HAproxy from selfssl to let's encrypt


#1

Hello all together,

until now I use HAproxy with selfsigned certs by openssl,to publish my internal sites by HAproxy.
All Sites are on different machines and HAproxy is only the reverse proxy.
Everything works fine, but the users must accept the self signed certs.
Now I want to change to let’s encrypt.

I installed let’s encrypt (certbot-0.14.1-3.fc25.noarch by dnf) and it works on o machine with Fedora 25.

Now my Problem begins, when is started this to get my first cert for 3 of my domains…

“sudo certbot certonly --webroot -w /etc/haproxy/ssl/WebSvrSSL-Cert_wildcard.my-domain.de_LetsEncrypt/ -d webmail.intern.my-domain.de -d activesync.intern.my-domain.de -d oc71.intern.my-domain.de

… an this is the result…

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel):my.name@my-domain.de
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host=‘acme-v01.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(’<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f17daff3610>: Failed to establish a new connection: [Errno 101] Network is unreachable’,))
Please see the logfiles in /var/log/letsencrypt for more details.

… when you access my HAproxy the URL is checked and forwarded to the internal target machine with the site und the subdirectory in the url.
Every site has a special subdirectory.
When the url is unknown and unknown subdirectory there is a forward to my external homepage.

Can someone help?


#2

Hi @RiederS,

The problem here is with an outbound connection to the CA, rather than an inbound connection to your server. The client is indicating that it is unable to make an outbound connection to https://acme-v01.api.letsencrypt.org/directory, which is required for certificate issuance.


#3

That’s it!!! Thanks a lot!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.