Topic: HAProxy and Letsencrypt integration [solved] (Read 5491 times)
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Posted on: December 08, 2018, 04:01:51 pm
Hi,
I installed HAProxy and the LE plugin according to the documentation. I now have 2 things:
1) Calling my website from the internet brings me a certificate error. This is, I think, due to the fact that I cannot install a LE certificate for HAProxy.
2) Trying to get a certificate from LE just ends up in status '202' after acknowledging token and nonce and what else.
I installed the LE plugin with the HA integration, leaving everything at standard, but I cannot get LE certifying my HAProxy.
And btw.: which firewall rules do I have to set to have HAProxy as a reverse proxy for my web server? Is a rule (allow from WAN to this firewall, port 80 and 443) enough? Port forwarding does not work in that case.
Last Edit: December 12, 2018, 02:29:09 pm by ruggerio
Logged
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Reply #1 on: December 08, 2018, 05:57:16 pm
It is probably the same as in nginx: You need to request a certificate using the acme.sh plugin via the production version of Let's Encrypt and not the testing version. Then you have to select the certificate to use it for the reverse proxy or server and then reconfigure / restart it.
Logged
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Reply #2 on: December 10, 2018, 10:22:53 am
I am back on prod 18.7.8 and installed acme via extensions. Isn't there just the production version?
Or do you mean to execute acme.sh via SSH directly and not via the web interface?
Logged
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Reply #3 on: December 10, 2018, 10:25:40 pm
You can switch between test and production certificates in the GUI. The plugin can create both.
Logged
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Reply #4 on: December 11, 2018, 07:51:24 am
The howto for HAProxy is quite old. The printscreens do not show the tabs used now, which can be very irritating.
Where can I switch between test and prod?
Logged
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Reply #5 on: December 11, 2018, 06:22:25 pm
See the screenshot attached
Logged
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Reply #6 on: December 12, 2018, 08:33:00 am
*grumpy* I just get 400 and no cert.
I think I will reinstall everything on Let's Encrypt and HAProxy for this. It did not create a public frontend whilst installing LE.
Logged
simonszu (Newbie, Posts: 17, Karma: 1)
Reply #7 on: December 12, 2018, 01:01:59 pm
I have a similar setup, so I'll describe what I did:
- Create a LE account. The values are up to you, just use an existing email address.
- Specify a validation method. For DNS validation you need to install the additional acme-validation package.
- Go to settings, enable the plugin, select "Production environment" as the environment, and enable HAProxy integration.
- Create the certificate. Fill out the correct Common Name, and select your LE account and validation method. Wait until your certificate has been created.
- Create an HTTPS frontend for HAProxy, let it listen on port 443, and set the type to "HTTP / HTTPS (SSL offloading) [default]". Select the LE certificate in "SSL Offloading".
There you go. I am unsure if the acme client will restart my HAProxy via "HAProxy integration", or if I need to specify a restart action manually for certificate renewal, but at least this results in HAProxy doing SSL offloading with the LE certificate.
If you still get a cert error in your browser, inspect the cert. Is it signed by LE staging or production? Does the cert's common name match the host part of the URL you are trying to access?
Logged
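The certificate inspection suggested in Reply #7, as an added example that is not part of the original thread: it reports whether a certificate's issuer looks like Let's Encrypt staging or production and whether the name matches. The function names, the issuer-string heuristics and the constructed test certificates are assumptions; domain.net is the placeholder name used in the thread, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSL 1.1.1+ (-addext, -checkhost).

# fetch_cert HOST [PORT]: print the leaf certificate a TLS frontend serves, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# classify_cert PEM HOST: print "issuer=<staging|production|other> host=<match|mismatch>".
classify_cert() {
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 2
    # Assumption: issuer-name heuristics. Staging CAs carry "(STAGING)" or, in
    # older chains, "Fake LE"; anything else naming Let's Encrypt is production.
    case "$issuer" in
        *STAGING*|*"Fake LE"*) env=staging ;;
        *"Let's Encrypt"*)     env=production ;;
        *)                     env=other ;;
    esac
    # -checkhost compares HOST with the SAN DNS entries (CN only if none exist).
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        name=match
    else
        name=mismatch
    fi
    echo "issuer=$env host=$name"
}

# make_sample OUT.pem SUBJECT SAN_HOST: constructed self-signed test certificate
# (self-signed, so issuer == SUBJECT); stands in for a fetched certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -subj "$2" -addext "subjectAltName=DNS:$3" -out "$1" 2>/dev/null
}

# Offline demo on constructed certificates for the placeholder name domain.net.
tmp=$(mktemp -d)
make_sample "$tmp/stg.pem" "/O=(STAGING) Let's Encrypt/CN=constructed staging CA" domain.net
make_sample "$tmp/prod.pem" "/O=Let's Encrypt/CN=constructed production CA" domain.net
classify_cert "$tmp/stg.pem" domain.net
classify_cert "$tmp/prod.pem" www.domain.net
```

Against a live frontend, `fetch_cert domain.net > cert.pem` followed by `classify_cert cert.pem domain.net` runs the same check on the certificate HAProxy actually serves.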
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Reply #8 on: December 12, 2018, 02:20:37 pm
Thanks all for your help.
The last thing was an error in the frontend. The listening address had to be my WAN IP.
That's grumpy too, as I have DDNS running. So I have to change the IP manually each time it changes.
Logged
ruggerio (Sr. Member, Posts: 295, Karma: 11)
Reply #9 on: December 12, 2018, 02:30:26 pm
OK, simple: removed my domain (domain.net) from dnsmasq and just let it resolve by DDNS. Entered domain.net:80 and domain.net in all my HAProxy frontends and recreated the certificate - works.
Logged