I’m in the process of working through applying LetsEncrypt across multiple domains through HAProxy. So far it’s been quite an interesting challenge, especially given that most, if not all guides, are specific to nginx/apache and not much for HAProxy itself, those which do exist however are hit & miss and don’t really go into the exact level of detail, so I started from scratch, and now have a fully working implementation (which for the most part is now fully automated, including the addition of extra domains as required), except for being fully happy with the HPKP implementation.
So far, I’ve created the hashes for the LE Intermediate certs (X3 and X4 Backup), and this is where I’m now a little stuck.
I’ve created the hash from the (latest) cert created from LE using the following command:
openssl x509 -pubkey < /etc/letsencrypt/archive/tardis.io/cert3.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
However, I’m unsure as to what to use as backup? As no backup cert is created or provided by LE during creation/renewal. When renewing, a new cert is created, and so I rehash against that & update the HPKP header which works fine from testing & checking, but again, I’ve no idea what key to use as backup.
Certs are being created/renewed with the following command:
/opt/letsencrypt/letsencrypt-auto --must-staple --agree-tos --rsa-key-size 4096 --renew-by-default --standalone --preferred-challenges http-01 --http-01-port 9999 certonly -d dom1 -d dom2
For now, I’ve used the previous key (cert2.pem) which is valid until July as the Backup cert, but I’d rather not have to request 2 certs during renewal just to have a backup (which goes against the ratelimit) as even though I have some san certs for multiple domains/sub domains, I do also require individual certs for specific subdomains only.
Qualys SSL Labs reports the PINS for the intermediate cert & leaf cert are pinned OK, and securityheaders.io also reports no issues with the headers, however, I just need the backup hash solution explaining a bit better.