OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: itngo on December 19, 2022, 01:34:27 pm

Title: NGINX, HAPROXY - HTTP-Challenge and 404
Post by: itngo on December 19, 2022, 01:34:27 pm
Hello again,

I still have some problems with certificate renewal and Let's Encrypt ACME.

We have to use the HTTP challenge for 3 or 4 domains because we have no DNS support/control for them.

We use HAProxy and have enabled the option in the ACME plugin to support HAProxy; the firewall rule for port 80 is also in place. HAProxy is listening only on specific IPs, as there is also an NGINX installed on the OPNsense for some sites.

ACME is in debug mode, so files etc. stay after renewal/failure for testing.

When I run curl http://REMOVED/.well-known/acme-challenge/SECRETCHALLENGE it gives the correct result. So I guess HAProxy does know what to do?

However, when I do the same from the public internet I just get a "404 Not Found", which leads me to "port is open" but HAProxy does not know what to do with the request in that case?

What am I missing here?

Additionally, I turned on detailed logging on the frontend and get:

0.0.0.0:39209 [19/Dec/2022:13:43:12.087] Webserver_HTTP acme_challenge_backend/acme_challenge_host 0/0/0/0/0 200 269 - - ---- 17/1/0/0/0 0/0 "GET /.well-known/acme-challenge/removed HTTP/1.1"

So it looks like the ACME backend does get the file, but the Let's Encrypt server responds with "400".

Title: Re: NGINX, HAPROXY - HTTP-Challenge and 404
Post by: Fright on December 19, 2022, 07:51:20 pm
Hi
Is it possible to send the name of the site in a PM?
Title: Re: NGINX, HAPROXY - HTTP-Challenge and 404
Post by: itngo on December 19, 2022, 08:26:14 pm
Just did... Thx
Title: Re: NGINX, HAPROXY - HTTP-Challenge and 404
Post by: itngo on December 20, 2022, 02:01:47 pm
To finalize this... it is working again with the "HTTP-01" challenge...

We use https://www.abuseipdb.com with a confidence level of 25%, which leads to a table of around 450k IP addresses which we block in our OPNsense, because every IP had several complaints from the AbuseIPDB community. After lowering this to around 60% confidence, renewal is working again....

Last question: is it possible to see in any log that something has been blocked because of a URL table entry?
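
As an added example (not code from the thread, nor from the OPNsense, HAProxy or ACME plugin projects): a small Python parser for the HAProxy httplog format of the line pasted in the first post, with a check that flags ACME challenge requests which were not answered with 200 by the ACME backend (the "404 from the public internet" symptom), plus a lookup that tells whether a given source address falls inside a URL-table style blocklist such as the AbuseIPDB table that turned out to be the cause. The backend name `acme_challenge_backend` and the first log line come from the thread; the other two log lines, the `nginx_sites_backend` name and the blocklist entries are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# HAProxy "httplog" layout, as in the line pasted in the thread:
# client_ip:port [accept_date] frontend backend/server TR/Tw/Tc/Tr/Ta status bytes
# req_cookie resp_cookie termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue "METHOD /path HTTP/x.y"
# The pattern is searched (not anchored at the start) so a syslog prefix in
# front of the HAProxy fields does not prevent a match.
HAPROXY_HTTPLOG = re.compile(
    r"(?P<client_ip>\S+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<term_state>\S{4}) "
    r"(?P<conns>\S+) (?P<queues>\S+) "
    r'"(?P<request>[^"]*)"$'
)

ACME_PREFIX = "/.well-known/acme-challenge/"


def parse_httplog(line: str) -> Optional[dict]:
    """Parse one HAProxy httplog line into a dict; return None if it does not match."""
    m = HAPROXY_HTTPLOG.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # Split "GET /path HTTP/1.1" so the request path can be inspected on its own.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def check_acme_requests(lines, acme_backend: str):
    """One finding per ACME challenge request: where HAProxy routed it and whether
    it was answered with 200. A challenge that lands on another backend or gets a
    non-200 status is exactly the 404 symptom described in the thread."""
    findings = []
    for line in lines:
        rec = parse_httplog(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue
        findings.append({
            "client_ip": rec["client_ip"],
            "backend": rec["backend"],
            "status": rec["status"],
            "token": rec["path"][len(ACME_PREFIX):],
            "ok": rec["backend"] == acme_backend and rec["status"] == 200,
        })
    return findings


def load_blocklist(text: str):
    """Parse a URL-table style alias export: one IP or CIDR per line, '#' comments allowed."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def blocked_by(ip: str, nets) -> Optional[str]:
    """Return the first blocklist entry covering ip, or None if it is not covered."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


# Constructed sample log. Line 1 is the (already anonymised) line from the thread;
# lines 2 and 3 are invented: a challenge misrouted to the web backend and answered
# 404, and an ordinary page hit that the ACME check must ignore.
SAMPLE_LOG = [
    '0.0.0.0:39209 [19/Dec/2022:13:43:12.087] Webserver_HTTP acme_challenge_backend/acme_challenge_host 0/0/0/0/0 200 269 - - ---- 17/1/0/0/0 0/0 "GET /.well-known/acme-challenge/removed HTTP/1.1"',
    '198.51.100.7:51022 [19/Dec/2022:13:44:01.310] Webserver_HTTP nginx_sites_backend/nginx_host 0/0/1/2/3 404 352 - - ---- 18/2/0/0/0 0/0 "GET /.well-known/acme-challenge/tokenABC HTTP/1.1"',
    '203.0.113.9:40112 [19/Dec/2022:13:45:30.001] Webserver_HTTP nginx_sites_backend/nginx_host 0/0/1/5/6 200 1024 - - ---- 18/2/0/0/0 0/0 "GET /index.html HTTP/1.1"',
]

# Constructed blocklist standing in for the reputation table from the thread
# (RFC 5737 documentation ranges, not real reputation data).
SAMPLE_BLOCKLIST = """\
# constructed example entries
198.51.100.0/24   # whole test range listed
203.0.113.9       # single host
"""

if __name__ == "__main__":
    for f in check_acme_requests(SAMPLE_LOG, "acme_challenge_backend"):
        print(("OK  " if f["ok"] else "BAD ") + str(f))
    nets = load_blocklist(SAMPLE_BLOCKLIST)
    for ip in ("0.0.0.0", "198.51.100.7"):
        print(ip, "->", blocked_by(ip, nets) or "not in blocklist")
```

Usage note: a validator whose packets are dropped by the firewall never shows up in the HAProxy log at all, so `check_acme_requests` only explains the case where the request arrives and is misrouted; for the blocklist case, take the source address of the dropped connection from the firewall live log at the time of the failed renewal and run it through `blocked_by` against the current table export to confirm the table is what is eating the validation.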

Title: Re: NGINX, HAPROXY - HTTP-Challenge and 404
Post by: Fright on December 20, 2022, 02:21:58 pm
Hi!
glad it works )

Quote
Is it possible to see in any log that something has been blocked because of a URL table entry?
pf logs the rule number only, so we can only rely on the rule number in the plain log (and the rule number can change over time when changing the pf configuration) or the rule description in the live log.

PS: for future reference, a nice place to start debugging LE issues: https://letsdebug.net/