Let's Encrypt and haproxy

[pingus]

Hi

I'm tesing OPNsense with haproxy and Let's Encrypt but it will not issue a certificate because the path is not found (http based).

It is not fully clear to me what Let's Encrypt is doing in http based issuing. Do it stop any web services on the firewall itself and then start it's own webservice to provide the necessary web path? If so, does it also stop the haproxy or is this not necessary?

Or, does it need the web server the certificate is for? Makes no sense to me because OPNsense is not able to write into the backend webservers http directory.

Many thanks for the clarification.

[dragon2611]

Either the challange file needs to exist on the backend server or HAproxy would need to divert the folder LE uses to another directory hosting the challenge response file

[franco]

Hi guys,

The author of the LE and HAproxy plugin was hard at work to provide full integration between both plugins (LE -> HAproxy really). It is scheduled for release with OPNsense 17.1.1 on Thursday.


Cheers,
Franco

[fraenki]

I've added some screenshots to the PR to demonstrate the upcoming HAProxy integration:
https://github.com/opnsense/plugins/pull/71

When enabled it will automatically add the required configuration to HAProxy (backend, server and action/ACL for acme challenge detection/redirection) and restart HAProxy if required. (The acme challenges will be served by a tiny webserver running on OPNsense.)


Regards
- Frank

[pingus]

Wow, what a great community and fast developers! I guess i should stay with opnsense