How to setup multiple LetsEncrypt boxes behind HaProxy?

I have one domain with multiple subdomains, all behind a single IP.
I have HAProxy behind the router, and ports 80 and 443 are forwarded to HAProxy.
I would like to have Let's Encrypt certificates on , and so on.
I have set up HAProxy as:
    frontend http
        bind *:80
        mode http
        option httplog
        redirect scheme https code 301 if !{ ssl_fc }
        acl www_req hdr(host) -i
        use_backend zc_01_http_backend if www_req

    backend zc_01_http_backend
        mode http
        balance roundrobin
        option forwardfor
        server node10

    frontend https-in
        bind *:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend zc_01_https_backend if { req.ssl_sni -i }

    backend zc_01_https_backend
        mode tcp
        server node4

But when I run --issue --standalone -d I get a validation error: error:Fetching Error getting validation data

Any idea how to solve it? Thanks

Please specify the affected domain name (do not hide it).

The domain is and the subdomain is .
Thank you.

OK, let's focus on first:

$ wget -S -O /dev/null
HTTP-Anforderung gesendet, warte auf Antwort...
HTTP/1.1 301 Moved Permanently
Content-length: 0
Connection: close

Every access to this domain via http redirects to https, BUT:

$ openssl s_client -connect -servername
139692595906208:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 324 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The webserver on port 443 does NOT speak HTTPS, but plain HTTP instead.
I would recommend excluding the location /.well-known/acme-challenge/ from the HTTPS redirect. Also, you have to fix the configuration of the webserver regarding HTTPS.

1 Like
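The change recommended above, as an added example that is not the poster's configuration and not an official Let's Encrypt or HAProxy snippet: the HTTP frontend hands `/.well-known/acme-challenge/` to a dedicated backend before the HTTPS redirect applies, and the TCP-mode HTTPS frontend routes by SNI with a fallback. The hostnames (`sub1.example.com`, `sub2.example.com`), the backend addresses in 192.0.2.0/24, the ACME listener port 8080 and the backend names are placeholders chosen for the example.

```haproxy
# Added example configuration (placeholder hosts/ports, not the thread's values).

frontend http
    bind *:80
    mode http
    option httplog
    # HTTP-01 validation requests arrive on port 80 under this path;
    # they must reach the ACME client unredirected, so match them first.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_http_backend if is_acme
    # Everything else is redirected to HTTPS.
    redirect scheme https code 301 if !is_acme
    default_backend zc_01_http_backend

backend acme_http_backend
    mode http
    # Placeholder: where the ACME client listens, e.g. acme.sh run with
    # "--standalone --httpport 8080" on that host. Only reached for the challenge path.
    server acme 192.0.2.10:8080

backend zc_01_http_backend
    mode http
    option forwardfor
    server node10 192.0.2.10:80

frontend https-in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    # Wait for the TLS ClientHello so the SNI is available for routing.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Placeholder hostnames: route each name to its own TLS-terminating backend.
    use_backend zc_01_https_backend if { req.ssl_sni -i sub1.example.com }
    use_backend zc_02_https_backend if { req.ssl_sni -i sub2.example.com }
    # Clients that send no SNI (e.g. openssl s_client without -servername)
    # match none of the rules above; without a default they would be dropped.
    default_backend zc_01_https_backend

backend zc_01_https_backend
    mode tcp
    # In tcp mode HAProxy only passes bytes through, so this backend must itself
    # speak TLS on the port given here; plain HTTP on 443 gives the handshake
    # failure seen in the openssl test above.
    server node4 192.0.2.11:443

backend zc_02_https_backend
    mode tcp
    server node11 192.0.2.12:443
```

A check after reloading: `curl -I http://sub1.example.com/.well-known/acme-challenge/test` should return whatever the ACME backend answers (a 404 when no challenge is active) rather than a 301, and `openssl s_client -connect <haproxy-ip>:443 -servername sub1.example.com` should complete the handshake and show the backend's certificate.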

Thank you for your help.
I have played around with this a little more.
So the service runs on port 9033, and if I run:
openssl s_client -connect -servername
through the proxy it seems to work OK, though if I run:
openssl s_client -connect it does not.
If I run openssl s_client -connect directly, not through HAProxy, it works too.
So how do I set the config for this to work?
The current config does not pick it up:
    frontend z-https-in
        bind *:9033
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend z-zc_01_https_backend if { req.ssl_sni -i }
        use_backend z-zc_02_https_backend if { req.ssl_sni -i }
        #default_backend z-zc_01_https_backend

    backend z-zc_02_https_backend
        mode tcp
        server node11

    backend z-zc_01_https_backend
        mode tcp
        server node4

Thank you very much.
