Archive > 19.7 Legacy Series

HAProxy and Let's Encrypt stopped working when I switched to Production (LE)


aschaapherder:
Let me sketch the situation in the hope that someone has an idea or can point me in the right direction.

I have used Apache as reverse proxy with LE certificates for quite some time for several internally running websites. In an effort to make things less dependent on each other (reverse proxy was running on one of my websites) I decided to move the reverse proxy functionality to a separate machine running OPNsense. Note that OPNsense is running internally (LAN only) and provides DNS/DHCP and time services internally.

I set up HAProxy with Let's Encrypt as per this https://blog.bagro.se/lets-encrypt-with-haproxy-on-opnsense/. HAProxy is running fine and I initially configured a multi-domain certificate against the LE staging environment. Worked fine. But when I switched to the Production environment all I got was validation errors. Log shows

--- Code: ---detail": "KeyID header contained an invalid account URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/123456789\"
--- End code ---
(obviously that is not my account number).

No matter what I changed, different account, staging to prod etc, create new certificates for the separate domains instead of a multi domain cert, I always get this error.

Should I wipe the setup and start clean (I did this already once but did not properly record all the steps) and if so, is there a place I should delete the files?

I have searched for many things, starting with opnsense - haproxy - lets encrypt - error but even if I widen the search I don't get much useful info.

Any pointers and/or suggestions are welcome, even pointing me to different solutions (preferably on OPNsense); I want a working reverse proxy with LE certs.

fabian:
The problem is in the acme plugin so switching the reverse proxy will not help. You can try to run the acme commands directly on CLI to generate a valid cert.
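
As an added illustration (not code from this thread, the OPNsense plugin or acme.sh), the check below parses an ACME problem document like the one quoted above, pulls the account URL out of the rejected KeyID and compares its environment with the directory the client is configured for. The directory hostnames are Let's Encrypt's published endpoints; the account number and the sample error body are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Let's Encrypt ACME v2 directory hosts (published values, not taken from the thread).
LE_HOSTS = {
    "acme-v02.api.letsencrypt.org": "production",
    "acme-staging-v02.api.letsencrypt.org": "staging",
}
PRODUCTION_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed sample problem document (RFC 8555 section 6.7); account id is a placeholder.
SAMPLE_PROBLEM = json.dumps({
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": 'KeyID header contained an invalid account URL: '
              '"https://acme-v02.api.letsencrypt.org/acme/acct/123456789"',
})


def environment_of(url):
    """Map a directory or account URL to 'production', 'staging' or 'unknown'."""
    return LE_HOSTS.get(urlparse(url).hostname or "", "unknown")


def account_url_from_problem(body):
    """Return (type, account URL) from a KeyID rejection, or (type, None) otherwise."""
    doc = json.loads(body)
    detail = doc.get("detail", "")
    if "KeyID" not in detail:
        return doc.get("type", ""), None
    match = re.search(r'"(https?://[^"]+)"', detail)
    return doc.get("type", ""), match.group(1) if match else None


def diagnose(directory_url, problem_body):
    """The JWS 'kid' must be the account URL that *this* directory's newAccount
    returned, so an account registered on one environment is invalid on the other."""
    ptype, account_url = account_url_from_problem(problem_body)
    if account_url is None:
        return {"cause": "not a KeyID error", "type": ptype}
    server_env, account_env = environment_of(directory_url), environment_of(account_url)
    cause = ("environment mismatch" if server_env != account_env
             else "account unknown to this server")  # key changed or never registered here
    return {"cause": cause, "server": server_env, "account": account_env}


if __name__ == "__main__":
    print(diagnose(STAGING_DIRECTORY, SAMPLE_PROBLEM))
```

When the environments match but the error persists, the account key in use was never registered with that server, which is the case a fresh registration (or a CLI run against the correct directory) resolves.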

aschaapherder:
Thanks! Happy to try that. Looking at the response of acme.sh ... Any suggestions where I can find how acme.sh is started from the plugin? In other words how the request is constructed? Can I learn that from the plugin?

I increased the log level of the LE plugin as well but that does not show me the commandline structure.

fabian:
Just look at the config commands - they should contain most information how things are invoked.

aschaapherder:
Thanks :)

I did that of course. But sorting out how to invoke it and where the various files are stored is an interesting but time-consuming exercise, so I was looking for a shortcut. Can you point me at where the Let's Encrypt/acme.sh plugin is stored? I can probably pick up the details from that.
