I work at a hosting company where we decided to make a certbot plugin to use with HAProxy for our shared hosting platform. We open-sourced the plugin and I’m posting this to ask if anyone would be interested in using it and what the integration options with certbot would be.
Our situation is as follows: we have several hosting nodes, on which people share an Apache2/PHP/MySQL hosting environment for their web environments. Their websites are reached through HAProxy, which selects the correct backend and hosting node. This HAProxy now also serves the LE TLS certificates. We made a button in our service center that, when a user presses it, requests an LE certificate for their domain and configures HAProxy to serve that certificate. Our HAProxy is also configured to make the certbot plugin handle the authentication command.
We decided to make the plugin open source and would like to ask you to take a look at it. Is this something more people would use, and if so, should we undertake steps to include this HAProxy plugin into the certbot repository? Here’s a bit more information on the plugin (from the readme):
This is a certbot plugin for using certbot in combination with a HAProxy setup. Its advantage over using the standalone certbot is that it automatically places certificates in the correct directory and restarts HAProxy afterwards. It should also enable you to very easily do automatic certificate renewal.
Furthermore, you can configure HAProxy to handle Boulder’s authentication using the HAProxy authenticator of this plugin.
It was created for use with Greenhost’s shared hosting environment and can be useful to you in the following cases:
- If you use HAProxy and have several domains for which you want to enable Let’s Encrypt certificates.
- If you yourself have a shared hosting platform that uses HAProxy to redirect to your client’s websites.
- Actually any case in which you want to automatically restart HAProxy after you request a new certificate.
It should be noted that the plugin does not configure HAProxy for you. Because HAProxy configurations can can vary a great deal, we decided that at least for our use case this should be done “manually” (on our platform the script that calls certbot also does the configuration changes). Please read the installation instructions on how to configure HAProxy for use with the plugin. If you have a good idea on how we can implement automatic HAProxy configuration, you are welcome to create a merge request or an issue.
Please ask me and @SnijderC if you need more information.