Help automatically renew certs with haproxy


#1

Hello, I’m trying to renew my certs using this command:
sudo certbot certonly --dry-run --agree-tos --renew-by-default --standalone --preferred-challenges http-01 --http-01-port 54321 -d my.com -d www.my.com

But I get the following error:
Failed authorization procedure. my.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to my.com, www.my.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.my.com

As you can see I’m using --http-01-port 54321 and I’ve configured haproxy like this:

frontend http
  bind 0.0.0.0:80

  # pre-2.1 syntax: reqadd was deprecated in HAProxy 2.0 and removed in 2.1,
  # where the equivalent is: http-request add-header X-Forwarded-Proto http
  reqadd X-Forwarded-Proto:\ http

  # send ACME HTTP-01 requests to the local certbot standalone listener
  acl letsencrypt-request path_beg /.well-known/acme-challenge/
  use_backend letsencrypt if letsencrypt-request

  # everything else arriving on :80 is redirected to HTTPS
  redirect scheme https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge }

  default_backend letsencrypt

frontend https
  bind 0.0.0.0:443 ssl ...

backend letsencrypt
  # certbot --standalone --http-01-port 54321 listens here
  server letsencrypt 127.0.0.1:54321

I hope someone can help me figure out what's going on.

Thanks


#2

Can you see (e.g. maybe in logs) whether the HTTP connections come through to your haproxy at all?

Is it possible that when Let's Encrypt tries to connect (from somewhere out in the Internet) to the host names you've given on port 80, it doesn't reach your server at all? E.g. a firewall could be in the way.

If it was able to connect but then got a response from some other component instead of the certbot client, or if it got an error message, I'd expect that to be shown in the certbot output. So that's why I suspect it's really just not able to connect to your haproxy at all.

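One way to check what reply #2 is asking about, as an added example that is not code from this thread or from certbot/haproxy: the script below stands in for certbot's standalone listener (serving one token on a port, as `--http-01-port 54321` would) and probes the challenge URL the way the CA's validator does, so you can tell a "could not connect" (nothing on port 80 reaches haproxy, e.g. a firewall or NAT) apart from "connected but got something else" (haproxy reached, but the ACME path did not land on the standalone listener). The hostname `my.com`, the token and the ports are assumptions; `self_test()` runs the whole exchange on loopback so the script works offline.

```python
"""Probe an HTTP-01 challenge URL as a CA validator would, with a stand-in
for certbot's standalone listener so the probe can be exercised end to end.

Added example; hostname, token and ports are assumptions, not thread data.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"


class _TokenHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for certbot --standalone: one token, 404 otherwise."""
    token = "test-token"  # replaced per instance by serve_token()

    def do_GET(self):
        if self.path == ACME_PREFIX + self.token:
            body = self.token.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_token(token, host="127.0.0.1", port=0):
    """Start a background listener serving `token`; returns (server, port).

    port=54321 mimics the listener certbot opens with --http-01-port 54321;
    port=0 lets the OS pick a free port, which the self-test uses.
    """
    handler = type("TokenHandler", (_TokenHandler,), {"token": token})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_challenge(hostname, token, connect_host=None, port=80, timeout=5):
    """GET the challenge URL with Host: hostname, as the validator does.

    connect_host lets you aim at 127.0.0.1 (does haproxy route the path to
    the listener?) while still sending the public Host header; by default the
    hostname is resolved, which is the view the CA has.
    Returns {'ok', 'status', 'body'} or {'ok': False, 'error': ...}.
    """
    target = connect_host or hostname
    try:
        conn = http.client.HTTPConnection(target, port, timeout=timeout)
        conn.request("GET", ACME_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Refused or timed out: this is the "could not connect to the client"
        # case from the certbot error, i.e. port 80 never reaches haproxy.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
    # 200 with the token as body means haproxy forwarded the ACME path to the
    # standalone listener; anything else means some other component answered.
    return {"ok": resp.status == 200 and body == token,
            "status": resp.status, "body": body}


def self_test():
    """Run the exchange on loopback: right token, wrong token, closed port."""
    token = "abc123"  # constructed token, not a real ACME challenge
    server, port = serve_token(token)
    try:
        good = probe_challenge("my.com", token, connect_host="127.0.0.1", port=port)
        wrong = probe_challenge("my.com", "other", connect_host="127.0.0.1", port=port)
    finally:
        server.shutdown()
        server.server_close()
    # Listener is gone now, so this reproduces the "could not connect" case.
    refused = probe_challenge("my.com", token, connect_host="127.0.0.1", port=port, timeout=2)
    return {"good": good, "wrong": wrong, "refused": refused}


if __name__ == "__main__":
    for name, result in self_test().items():
        print(name, result)
```

For the real check, run `serve_token("sometoken", port=54321)` on the haproxy host (or start certbot with `--http-01-port 54321` and a token you know), then call `probe_challenge("my.com", "sometoken")` from a machine outside your network; an `error` result there, with `ok` results from `connect_host="127.0.0.1", port=80` on the host itself, points at a firewall or NAT rather than at the haproxy rules.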
