acme package for pfsense or certbot on your server?
    I can be wrong but /.well-known/acme-challenge should be waiting on port 80 not 443


  • @kiokoman thanks for the reply certbot on the server ubuntu 18.04 i prefer not use the firewall to hold my SSL as i tried before and had a few issue on some platforms
    so my question how i can pass the HTTP request for /.well-known/acme-challenge though HA proxy so it can go to the server?