Installation with Haproxy and LXC Containers

I haven’t yet installed Certbot because I have concerns about how it would run in my infrastructure and need some advice.

I’m currently running LXC containers. Each container runs an instance of Nginx for a specific domain. Haproxy, running in a separate container, terminates SSL and proxies the request to the correct container.

In looking at the instructions for Certbot, it seems that setup and renewal will never work for me since Haproxy is in one container and the Server nodes are in another. Is there a way around this? Or is it a case where once I copy the validation files into /.well-known on the correct server, it won’t be necessary again? If so, where does Certbot run? I assume in the container with Haproxy?

I also do LXC + haproxy.

Yes. Run Certbot in standalone mode and just proxy the requests from haproxy to the standalone port.

e.g.

certbot --standalone --http-01-port 999 -d example.org

In the frontend:

acl acl_letsencrypt path_beg /.well-known/acme-challenge/
use_backend be_letsencrypt if acl_letsencrypt

with this backend:

backend be_letsencrypt
    server le 127.0.0.1:999

@_az Most of that makes sense, but since multiple domains are running on the single host, won’t the path_beg directive be too ambiguous? or does certbot track and maintain multiple acme-challenges?

@_az, does standalone mode also mean that auto-renewal isn’t going to work?

No, it's not ambiguous. Certbot's standalone mode doesn't care about what the incoming hostname is, it's all just one big bucket of challenges. As long as you route that path in all of your frontends (by including the acl), no problem.

Why wouldn't it?

Certbot renewal cron runs, standalone starts up and binds to an unused but well-known port (e.g. 999), and haproxy routes all acme-challenge requests to it.

If Certbot isn't running then haproxy will just throw a 503 for that acme-challenge path, which is the correct response.

You will need to do some extra work in a --deploy-hook to create the "combined" certificate format that haproxy expects, since Certbot doesn't do that for you. You can also check out acmetool (in proxy mode, its version of standalone), which does generate it - that's what I've been using for years with haproxy and it's solid as a rock.

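The --deploy-hook mentioned above, written out as an added example (this is not the poster's script, nor anything shipped by Certbot or haproxy). It concatenates fullchain.pem and privkey.pem in the order haproxy's `crt` directive expects, writes the bundle atomically with mode 0600, and reloads haproxy only after `haproxy -c` accepts the config. RENEWED_LINEAGE is the variable Certbot exports to deploy hooks; the paths /etc/haproxy/certs and /etc/haproxy/haproxy.cfg are assumptions for the example.

```shell
#!/bin/sh
# Example certbot --deploy-hook for haproxy (added example, not from the original post).
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS when it runs a deploy hook after a successful renewal.

# Directory that haproxy's "crt" directive points at (assumed path).
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# build_combined_pem LINEAGE_DIR OUT_DIR
# Writes OUT_DIR/<lineage-name>.pem containing fullchain.pem followed by
# privkey.pem, which is the layout haproxy expects. Prints the output path.
build_combined_pem() {
    lineage="$1"
    outdir="$2"
    name=$(basename "$lineage")
    out="$outdir/$name.pem"
    tmp="$out.tmp.$$"

    [ -r "$lineage/fullchain.pem" ] || { echo "missing $lineage/fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing $lineage/privkey.pem" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # umask in a subshell so the temp file is never created world-readable:
    # it contains the private key from the first byte written.
    ( umask 077 && cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    # Atomic rename so haproxy never loads a half-written bundle.
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    echo "$out"
}

# reload_haproxy: validate the configuration first so a bad bundle or config
# does not take the proxy down. Skips silently where haproxy is not installed.
reload_haproxy() {
    command -v haproxy >/dev/null 2>&1 || return 0
    haproxy -c -q -f "$HAPROXY_CFG" || { echo "haproxy config check failed, not reloading" >&2; return 1; }
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload haproxy
    else
        service haproxy reload
    fi
}

# Entry point when Certbot invokes the hook: RENEWED_LINEAGE is set by Certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR" && reload_haproxy
fi
```

Install it as `--deploy-hook /path/to/this-script.sh` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) and point haproxy at the directory with `bind *:443 ssl crt /etc/haproxy/certs/`; haproxy picks the certificate for each SNI name from the bundles in that directory.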

@_az, Thanks for your help on this. I got it working with one of my “test sites” today. Your instructions were quite helpful. It looks like I had to add the “certonly” flag at the cmd line though.

