Letsencrypt with Haproxy


#1

Hi,

I’ve recently renewed my existing certificate. Post renewal, I copied the certificate directory onto haproxy and reloaded haproxy, but post reload my website is sometimes showing as unsecure and at times as secure.

Best Regards,
Zahid


#2

What’s your domain name ?


#3

Hi,

I’ve created SAN for my test website as follows:

betatesting.jdseller.com
static1.betatesting.jdseller.com
static2.betatesting.jdseller.com
static3.betatesting.jdseller.com
static4.betatesting.jdseller.com
static4.betatesting.jdseller.com

So sometimes it throws “certificate expired” randomly for any of the above domains and subdomains, and at times it loads https properly.

My certificate is on haproxy and my nginx is on another server.

This was working fine earlier, but post the latest renewal I’m facing this problem.

Kindly help!!

Best regards,
Zahid


#4

You appear to be using 2 different certs in your config. One is showing

Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not Before: Feb 8 16:33:00 2017 GMT
Not After : May 9 16:33:00 2017 GMT

The other is the old cert

Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not Before: Nov 8 04:44:00 2016 GMT
Not After : Feb 6 04:44:00 2017 GMT

I’d suggest a quick check of your configs to make sure all of them are pointing to the “live” certificates and not the “archive” ones.


#5

Hi,

Thanks for your prompt reply. However, my configuration is fine. I’ve double checked it.

I have renewed the certificate on server A (a few days back) and then copied the entire directory (ignoring the symlinks to …/…/archive/betatesting.jdseller.com on the same server) using “/etc/letsencrypt/live/betatesting.jdseller.com” to server B to “/etc/haproxy/certs” and then restart haproxy on server A and nginx and php on server B. Hope I’m doing things properly here.

Please suggest…

Best Regards,
Zahid


#6

Hi Zahid,

serverco is absolutely right.

Your SAN is not set up correctly: you are using the betatesting.jdseller.com certificate on your sub-domains.

Chrome seems to have no issues with your first domain, and Firefox doesn’t seem to mind after the first time.

Both Chrome and Firefox don’t like your sub-domains.

It looks like one of your backend servers is also serving an old certificate.

https://www.ssllabs.com/ssltest/analyze.html?d=betatesting.jdseller.com

a) obtain a SAN certificate for the root and sub-domains (they all have to be SAN entries on the CSR)
b) disable weak ciphers
c) reinstall the new certificate on all servers (proxies and backends) and reload them

Andrei


#7

Hi Andrei,

Thanks for your valuable inputs. There is no certificate at my backend server.

How can I remove the old SAN?

Also, is the following the correct way to get a new SAN? Please correct me if I’m wrong.

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/test -d betatesting.jdseller.com -d static1.betatesting.jdseller.com -d static2.betatesting.jdseller.com -d static3.betatesting.jdseller.com -d static4.betatesting.jdseller.com -d static5.betatesting.jdseller.com

Best Regards,
Zahid


#8

Hi Andrei,

I’ve now reinstalled a fresh SAN for my domain and its sub-domains, but still I’m getting issues with my sub-domains and at times an expired certificate on the main domain as well. I’ve removed all old certificates but still no success. Not sure if haproxy maintains any caches for old certificates.

I’ve installed the fresh SAN using the following and then restarted haproxy and my backend nginx, but still no success:

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/test -d betatesting.jdseller.com -d static1.betatesting.jdseller.com -d static2.betatesting.jdseller.com -d static3.betatesting.jdseller.com -d static4.betatesting.jdseller.com -d static5.betatesting.jdseller.com

Kindly Help!!

Best Regards,
Zahid


#9

Your default certificate on IP 125.18.61.66 is still the old certificate:

Certificate:
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not Before: Nov 8 04:44:00 2016 GMT
Not After : Feb 6 04:44:00 2017 GMT
Subject: CN=betatesting.jdseller.com

If you check your config, I’m sure it’s still pointing to the old certificate.


#10

Hi serverco,

Is the following the correct way to create a single SAN certificate with the main domain (betatesting.jdseller.com) and sub-domains (static1.betatesting.jdseller.com, static2.betatesting.jdseller.com, static3.betatesting.jdseller.com, static4.betatesting.jdseller.com, static5.betatesting.jdseller.com)?

./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/test -d betatesting.jdseller.com -d static1.betatesting.jdseller.com -d static2.betatesting.jdseller.com -d static3.betatesting.jdseller.com -d static4.betatesting.jdseller.com -d static5.betatesting.jdseller.com

Please confirm.

Best Regards,
Zahid


#11

Yes. The problem is not with the generation of the cert, though; it is that you are still using an old cert somewhere.

I’d suggest checking the actual content of the cert files.


#12

Hi Zahid,

You have issued your certificate correctly: https://crt.sh/?q=betatesting.jdseller.com

I see you have created several certificates.

As you can see, your HA/web servers are still serving the old certificates.

There is an article on how to do this here: https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

Andrei


#13

When terminating SSL on HAProxy, ensure that:

a) You have combined the key, domain certificate and intermediate in the right order in the PEM file for HAProxy
b) You are referencing the correct (and updated) PEM file in the HAProxy configuration

See this gist as a reference, for example (“Create Required PEM for HAProxy” and “Configure HAProxy to use this new PEM” sections).
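The two checks above (build the bundle correctly, then confirm the proxy is really serving it), plus the symptoms diagnosed earlier in the thread (sub-domain names missing from the SAN list, an expired default certificate on the bare IP), can be scripted. The following is an added example written for this page; it is not code from the thread, the gist, or the DigitalOcean tutorial. It assumes the standard certbot layout under /etc/letsencrypt/live/<name>/ (privkey.pem, fullchain.pem) and the openssl command-line tool; the host names and paths in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: build the HAProxy PEM from a certbot
# "live" directory and check what HAProxy really serves for each SAN name.
# Assumes the standard certbot layout (privkey.pem, fullchain.pem) and the
# openssl CLI; host names and paths below are placeholders.
set -eu

# HAProxy wants one PEM holding the private key, the leaf certificate and the
# intermediate(s). certbot's fullchain.pem is already leaf followed by chain,
# so fullchain + key is the whole bundle. cat reads *through* the live/
# symlinks, so the bytes come from the current archive/ version, not a stale
# copy of the link targets.
build_haproxy_pem() {
    local live_dir="$1" out="$2"
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out"
    chmod 600 "$out"   # the bundle contains the private key
}

# Leaf-certificate details from a PEM (openssl x509 reads the first CERTIFICATE block).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
cert_not_after()   { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | grep -o 'DNS:[^ ]*' | sed 's/^DNS://' | sort || true
}
# Returns 0 if the leaf is still valid for at least $2 more seconds.
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Returns 0 if every host name given is a DNS SAN of the leaf in $1 (the
# sub-domain errors in the thread came from a cert that only named the apex).
pem_covers_names() {
    local pem="$1" sans missing=0 name
    shift
    sans=$(cert_sans "$pem")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "$name"; then
            echo "MISSING SAN: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# Fingerprint of the certificate a TLS endpoint presents. With an empty SNI
# name the server's default certificate comes back, which is what a scan of
# the bare IP address sees.
served_fingerprint() {
    local host="$1" port="$2" sni="${3:-}"
    if [ -n "$sni" ]; then
        openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: ./haproxy-cert-check.sh LIVE_DIR OUT_PEM NAME [NAME...]
# e.g.   ./haproxy-cert-check.sh /etc/letsencrypt/live/betatesting.jdseller.com \
#            /etc/haproxy/certs/betatesting.jdseller.com.pem \
#            betatesting.jdseller.com static1.betatesting.jdseller.com
if [ "$#" -ge 3 ]; then
    live="$1"; pem="$2"; shift 2
    build_haproxy_pem "$live" "$pem"
    local_fp=$(cert_fingerprint "$pem")
    echo "local leaf $local_fp expires $(cert_not_after "$pem")"
    cert_valid_for "$pem" $((7*86400)) || echo "WARNING: local cert expires within 7 days" >&2
    pem_covers_names "$pem" "$@" || echo "fix the SAN list (re-issue) before reloading" >&2
    for name in "$@"; do
        if [ "$(served_fingerprint "$name" 443 "$name")" = "$local_fp" ]; then
            echo "OK       $name serves the new certificate"
        else
            echo "MISMATCH $name serves a different certificate (check every bind ... crt path, then reload)"
        fi
    done
    if [ "$(served_fingerprint "$1" 443 "")" != "$local_fp" ]; then
        echo "MISMATCH default (no-SNI) certificate differs from the new bundle"
    fi
fi
```

Run it after every renewal and before declaring the reload done: a MISMATCH for one name while the others say OK is exactly the "sometimes secure, sometimes expired" pattern from this thread, and the no-SNI line catches the stale default certificate that the IP-address check in post #9 reported.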

