Netgate Discussion Forum

problem configuring HAproxy with subdomains

pfSense Packages
19 Posts 2 Posters 1.6k Views
    PiBa @bensz
    last edited by Jan 14, 2021, 10:02 PM

    @bensz
    Have you made a firewall rule on the WAN to allow TCP access from any to wanip:80?

      bensz
      last edited by Jan 14, 2021, 10:18 PM

      Is that correct, as I've done it?

      Capture d’écran du 2021-01-14 23-17-03.png

        PiBa @bensz
        last edited by Jan 14, 2021, 10:26 PM

        @bensz
        Yes

        Dolizelec Default Page
        It works!
        
          bensz
          last edited by Jan 14, 2021, 10:50 PM

          Thank you,
          I'll continue to search with certbot why it doesn't want to work.
          Thanks again
          Benoit

            PiBa @bensz
            last edited by Jan 14, 2021, 10:50 PM

            @bensz
            So now you should be able to use acme to get a certificate; after that the https site should be configured with it.

              PiBa @bensz
              last edited by Jan 14, 2021, 10:52 PM

              @bensz said in problem configuring HAproxy with subdomains:

              search with certbot why it doesn't want to work.

              Previously you got the message "Timeout during connect (likely firewall problem)". I think that should be solved now. So what are Certbot / the LE servers saying now for an error?

                bensz
                last edited by Jan 14, 2021, 10:57 PM

                Certbot reply:

                • The following errors were reported by the server:

                  Domain: dolizelec.zelec.homelinux.net
                  Type: unauthorized
                  Detail: Invalid response from
                  http://dolizelec.zelec.homelinux.net/.well-known/acme-challenge/_bWOWkqCKIrs7bOzwJbxGLfmetEfGCG6phCO8q4CqdY
                  [92.188.16.194]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
                  2.0//EN">\n<html><head>\n<title>404 Not
                  Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

                  bensz
                  last edited by Jan 15, 2021, 11:16 AM

                  Hello,
                  I solved things with certbot, but now my problem is port 443 goes to pfsense webgui instead of my haproxy backend.
                  I don't understand why.
                  Thanks

                    PiBa @bensz
                    last edited by Jan 15, 2021, 6:42 PM

                    @bensz
                    Is the webgui still configured on :4433?
                    Is haproxy still the only service listening on :443?
                    Is haproxy configured to forward traffic to the pfSense webgui with some backend? Maybe an ACL doesn't match properly and sends the traffic to that backend then?
                    Do you have a NAT rule that points 443 traffic to the webgui port?

                      bensz
                      last edited by bensz Jan 16, 2021, 7:56 AM Jan 16, 2021, 7:51 AM

                      Hi,
                      The webgui is on port 4433.
                      As far as I know, haproxy is the only service listening on 443.
                      There's no backend to the webgui. For the moment, I have 2 frontends, 1 for port 80 and 1 for port 443, and 2 backends for the same reason.
                      I use a NAT rule for 443 but it's for my old server, and I disabled it for testing.
                      My new server (in a subdomain) and my old server (with NAT) use Apache. And when I try to get a certificate with LE, the reply is an nginx server reply on 443. As I don't have any nginx server, I suppose it's the webgui, which is served by nginx.

                      Thanks

                      Here is my haproxy.cfg if that can help:
                      haproxy.txt

                        PiBa @bensz
                        last edited by Jan 16, 2021, 4:08 PM

                        @bensz said in problem configuring HAproxy with subdomains:

                        the reply is a nginx server reply in 443

                        That might be, but the pfSense webgui does not seem to send the <!DOCTYPE HTML PUBLIC which the certbot error shows, so if it is nginx then it's a different nginx server than the one running on pfSense. I doubt it's finding its way to the webgui. Your Apache server, however, does send that doctype when requested for a page that does not exist. I think the certbot>letsencrypt request does properly land on the Apache server, but maybe the token file was just not placed in the correct subfolder?

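A quick way to see what the Let's Encrypt validator actually gets back, along the lines of the doctype reasoning in the post above; this is an added example, not code from the thread, pfSense or HAProxy. The sample response, the `Server: Apache` header value and the result labels are constructed, and `check_url` is a hypothetical helper for running the same classification against a live challenge URL.

```python
"""ACME HTTP-01 pre-flight check (added example, not code from the thread).
Classifies what Let's Encrypt would get for /.well-known/acme-challenge/<token>:
an Apache 404 (token file not in the webroot) vs. an nginx answer (HAProxy ACL
or NAT rule sending :80 somewhere else) vs. a valid key authorization body."""
import re
import urllib.error
import urllib.request

# A correct body is "<token>.<account-key-thumbprint>", both base64url.
KEY_AUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\s*$")
# Apache's stock error page starts with this; pfSense's nginx does not.
APACHE_DOCTYPE = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'
# Constructed sample modelled on the certbot error quoted in the thread.
SAMPLE_APACHE_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    + APACHE_DOCTYPE + "\n<html><head>\n<title>404 Not Found</title>\n"
    "</head><body>\n<h1>Not Found</h1>\n</body></html>\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def classify(status, headers, body):
    """Diagnose the response from the validator's point of view."""
    server = headers.get("server", "").lower()
    if status == 200 and KEY_AUTHZ_RE.match(body):
        return "ok"             # HTTP-01 should pass
    if status == 200:
        return "wrong-content"  # 200, but not "<token>.<thumbprint>"
    if status == 404 and APACHE_DOCTYPE in body:
        return "apache-404"     # reached Apache; no file under webroot/.well-known/acme-challenge/
    if "nginx" in server:
        return "nginx"          # pfSense webGUI or another host behind an HAProxy ACL / NAT rule
    return "unexpected-%d" % status

def check_url(url, timeout=10):
    """Fetch the live challenge URL (redirects are followed, as the validator does)."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        resp = err
    body = resp.read().decode("utf-8", "replace")
    return classify(resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, body)
```

Run `check_url("http://<domain>/.well-known/acme-challenge/<token>")` from outside the LAN, with a token file you placed yourself, before asking Let's Encrypt again; an `apache-404` result means the request reaches Apache and only the webroot path needs fixing.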
                          bensz
                          last edited by Jan 17, 2021, 8:39 AM

                          You're right. I deleted certbot and installed a self-signed certificate. That works correctly. The problem comes from LE. As the server is empty, I will reinstall it.
                          Thank you for your help
                          Benoit
