Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
NGINX, HAPROXY - HTTP-Challenge and 404
« previous
next »
Print
Pages: [
1
]
Author
Topic: NGINX, HAPROXY - HTTP-Challenge and 404 (Read 1405 times)
itngo
Full Member
Posts: 114
Karma: 4
NGINX, HAPROXY - HTTP-Challenge and 404
«
on:
December 19, 2022, 01:34:27 pm »
Hello again,
if have still some Problems with Certificate-Renewal and Let'sEncrypt ACME.
We have to use HTTP-Challenge for 3 or 4 Domains cause no DNS-Support/Control for them.
We use HAPROXY and have enabled Option in ACME-Plugin to support HAPROXY, Firewall-Rule PORT 80 is also in place. HAPROXY is listening only on specific IPs as there is also an NGINX installed on the Opnsense for some Sites.
ACME is in Debug-Mode so files etc, stay after renewal/failure for testing.
When I run CURL curl
http://REMOVED/.well-cme-challenge/SECRETCHALLENGE
it gives the correct result. So I guess HAPROXY does know what to do?
However, when I do the same from Public Internet I just get an "404 Not Found", which leads me to "Port is Open" but HAPROXY does not know what to do in that case with the request?
What I am missing here?
Additional, turned on detailed logging on frontend and get:
0.0.0.0:39209 [19/Dec/2022:13:43:12.087] Webserver_HTTP acme_challenge_backend/acme_challenge_host 0/0/0/0/0 200 269 - - ---- 17/1/0/0/0 0/0 "GET /.well-known/acme-challenge/removed HTTP/1.1"
So it look like, the ACME backend does get the file but Let's Encrypt-Server respond with "400".
«
Last Edit: December 19, 2022, 01:44:50 pm by itngo
»
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: NGINX, HAPROXY - HTTP-Challenge and 404
«
Reply #1 on:
December 19, 2022, 07:51:20 pm »
Hi
is it possible to send the name of the site in a pm?
Logged
itngo
Full Member
Posts: 114
Karma: 4
Re: NGINX, HAPROXY - HTTP-Challenge and 404
«
Reply #2 on:
December 19, 2022, 08:26:14 pm »
Just did... Thx
Logged
itngo
Full Member
Posts: 114
Karma: 4
Re: NGINX, HAPROXY - HTTP-Challenge and 404
«
Reply #3 on:
December 20, 2022, 02:01:47 pm »
To finalize this... it is working again with "HTTP-01"-Challenge,...
we use
https://www.abuseipdb.com
with a confidence-level of 25%, which leads to a Table of around 450k IP-Adresses which we block in our opnSense, cause every IP had several complaints from AbuseDBip-Community. After lowering this to around 60% confidence, renewal is working again....
Last question, if it is possible to see in any log, that something has been blocked cause of URL-Table-Entry?
Logged
Fright
Hero Member
Posts: 1777
Karma: 164
Re: NGINX, HAPROXY - HTTP-Challenge and 404
«
Reply #4 on:
December 20, 2022, 02:21:58 pm »
Hi!
glad it works )
Quote
if it is possible to see in any log, that something has been blocked cause of URL-Table-Entry?
pf logs rule number only. so we can only rely on the rule number in the plain log (and the rule number can change over time when changing the pf configuration) or the rule description in the live log.
ps. for future references. nice point to start LE issues debug:
https://letsdebug.net/
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
NGINX, HAPROXY - HTTP-Challenge and 404
