Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Hi, my setup is an Odroid with OpnSense and docker containers running on a Synology NAS behind the OpnSense box. I have set up a reverse proxy using this guide and everything works just fine on my PC: I can access my containers through the reverse proxy (using synology.me).

However, I can't access any of the reverse proxies from phones (tried on both Android and iPhone). I can't find any help in any forum. Any chance anyone could guide me?

Please let me know if it would help if I uploaded any configuration.

Thanks in advance!

BR,
Andreas

Has anyone using this setup started to see failures in the LE cert renewal DNS checks?

Looks like starting two weeks ago I started getting failures on all my ACME renewals that had been working for a year or more. I am not in a place right now to share log info, but what I was seeing at debug log level 2 is that the TXT record is set, but when ACME checks it against LE it says the TXT record is not the expected one.

I'll drop more later.

On multiple occasions I've been observing that even though a certificate has been renewed, the previous version is still being served.
I then manually trigger the HAProxy restart action directly from the "Run automations" symbol under Services>ACME Client>Certificates>Certificate Entry>Commands.
The certificate being served then becomes correct, but some time later I get the old one back.

I now find 2 certificates listed as "Update Certificates" under Services>HAProxy>Maintenance>SSL Certificates.
There is an entry for 1_HTTPS_frontend and on that line under Commands, an "Apply Changes" icon is available.
Clicking that and confirming the operation also gets rid of the use of the old certificate. Hopefully this stays permanent; now I only need to find a way to automate this after a certificate renewal, as restarting HAProxy does not seem to permanently affect this.

EDIT:
It is possible to create another automation (Service>ACME>Automations) for this. When selecting "System or Plugin Command" under "Run command", "Sync SSL certificate changes into running HAProxy service" can be selected as a system command. I think this is the permanent fix.

EDIT2:
Tested the automation on a 2nd setup where 5 was shown under "Update certificates". Running the automations that now include the sync command made that go away ;-).

Quote from: Patrick M. Hausen on December 15, 2024, 10:23:07 PM
But you might be able to pull some tricks with inbound NAT port forwarding etc.

In case someone wonders: it works pretty well with a self-signed cert for internal traffic and forwarding the needed ports to jitsi.

Hello All!
A question for others who use this setup. Has anyone had the need to do a path-based setup on a single domain?

i.e. domain.com & domain.com/api/v1 point to two different backend servers? I came across https://www.haproxy.com/blog/path-based-routing-with-haproxy and was playing around in OPNSense HAProxy with Conditions and Rules, but when I added the api backend rule into the main domain backend rules at the bottom I got the warning "'use_backend' ignored because backend 'TESTCom_backend' has no frontend capability." So I'm kinda at a loss tonight and thought I would post here while giving my brain a break :D

Hello,

I've been searching both the forum and Google and I cannot find an answer, hence me posting here.

How can I redirect root domain to www? Meaning example.com pointing to www.example.com

Everything else works as it should, but for the life of me I cannot make this simple redirection work!!

Hello all,

Great tutorial, and really happy to have had this setup running for more than a year. I am struggling with something I want to fix, and have read a lot about what I want, but don't know where to start. More people in this topic are facing this, and I am standing in the 'complexity' of all the configuration settings in HAProxy.

I have NextCloud running as internal service for webdav/caldav services over HTTPS, port 443. Running perfectly from external: signed wildcard-LE cert to subdomain. From WireGuard VPN to internal (followed OPNSense official tutorial) I can perfectly go to my subdomain with LE cert and can access my internal network. From my internal network itself, I get the self-signed certificate. I want my internal service available with an external signed certificate over my subdomain.

Is it possible to go from the internal network to 'external', so I don't have to struggle with self-signed certificates? And where do I have to start? There is lots of information around, but (Dutch proverb) I can't see the forest for the trees.

Quote from: NW4FUN on January 28, 2025, 11:16:44 AM
Hello,

I've been searching both the forum and Google and I cannot find an answer, hence me posting here.

How can I redirect root domain to www? Meaning example.com pointing to www.example.com

Everything else works as it should, but for the life of me I cannot make this simple redirection work!!

Any clue anyone?
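The two HAProxy questions in this thread (routing domain.com/api/v1 to a second backend, and redirecting example.com to www.example.com) expressed in raw HAProxy configuration, as an added example that is neither the tutorial's nor either poster's config. Backend names, server addresses and the certificate directory are placeholders; the frontend name is the one this thread already uses. In the OPNsense plugin the equivalent Rules must be attached to the Public Service (frontend), not to a backend, which is exactly why a use_backend rule placed on a backend is dropped with the "has no frontend capability" warning.

```haproxy
# Added example (not from the tutorial or any poster in this thread).
# use_backend and http-request redirect are only evaluated in a
# frontend (or listen) section, never inside a backend section.
frontend 1_HTTPS_frontend
    bind :443 ssl crt /path/to/ssl/   # placeholder: the plugin's cert directory
    mode http

    # Conditions (ACLs); names are placeholders
    acl host_root  hdr(host) -i example.com
    acl host_www   hdr(host) -i www.example.com
    acl path_api   path_beg  -i /api/v1

    # Root domain -> www, keeping the original path and query string
    http-request redirect prefix https://www.example.com code 301 if host_root

    # Most specific rule first: /api/v1 on the www host goes to the API backend
    use_backend api_backend if host_www path_api
    # Everything else on the www host goes to the main web backend
    use_backend web_backend if host_www

    default_backend web_backend

backend api_backend
    mode http
    server api1 192.0.2.20:8080 check   # placeholder address

backend web_backend
    mode http
    server web1 192.0.2.10:8080 check   # placeholder address
```

Rule order matters: HAProxy takes the first matching use_backend, so the path rule has to sit above the catch-all host rule.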

Had an issue with the step where trying to forcefully issue the test and production certificate.

Seems that I am having the best of luck: OCSP Must-Staple was deprecated at Let's Encrypt just 5 days ago.

Resulting in:
AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 9 --debug 3 --server 'letsencrypt_test' --dns 'dns_desec' --dnssleep '240' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/redacted.02853966' --certpath '/var/etc/acme-client/certs/redacted.02853966/cert.pem' --keypath '/var/etc/acme-client/keys/redacted.02853966/private.key' --capath '/var/etc/acme-client/certs/redacted.02853966/chain.pem' --fullchainpath '/var/etc/acme-client/certs/redacted.02853966/fullchain.pem' --domain '*.redacted.dedyn.io' --days '1' --force --ocsp --keylength 'ec-384' --accountconf '/var/etc/acme-client/accounts/redacted.79212996_stg/account.conf''
After turning debugging mode on it seems the following had happened:
"detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",

Solution
Had to turn OCSP stapling off (the OCSP Must Staple setting in the certificate settings of the ACME client).