Haproxy / tls / renew not working


#1

hello, followed this guide:

everything worked perfectly the first time, but now it’s time to renew certificates, and that’s not working. Running:

# Renew the certificate

certbot renew --force-renewal --tls-sni-01-port=8888 --email="info@setsnc.com"

# Concatenate new cert files, with less output (avoiding the use of tee and its output to stdout)

bash -c "cat /etc/letsencrypt/live/games.setsnc.com/fullchain.pem /etc/letsencrypt/live/games.setsnc.com/privkey.pem > /etc/ssl/games.setsnc.com/games.setsnc.com.pem"

and getting:

Attempting to renew cert (games.setsnc.com) from /etc/letsencrypt/renewal/games.setsnc.com.conf produced an unexpected error: Failed authorization procedure. games.setsnc.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 57aaaf3ce05400f0a317969240e30340.1009688202afe5848871294e91b2c858.acme.invalid from 92.222.77.175:443. Received 2 certificate(s), first certificate had names “games.setsnc.com”. Skipping.

  • The following errors were reported by the server:

    Domain: games.setsnc.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    57aaaf3ce05400f0a317969240e30340.1009688202afe5848871294e91b2c858.acme.invalid
    from 92.222.77.175:443. Received 2 certificate(s), first
    certificate had names "games.setsnc.com"

I don’t get why it’s trying to reach port 443, instead of 8888.
Any help?

thanks a lot


#2

Hi @giorg

tls-sni-01 - validation is deprecated. Support ends 2019-02-13:

So you should change your challenge. Use http-01 or dns-01 instead.

Add

--preferred-challenges http

Perhaps first try to create a test certificate (using the --test-cert option) to see if it works.


#3

Let’s Encrypt always accesses port 80 for HTTP validation or port 443 for TLS-ALPN (new) or TLS-SNI (deprecated) validation.

Certbot’s --http-01-port and --tls-sni-01-port options control what port it listens on, for when you have port forwarding or some other proxy – in this case, HAProxy – rerouting the port 80 or 443 traffic to a different port.

(Certbot doesn’t implement TLS-ALPN.)


I think there’s a mistake in the tutorial. Most of it is about using HTTP validation, and then it says one thing about TLS-SNI validation, even though it can’t possibly work.

What software is actually listening on ports 80 and 443?

Can you post /etc/letsencrypt/renewal/games.setsnc.com.conf?

I think you should probably switch to HTTP validation – doubly so since TLS-SNI is being phased out. It might Just Work with your current setup, or you might have to adjust some things.

Are you using Ubuntu 16.04?

How did you install Certbot?

What command did you use to create the certificate originally?

Can you post the HAProxy configuration?


How that tutorial sets up renewal is problematic. As it says, we recommend running “certbot renew” twice a day (letting it renew when necessary) instead of once a month (forcing renewal twice as often as recommended, but only giving you one retry if it fails).

That’s mostly a matter of personal preference, but it’s very problematic to force renewal exactly at midnight on the first of the month, causing Let’s Encrypt to get a spike in requests from all sorts of different clients configured the same way.

The default Certbot systemd timer runs at a random time of the day to smooth things out. (As does the default cron job, which isn’t used on Ubuntu 16.04.)

Also, the --email argument doesn’t do anything, since you’re not registering a new account when renewing.

Aside from everything else, you should get rid of the custom cron job, and – depending on how you installed Certbot – rely on the normal systemd timer or cron job, or set up your own more typical cron job.

You can create the .pem file and reload HAProxy using a Certbot deploy hook, but the best way to do that depends on what version of Certbot you’re using, how it was installed, perhaps how it’s configured, and what timer or cron job you’re using to automate renewal.
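The deploy hook mentioned above, written out as an added example (this is not code from the thread or from the tutorial the poster followed). It assumes the path layout the poster described (lineages under /etc/letsencrypt/live, combined PEMs under /etc/ssl/<name>/<name>.pem, HAProxy config at /etc/haproxy/haproxy.cfg) and an install location of /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh, which Certbot runs automatically after a successful renewal. Certbot exports RENEWED_LINEAGE (the live directory of the renewed cert) and RENEWED_DOMAINS to deploy hooks; the PEM is written with mode 0600 through a temp file and rename, because it contains the private key and HAProxy must never see a half-written file, and HAProxy is only reloaded after its config check passes.

```shell
#!/bin/sh
# Certbot deploy hook (added example): build HAProxy's combined PEM from a renewed
# lineage and reload HAProxy. Paths below are assumptions matching the thread.
set -eu

HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"   # assumed location
PEM_ROOT="${PEM_ROOT:-/etc/ssl}"                         # /etc/ssl/<name>/<name>.pem

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# Concatenates fullchain.pem + privkey.pem (the order HAProxy expects) into OUT_FILE.
# The file holds the private key, so it is created 0600 via mktemp and moved into
# place atomically: HAProxy reads crt files as root at startup/reload and sees either
# the old file or the new one, never a truncated one.
build_haproxy_pem() {
    lineage="$1"
    out="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    umask 077
    mkdir -p "$(dirname "$out")"
    tmp="$(mktemp "$out.XXXXXX")"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# reload_haproxy: validate the config first so a bad PEM cannot take the proxy down.
# Returns 2 when haproxy is not installed (lets the hook be exercised on a dev box).
reload_haproxy() {
    command -v haproxy >/dev/null 2>&1 || return 2
    haproxy -c -q -f "$HAPROXY_CFG"
    systemctl reload haproxy
}

# Certbot sets RENEWED_LINEAGE only when it invokes the hook; run by hand without it,
# the script defines the functions and does nothing else.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name="$(basename "$RENEWED_LINEAGE")"      # e.g. games.setsnc.com
    build_haproxy_pem "$RENEWED_LINEAGE" "$PEM_ROOT/$name/$name.pem"
    reload_haproxy
fi
```

With the hook in place, the cron job that force-renews and concatenates by hand is no longer needed: the packaged systemd timer runs "certbot renew" at a randomised time, Certbot decides whether a renewal is due, and the hook only fires when a certificate actually changed. To move the lineage off TLS-SNI as suggested above, a one-off run such as "certbot renew --preferred-challenges http --http-01-port 8888 --dry-run" exercises the HTTP-01 path through the HAProxy ACL without issuing a real certificate; once it passes, the same options without --dry-run are written into the renewal conf for future runs.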


#4

hi, thanks for your answers. I’m using Ubuntu 18. I installed certbot this way:

sudo add-apt-repository -y ppa:certbot/certbot
sudo apt-get update
sudo apt-get install -y certbot

and this is my haproxy cfg:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor
    option http-server-close
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth giorg:d10can3

frontend fe-scalinglaravel
    bind *:80
    bind *:443 ssl crt /etc/ssl/games.setsnc.com/games.setsnc.com.pem crt /etc/ssl/phpmyadmin.setsnc.com/phpmyadmin.setsnc.com.pem crt /etc/ssl/isabella-lega.eu/isabella-lega.eu.pem
    # Test URI to see if it's a letsencrypt request
    # if the URI contains /.well-known/acme-challenge/ then letsencrypt-acl becomes true, otherwise it is false
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    # if letsencrypt-acl is true, use the backend letsencrypt-backend
    use_backend letsencrypt-backend if letsencrypt-acl

    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }

    default_backend be-scalinglaravel

    acl isalega hdr(host) -i isabella-lega.eu
    acl games hdr(host) -i games.setsnc.com
    acl myadmin hdr(host) -i phpmyadmin.setsnc.com

    use_backend bellito if isalega
    use_backend be-scalinglaravel if games
    use_backend be-scalinglaravel if myadmin

backend bellito
    mode http
    server bellito 10.117.227.250:80 check

# LE Backend

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

# Normal (default) Backend
# for web app servers

backend be-scalinglaravel
    # traffic redirected to https
    redirect scheme https if !{ ssl_fc }
    server server1 10.117.227.80:80 check

frontend ssh-in
    bind *:222
    default_backend ssh
    timeout client 1h
    mode tcp

backend ssh
    mode tcp
    server server1 10.117.227.80:22

frontend ssh-isa
    bind *:2222
    default_backend sshisa
    timeout client 1h
    mode tcp

backend sshisa
    mode tcp
    server myisa 10.117.227.250:22

thanks a lot


#5

It probably doesn’t matter, but are you using 18.04 or 18.10?


#6

Hello,
I’m using 18.04

thanks


#7

sorry, forgot to attach renewal conf file:

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/games.setsnc.com
cert = /etc/letsencrypt/live/games.setsnc.com/cert.pem
privkey = /etc/letsencrypt/live/games.setsnc.com/privkey.pem
chain = /etc/letsencrypt/live/games.setsnc.com/chain.pem
fullchain = /etc/letsencrypt/live/games.setsnc.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = df8f80ab3b873e67754743ff473c18ee
#http01_port = 8888
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
tls_sni_01_port = 8888

thanks