OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ruggerio on December 08, 2018, 04:01:51 pm

Title: HAProxy and Let's Encrypt integration [solved]
Post by: ruggerio on December 08, 2018, 04:01:51 pm
Hi,

I installed HAProxy and the LE plugin according to the documentation. I now have two things:

1) Calling my website from the internet gives me a certificate error. This is, I think, due to the fact that I cannot install an LE certificate for HAProxy.

2) Trying to get a certificate from LE just ends up in status '202' after acknowledging token and nonce and whatever else.

I installed the LE plugin with the HAProxy integration, leaving everything at the defaults, but I cannot get LE to certify my HAProxy.

And by the way: which firewall rules do I have to set to have HAProxy as a reverse proxy for my web server? Is a rule (allow from WAN to this firewall, ports 80 and 443) enough? Port forwarding does not work in that case.
Title: Re: HAProxy and Let's Encrypt integration
Post by: fabian on December 08, 2018, 05:57:16 pm
It is probably the same as in nginx: You need to request a certificate using the acme.sh plugin via the production version of Let's Encrypt and not the testing version. Then you have to select the certificate to use it for the reverse proxy or server and then reconfigure / restart it.
Title: Re: HAProxy and Let's Encrypt integration
Post by: ruggerio on December 10, 2018, 10:22:53 am
I am back on prod 18.7.8 and installed acme via extensions. Isn't there just the production version?

Or do you mean executing acme.sh via SSH directly and not via the web interface?
Title: Re: HAProxy and Let's Encrypt integration
Post by: fabian on December 10, 2018, 10:25:40 pm
You can switch between test and production certificates in the GUI. The plugin can create both.
Title: Re: HAProxy and Let's Encrypt integration
Post by: ruggerio on December 11, 2018, 07:51:24 am
The how-to for HAProxy is quite old. The screenshots do not show the tabs used now, which can be very irritating.

Where can I switch between test and prod?
Title: Re: HAProxy and Let's Encrypt integration
Post by: fabian on December 11, 2018, 06:22:25 pm
See the screenshot attached.
Title: Re: HAProxy and Let's Encrypt integration
Post by: ruggerio on December 12, 2018, 08:33:00 am
*grumpy* I just get 400 and no cert :( I think I'll reinstall everything for Let's Encrypt and HAProxy because of this. It did not create a public frontend while installing LE.
Title: Re: HAProxy and Let's Encrypt integration
Post by: simonszu on December 12, 2018, 01:01:59 pm
I have a similar setup, so I'll describe what I did:

- Create an LE account. The values are up to you, just use an existing email address.
- Specify a validation method. For DNS validation you need to install the additional acme-validation package.
- Go to settings, enable the plugin and select "Production environment" as the environment, and enable HAProxy integration.
- Create the certificate. Fill out the correct Common Name, and select your LE account and validation method. Wait until your certificate has been created.
- Create an HTTPS frontend for HAProxy, let it listen on port 443, and set the type to "HTTP / HTTPS (SSL offloading) [default]". Select the LE certificate in "SSL Offloading".

There you go. I am unsure whether the acme client will restart my HAProxy via "HAProxy integration", or whether I need to specify a restart action manually for certificate renewal, but at least this results in HAProxy doing SSL offloading with the LE certificate.

If you still get a cert error in your browser, inspect the cert. Is it signed by LE staging or production? Is the cert's common name matching the host part of the URL you are trying to access?
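The two checks the post above ends with (who issued the served certificate, and whether the certificate's names cover the host in the URL) can be scripted. The following is an added example, not the poster's or the OPNsense plugin's code. The certificate dicts in it are constructed in the shape Python's `getpeercert()` returns; the hostnames, the issuer names and the staging/production heuristic are assumptions, not data from this thread.

```python
"""Inspect a TLS leaf certificate the way a browser does: issuer environment
and hostname coverage. Pure functions work on getpeercert()-style dicts, so
they run offline; diagnose() wraps them around a live connection."""
import socket
import ssl

# Constructed sample: a leaf issued by the Let's Encrypt staging CA. The issuer
# names are the ones LE staging has used since 2020 (assumption for this thread;
# the 2018 staging intermediate was called "Fake LE Intermediate X1").
SAMPLE_STAGING_CERT = {
    "subject": ((("commonName", "domain.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "(STAGING) Let's Encrypt"),),
        (("commonName", "(STAGING) Artificial Apricot R3"),),
    ),
    "subjectAltName": (("DNS", "domain.net"), ("DNS", "*.domain.net")),
    "notAfter": "Mar 12 13:00:00 2019 GMT",
}

# Constructed sample: a production LE leaf that only names the bare domain, so
# a request for www.domain.net would get a name-mismatch error in the browser.
SAMPLE_PROD_CERT = {
    "subject": ((("commonName", "domain.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "domain.net"),),
    "notAfter": "Mar 12 13:00:00 2019 GMT",
}


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_issuer(cert):
    """'staging', 'production' or 'other', from the issuer's O and CN.
    Heuristic (assumption): LE staging CAs carry '(STAGING)' or 'Fake LE' in
    their names, production CAs say plain "Let's Encrypt"."""
    org = rdn_value(cert["issuer"], "organizationName") or ""
    cn = rdn_value(cert["issuer"], "commonName") or ""
    if "STAGING" in org.upper() or cn.startswith("Fake LE"):
        return "staging"
    if org == "Let's Encrypt":
        return "production"
    return "other"


def dns_names(cert):
    """Names a client matches against: SAN DNS entries; CN only as legacy
    fallback when there is no SAN at all (modern browsers ignore CN entirely)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    cn = rdn_value(cert["subject"], "commonName")
    return [cn] if cn else []


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or '*.' covering exactly one leftmost label.
    '*.domain.net' covers www.domain.net but neither domain.net nor a.b.domain.net."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False


def host_covered(cert, host):
    return any(name_matches(n, host) for n in dns_names(cert))


def diagnose(host, port=443):
    """Connect and report both checks separately. Chain verification stays on:
    a staging-signed leaf is then reported as an untrusted chain, which is
    exactly what the browser sees; only the hostname check is done by hand."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"chain not trusted ({exc.verify_message}): staging or self-signed?"
    return (f"issuer: {classify_issuer(cert)}; "
            f"names {dns_names(cert)} cover {host}: {host_covered(cert, host)}")


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "domain.net"))
```

Run it as `python3 certcheck.py www.domain.net` against the public side of the firewall. An "untrusted chain" result means the frontend is still serving the staging certificate (or a self-signed placeholder); an issuer of `production` with `cover ...: False` means the certificate was issued for a different name than the one in the URL, which is the second question in the post.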
Title: Re: HAProxy and Let's Encrypt integration
Post by: ruggerio on December 12, 2018, 02:20:37 pm
Thanks all for your help.

The last thing was an error in the frontend. The listening address had to be my WAN IP.

That's grumpy too, as I have DDNS running. So I have to change the IP manually each time it changes. :(
Title: Re: HAProxy and Let's Encrypt integration [solved]
Post by: ruggerio on December 12, 2018, 02:30:26 pm
OK, simple: I removed my domain (domain.net) from dnsmasq and just let it be resolved by DDNS. I entered domain.net:80 and domain.net in all my HAProxy frontends and recreated the certificate. Works.
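The listening-address problem in the last two posts, shown as the haproxy.cfg that the GUI setting ends up as. This is an added example, not the configuration the OPNsense plugin generates (its paths and frontend names differ); the addresses are from the documentation ranges and the certificate path is a placeholder.

```haproxy
# Bound to today's WAN address. Works until DDNS hands out a new address:
# the socket stays on the old one and the frontend silently stops answering.
frontend https_in_fragile
    bind 203.0.113.10:443 ssl crt /path/to/domain.net.pem
    default_backend webserver

# Bound to the DDNS hostname, as in the last post. HAProxy resolves the name
# only when the configuration is loaded, so an address change still needs a
# reload of HAProxy; nothing re-resolves it at runtime.
frontend https_in_by_name
    bind domain.net:443 ssl crt /path/to/domain.net.pem
    default_backend webserver

# Wildcard bind: survives address changes without a reload. HAProxy then
# listens on every interface, so reachability must be limited by the firewall
# rule that allows WAN to ports 80 and 443 (the rule asked about in the first post).
frontend https_in
    bind :443 ssl crt /path/to/domain.net.pem
    default_backend webserver

frontend http_in
    bind :80
    http-request redirect scheme https code 301

backend webserver
    server web1 192.0.2.20:80 check
```

Whichever form is used, the Let's Encrypt HTTP-01 challenge still has to reach port 80 on the firewall from the internet, so the firewall rule for port 80 is needed at issuance and renewal time, not only port 443 for the site itself.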