Create certificate with HAProxy in frontend?

Hello,

my current configuration is like this:

Front: HAProxy in SSL/HTTPS (port 80 closed)
Back: 4 Debian servers (Jira, Confluence, Bitwarden, ownCloud)

Currently, my DNS name is updated by Synology (xxx.synology.me); I have access to each server like this:
https://xxx.synology.me/jira, /confluence
the root https://xxx.synology.me/ is for ownCloud

I created a domain name at OVH (DNS provider) and pointed the domain at my IP address, but when I try to create the certificate, I have the following problem:

/opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d nas.xxx.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for glpi.protech-pc.be
Waiting for verification…
Challenge failed for domain nas.xxx.be
http-01 challenge for nas.xxx.be
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Is it possible it’s because port 80 is blocked? Or something else? Thank you for your help 🙂

1 Like

It's evidently not blocked, because Let's Encrypt reported that it managed to get a 404 from your domain on port 80.

Sharing your real domain would make giving you advice easier, though.

Generally what you do is create a backend in haproxy which represents the Certbot standalone server:

backend certbot
        mode http
        server certbot_standalone 127.0.0.1:402

Then, in your port 80 frontend you route requests to it:

use_backend certbot if { path_beg /.well-known/acme-challenge/ }

Finally, to issue the certificate (note the port 402 matches the port of the Certbot backend):

certbot certonly --standalone --http-01-port 402 -d example.org
2 Likes
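As an added example (not the answerer's own configuration), here is what that backend and routing rule look like inside a complete HAProxy configuration for the setup described in the question: plain HTTP on port 80 serves only the ACME challenge path and redirects everything else to HTTPS, port 443 terminates TLS and routes /jira, /confluence and the root to the four backends. The hostname nas.example.org, the 192.0.2.x backend addresses and the Jira/Confluence ports are assumed placeholders; the minimum TLS version is an assumed hardening choice, not something from the thread.

```haproxy
global
    log /dev/log local0
    # Assumed policy: refuse TLS versions older than 1.2 on the TLS listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Certbot (--standalone --http-01-port 402) listens here only while a challenge runs
backend certbot
    server certbot_standalone 127.0.0.1:402

frontend http_in
    bind :80
    # Only the ACME challenge path is answered over plain HTTP ...
    use_backend certbot if { path_beg /.well-known/acme-challenge/ }
    # ... every other request is sent to HTTPS
    http-request redirect scheme https code 301 unless { path_beg /.well-known/acme-challenge/ }

frontend https_in
    # HAProxy expects the chain and the private key concatenated in one PEM file:
    #   cat /etc/letsencrypt/live/nas.example.org/fullchain.pem \
    #       /etc/letsencrypt/live/nas.example.org/privkey.pem > /etc/haproxy/certs/nas.example.org.pem
    # (keep that file root-only, it contains the private key)
    bind :443 ssl crt /etc/haproxy/certs/nas.example.org.pem
    http-request set-header X-Forwarded-Proto https
    use_backend jira if { path_beg /jira }
    use_backend confluence if { path_beg /confluence }
    default_backend owncloud

# Constructed backend addresses/ports (RFC 5737 range); replace with the real servers
backend jira
    server jira1 192.0.2.11:8080 check
backend confluence
    server confluence1 192.0.2.12:8090 check
backend owncloud
    server owncloud1 192.0.2.13:80 check
```

Remember to rebuild the combined PEM and reload HAProxy after each renewal, otherwise HAProxy keeps serving the old certificate.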

Thanks for your reply! I executed the script from the HAProxy server. If I understand well, I need to redirect the traffic to another server using HAProxy as you explain, right? I need to run the generation script on the backend, right? Not on the proxy.

1 Like

The idea is to run Certbot on the same server as haproxy.

When Certbot runs, it will listen on port 402.

When haproxy sees Let’s Encrypt validation requests coming on port 80, it sends them to Certbot over port 402.

haproxy proxies the requests to Certbot. Everything runs on the same server.

2 Likes

Hello,
I now have the error DNS problem: NXDOMAIN looking up A for

root@PTC-DEB-5:/opt/letsencrypt/acme# /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --standalone --http-01-port 402 -d nas.protech-be.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nas.protech-be.be
Waiting for verification…
Challenge failed for domain nas.protech-be.be
http-01 challenge for nas.protech-be.be
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nas.protech-be.be
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for nas.protech-be.

I redirected ports 80 and 402 to the proxy and executed this command on the proxy…

protech-be.be doesn’t seem to be a registered domain.

(And protech-be isn’t an existing TLD.)

Is there a typo or something?

I did it differently. I installed certbot

apt-get install python-certbot-apache

and exec

certbot --apache

I was able to open my port 80 (I had a problem with my router before). Solved!
