Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
Haproxy and Letsencrpyt integration [solved]
« previous
next »
Print
Pages: [
1
]
Author
Topic: Haproxy and Letsencrpyt integration [solved] (Read 5561 times)
ruggerio
Sr. Member
Posts: 295
Karma: 11
Haproxy and Letsencrpyt integration [solved]
«
on:
December 08, 2018, 04:01:51 pm »
Hi,
i installed haproxy and the le-plugin according to the documenation. i have now 2 things:
1) calling my website from the internet brings me a certificate error. this is, i think, according to the fact, that i cannot install a le-certificate for haproxy
2) trying to have a certificate from le, just ends up in status '202' after acknowleding token and nonce and what else..
I installed the le-plugin with the ha-integration, leaving all to standard, but i cannot ge le certifying my haproxy.
and btw.: which firewall-rules do i have to set to have haproxy as a reverseproxy for my webserver? is a rule (allow from wan to this firewall, port 80 and 443) enough? Portforwarding does not work in that case.
«
Last Edit: December 12, 2018, 02:29:09 pm by ruggerio
»
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Haproxy and Letsencrpyt integration
«
Reply #1 on:
December 08, 2018, 05:57:16 pm »
It is probably the same as in nginx: You need to request a certificate using the acme.sh plugin via the production version of Let's Encrypt and not the testing version. Then you have to select the certificate to use it for the reverse proxy or server and then reconfigure / restart it.
Logged
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: Haproxy and Letsencrpyt integration
«
Reply #2 on:
December 10, 2018, 10:22:53 am »
i am back on prod 18.7.8 and installed acme via extensions. Isn't there just the production version?
Or do you mean to execute the acme.sh via ssh directly and not via webinterface?
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Haproxy and Letsencrpyt integration
«
Reply #3 on:
December 10, 2018, 10:25:40 pm »
you can switch between test and production certificates in the GUI. The plugin can create both.
Logged
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: Haproxy and Letsencrpyt integration
«
Reply #4 on:
December 11, 2018, 07:51:24 am »
the howto for the haproxy is quite old. The printscreens do not show the tabs used now, this can be very irritating.
Where can i switch between test and prod?
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Haproxy and Letsencrpyt integration
«
Reply #5 on:
December 11, 2018, 06:22:25 pm »
See the screenshot attached
Logged
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: Haproxy and Letsencrpyt integration
«
Reply #6 on:
December 12, 2018, 08:33:00 am »
*grumpy* i just get 400 and no cert
i think i reinstall everything on letsencrypt and haproxy for this. It did not create a public frontend, whilst installing le.
Logged
simonszu
Newbie
Posts: 17
Karma: 1
Re: Haproxy and Letsencrpyt integration
«
Reply #7 on:
December 12, 2018, 01:01:59 pm »
I have a similar setup, so i'll describe what i did:
- Create a LE account. The values are up to you, just use an existing email address.
- Specify a validation method. For DNS validation you need to install the additional acme-validation package.
- Go to settings, enable the plugin and select "Production environment" as the environment, and enable HAPRoxy integration
- Create certificate. Fill out the correct Common Name, and select your LE account and validation method. Wait until your certificate was created.
- Create a HTTPS frontend for HAproxy, let it listen on port 443, and set the type to "HTTP / HTTPS (SSL offloading) [default]". Select the LE certificate in "SSL Offloading".
There you go. I am unsure if the acme client will restart my HAproxy via "HAproxy integration", or if i need to specify a restart action manually for certificate renewal, but at least this results in HAproxy doing SSL offloading with the LE certificate.
If you still get a cert error in your browser, inspect the cert. Is it signed by LE staging or production? Is the cert's common name matching the host part of the URL you are trying to access?
Logged
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: Haproxy and Letsencrpyt integration
«
Reply #8 on:
December 12, 2018, 02:20:37 pm »
Thanks all for your help.
The last thing was a error in the frontend. The listening adress had to be my WAN-IP.
Thats grumpy too, as i have ddns running. So i have to change the ip manually each time if it changes.
Logged
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: Haproxy and Letsencrpyt integration [solved]
«
Reply #9 on:
December 12, 2018, 02:30:26 pm »
OK, simple, removed my domain (domain.net) from dnsmasq and just let this resolve by ddns. entered domain.net:80 and domain.net in all my haproxy-frontends and recreated the certificate - works.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
18.7 Legacy Series
»
Haproxy and Letsencrpyt integration [solved]