How to setup multiple LetsEncrypt boxes behind HaProxy?


#1

Hi,
I have one domain a.com with multiple subdomains a.a.com, b.a.com, c.a.com
All behind single IP.
I have HAproxy behind the router and ports 80 and 443 are forwarded to haproxy.
I like to have LetsEncrypt certificates on a.a.com, b.a.com and so on.
I have setup the haproxy as:
frontend http
    bind *:80
    mode http
    option httplog
    redirect scheme https code 301 if !{ ssl_fc }
    acl www_req hdr(host) -i a.a.com
    use_backend zc_01_http_backend if www_req

backend zc_01_http_backend
    mode http
    balance roundrobin
    option forwardfor
    server node10 192.168.199.132:80

frontend https-in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend zc_01_https_backend if { req.ssl_sni -i a.a.com }

backend zc_01_https_backend
    mode tcp
    server node4 192.168.199.132:443

But when I run acme.sh --issue --standalone -d a.a.com I get a validation error:
zc-sn-01.linqone.com:Verify error:Fetching https://a.a.com/.well-known/acme-challenge/IERJmLNablNK44Q4KM5f1pg3kTqeuyzpc0Kcl1a_f6c: Error getting validation data

Any idea how to solve it? Thanks


#2

Please specify the affected domain name (do not hide it).


#3

The domain is linqone.com and subdomain is zc-sn-01.linqone.com
Thank you.


#4

OK, let's focus on zc-sn-01.linqone.com first:

$ wget -S -O /dev/null zc-sn-01.linqone.com
HTTP-Anforderung gesendet, warte auf Antwort…
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://zc-sn-01.linqone.com/
Connection: close

Every access to this domain via http redirects to https, BUT:

$ openssl s_client -connect zc-sn-01.linqone.com:443 -servername zc-sn-01.linqone.com
CONNECTED(00000003)
139692595906208:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 324 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The webserver on port 443 does NOT speak HTTPS, but plain HTTP instead.
I would recommend excluding the location /.well-known/acme-challenge/ from the https redirect. Also you have to fix the configuration of the webserver regarding https.


#5

Thank you for your help.
I have played around with this a little more.
So the service runs on port 9033 and if I run:
openssl s_client -connect zc-sn-01.linqone.com:9033 -servername zc-sn-01.linqone.com
Through the proxy it seems to work ok though if I run:
openssl s_client -connect zc-sn-01.linqone.com:9033 it does not.
If I run openssl s_client -connect zc-sn-01.linqone.com:9033 directly not through the haproxy it works too.
So how do I set the config for this to work?
Current config does not pick it up:
frontend z-https-in
    bind *:9033
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend z-zc_01_https_backend if { req.ssl_sni -i zc-sn-01.linqone.com }
    use_backend z-zc_02_https_backend if { req.ssl_sni -i zc-sn-02.linqone.com }
    #default_backend z-zc_01_https_backend

backend z-zc_02_https_backend
    mode tcp
    server node11 192.168.199.229:9033

backend z-zc_01_https_backend
    mode tcp
    server node4 192.168.199.132:9033

Thank you very much.
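The following is an added example, not a configuration posted in this thread. It puts together the two points raised above: post #4's advice to exclude /.well-known/acme-challenge/ from the HTTPS redirect, and the symptom in post #5 that a TCP frontend routing purely on SNI has nowhere to send a client that presents no server name (openssl s_client without -servername sends none), so the connection is closed when no default_backend is set. Host names and backend addresses are taken from the thread; the assumption that acme.sh --standalone is listening on port 80 of 192.168.199.132 while the certificate is being issued is constructed for the example.

```haproxy
# Added example (not the poster's config). Assumes acme.sh --standalone is
# answering HTTP-01 challenges on 192.168.199.132:80 during issuance.

frontend http
    bind *:80
    mode http
    option httplog
    # HTTP-01 validation is fetched over plain HTTP; match the challenge path
    # before the redirect so the CA never gets sent to a port 443 that may
    # not have a certificate yet (or, as in post #4, does not speak TLS at all).
    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl host_zc01 hdr(host) -i zc-sn-01.linqone.com
    acl host_zc02 hdr(host) -i zc-sn-02.linqone.com
    use_backend acme_zc01_backend if acme_challenge host_zc01
    use_backend acme_zc02_backend if acme_challenge host_zc02
    # Everything that is not a challenge request is pushed to HTTPS
    redirect scheme https code 301 if !acme_challenge !{ ssl_fc }
    use_backend zc_01_http_backend if host_zc01

backend acme_zc01_backend
    mode http
    # host where "acme.sh --issue --standalone -d zc-sn-01.linqone.com" runs (assumed)
    server acme01 192.168.199.132:80

backend acme_zc02_backend
    mode http
    # host where "acme.sh --issue --standalone -d zc-sn-02.linqone.com" runs (assumed)
    server acme02 192.168.199.229:80

backend zc_01_http_backend
    mode http
    balance roundrobin
    option forwardfor
    server node10 192.168.199.132:80

frontend https-in
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    # Wait for the ClientHello so req.ssl_sni is populated before routing
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend zc_01_https_backend if { req.ssl_sni -i zc-sn-01.linqone.com }
    use_backend zc_02_https_backend if { req.ssl_sni -i zc-sn-02.linqone.com }
    # A client that sends no SNI matches neither rule; without a default
    # backend HAProxy closes the connection, which is what post #5 observed.
    default_backend zc_01_https_backend

backend zc_01_https_backend
    mode tcp
    # This server must terminate TLS itself: HAProxy passes the raw bytes through
    server node4 192.168.199.132:443

backend zc_02_https_backend
    mode tcp
    server node11 192.168.199.229:443
```

Two checks are worth running against a configuration like this: `haproxy -c -f <file>` to catch syntax slips such as an unbalanced brace in an ACL, and `openssl s_client -connect zc-sn-01.linqone.com:443 -servername zc-sn-01.linqone.com` both with and without -servername, which should now reach a backend either way and must return a certificate rather than the handshake failure seen in post #4. Once issuance works, the same path exclusion keeps renewals working without touching the redirect.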


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.