Haproxy certbot renewal

Help
1

My domain is:
dev.globalnetguide.com
Among others in the haproxy.cfg file (All are having this issue)

I ran this command:
certbot renew

It produced this output: (The same error for all domains)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dev.globalnetguide.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.globalnetguide.com
Waiting for verification...
Challenge failed for domain dev.globalnetguide.com
http-01 challenge for dev.globalnetguide.com
Cleaning up challenges
Attempting to renew cert (dev.globalnetguide.com) from /etc/letsencrypt/renewal/dev.globalnetguide.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dev.globalnetguide.com
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   "-jkWA4yO67saIBvjYMTbHbbFwI2oElMKs0FeNsXhT-0.WJ-e61Q91OD4Y1v4NHUsm-khLIGn_2NKOvhLmbv-ksY"
   
!= "<html>\n<header><title>GNG</title></header>\n<body>\n<h1>Site
   Coming Soon! WWW1</h1>\n</body>\n</html>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
HAproxy front loading SSL
Apache is running on backend web servers

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Self hosted on physical server

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Additional notes:
The way I can manually renew the certs is by stopping HAproxy and then running the following command. This does work.

certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d dev.globalnetguide.com
cd /etc/letsencrypt/live/dev.globalnetguide.com

I would rather have all of the certs auto renew with the following two shell scirpts:
prepareLetsEncryptCertificates.sh

#!/bin/bash

# Loop through all Let's Encrypt certificates
for CERTIFICATE in `find /etc/letsencrypt/live/* -type d`; do

  CERTIFICATE=`basename $CERTIFICATE`

  # Combine certificate and private key to single file
  cat /etc/letsencrypt/live/$CERTIFICATE/fullchain.pem /etc/letsencrypt/live/$CERTIFICATE/privkey.pem > /etc/haproxy/ssl/$CERTIFICATE.pem

done

AND

renewLetsEncryptCertificates.sh

#!/bin/bash
certbot renew --standalone --preferred-challenges http --http-01-address 127.0.0.1 --http-01-port 9080 --post-hook "/etc/haproxy/prepareLetsEncryptCertificates.sh && systemctl reload haproxy.service" –quiet

When I run the script manually when HAproxy is running, I get the following errors

Challenge failed for domain dev.globalnetguide.com
Attempting to renew cert (dev.globalnetguide.com) from /etc/letsencrypt/renewal/dev.globalnetguide.com.conf produced an unexpected error: Some challenges have failed.. Skipping.

Here is my haproxy.cfg file contents (some areas removed or condensed for space)

global
*removed for space*

defaults
*removed for space*

# Statistic Site
*removed for space*

# Frontend configuration for HTTP
frontend frontend-http
    bind :80
    bind :::80
    mode http

    # Redirect to https
    redirect location https://willchilders.com code 301 if { hdr(Host) -i willchilders.com www.willchilders.com } !{ ssl_fc }
    redirect location https://socialtie.com code 301 if { hdr(Host) -i socialtie.com www.socialtie.com } !{ ssl_fc }
    redirect location https://stopforlife.org code 301 if { hdr(Host) -i stopforlife.org www.stopforlife.org } !{ ssl_fc }
    redirect location https://justda.com code 301 if { hdr(Host) -i justda.com www.justda.com } !{ ssl_fc }
    redirect location https://dev.globalnetguide.com code 301 if { hdr(Host) -i dev.globalnetguide.com } !{ ssl_fc }

    # ACL for detecting Let's Encrypt SSL Installation
    acl is_certbot path_beg /.well-known/acme-challenge/
    use_backend backend-certbot if is_certbot

    default_backend backend-web

# Frontend configuration for HTTPS
frontend frontend-https
    # ACL for detecting Let's Encrypt validation requests cert renewals
    acl is_certbot path_beg /.well-known/acme-challenge/ 
    use_backend backend-certbot if is_certbot

    # Redirect www to root
    redirect prefix https://willchilders.com code 301 if { hdr(host) -i www.willchilders.com }
    redirect prefix https://socialtie.com code 301 if { hdr(host) -i www.socialtie.com }
    redirect prefix https://stopforlife.org code 301 if { hdr(host) -i www.stopforlife.org }
    redirect prefix https://justda.com code 301 if { hdr(host) -i www.justda.com }

    # Load SSL Certs
    bind :443 ssl crt /etc/haproxy/ssl/
    bind :::443 ssl crt /etc/haproxy/ssl/
    mode http

    # ACL and map to backend servers
    acl wc_fe hdr(host) -i willchilders.com
    use_backend wc_be if wc_fe
    acl st_fe hdr(host) -i socialtie.com
    use_backend st_be if st_fe
    acl sfl_fe hdr(host) -i stopforlife.org
    use_backend sfl_be if sfl_fe
    acl jda_fe hdr(host) -i justda.com
    use_backend jda_be if jda_fe
    acl gng_fe hdr(host) -i dev.globalnetguide.com
    use_backend gng_be if gng_fe

    default_backend backend-web

# All backend configs are removed for space except for Certbot

# Certbot backend
# Contains certbot stand-alone webserver
backend backend-certbot
    mode http	
    server certbot 127.0.0.1:9080

Here is the content of the following file:
/etc/letsencrypt/renewal/dev.globalnetguide.com.conf

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/dev.globalnetguide.com
cert = /etc/letsencrypt/live/dev.globalnetguide.com/cert.pem
privkey = /etc/letsencrypt/live/dev.globalnetguide.com/privkey.pem
chain = /etc/letsencrypt/live/dev.globalnetguide.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.globalnetguide.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = hiding_this_not_sure_I_need_to
http01_port = 9080
http01_address = 127.0.0.1
pref_challs = http-01,
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

It appears from the errors that the certbot webserver is not getting the request and it's going directly to the site. I can't figure out how to fix the haproxy.cfg in order to make it work. Any help or direction would be greatly appreciated.

1 Like
2

The HTTP-to-HTTPS redirect in your haproxy config, is stripping the URL.

http://dev.globalnetguide.com/.well-known/acme-challenge/xyz gets redirected to https://dev.globalnetguide.com/. Let's Encrypt follows that redirect and ends up at the home page of your website.

Change the redirects to preserve the full request URL, and things should work again.

Alternatively, move the Certbot ACL in the port 80 frontend, to take priority over the redirects.

Hope that helps!

3 Likes
3

You are the boss! Moving the Certbot ACL in front of the redirects did not work for me but changing the redirects did. I changed them to the following:

redirect scheme https if { hdr(Host) -i willchilders.com www.willchilders.com }
redirect scheme https if { hdr(Host) -i socialtie.com www.socialtie.com }
redirect scheme https if { hdr(Host) -i stopforlife.org www.stopforlife.org }
redirect scheme https if { hdr(Host) -i justda.com www.justda.com }
redirect scheme https if { hdr(Host) -i dev.globalnetguide.com }

Thank you so much!!

1 Like
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.