Migrating process from Apache2 reverse proxy to HAproxy, need advice

I've been using Apache2 reverse proxy with letsencrypt on my miniserver for several years. As I'm going to retire the server and replace it with a bigger server, I intend to use HAProxy in my pfSense as a reverse proxy, instead.

My question is about how to migrate the reverse proxy with minimal interruption. I have questions about the letsencrypt part.

Is my understanding correct that if I acquire new letsencrypt certificates on my pfSense for haproxy use, the existing certificates on my miniserver are no longer valid?

If so, if, instead, I simply import the certificates from my miniserver to my pfSense, and gradually set up and test haproxy on my pfSense (may need to de-activate 443 port forwarding to my miniserver during testing from time to time). When all are good, I just regenerate new letsencrypt certificates on pfSense and have the autorenew of certificates on my pfSense.

Thanks in advance for your advice.


Hi @europacafe and welcome to the LE community forum :)

You can actually reissue the "same cert" multiple times.
That said, HTTP authentication will need to be considered.
The simplest "solution" is to (dual/re)proxy HTTP (not HTTPS) until both systems have certs.
So that:
HTTP > HAproxy > Apache > WebServer OR HTTP > HAproxy > WebServer
HTTPS > Apache > WebServer
Then catch, and handle, the challenge requests (ACME client) within the HAproxy.
Once that ACME client has all the certs it needs, you can replace the Apache system completely.
HTTP > HAproxy > WebServer
HTTPS > HAproxy > WebServer

Note: "same cert" means certs that cover the exact same set of names (but are not identical otherwise).
[each will have its own start and end date]
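
The migration phase described in the reply above, written out as an haproxy.cfg fragment. This is an added example, not part of the original post and not pfSense's generated configuration; the backend names, the addresses 192.0.2.10 and 127.0.0.1:8888, and the assumption that the ACME client answers challenges on a local standalone listener are all constructed for illustration.

```haproxy
# Added example: names, addresses and ports below are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Migration phase: only port 80 is forwarded to HAProxy.
# Port 443 is still forwarded to the Apache miniserver, which keeps
# serving HTTPS with the certificates it already has.
frontend http_in
    bind :80
    # HTTP-01 validation requests always arrive under this path.
    acl is_acme path_beg /.well-known/acme-challenge/
    # Hand challenge requests to the ACME client running next to HAProxy.
    use_backend acme_client if is_acme
    # Everything else on HTTP still goes to the old Apache reverse proxy.
    default_backend apache_legacy

backend acme_client
    # Assumption: the ACME client runs a standalone HTTP listener here.
    server acme 127.0.0.1:8888

backend apache_legacy
    # Constructed address standing in for the miniserver.
    server miniserver 192.0.2.10:80 check
```

While this routing is in place, challenge requests no longer reach the old server, so an ACME client there cannot complete HTTP-01 renewals; the certificates it already holds stay usable until they expire.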


Thank you very much. I'll try and may come back later if I need more advice.


I have tried HAProxy with letsencrypt ssl. Initially all the websites loaded so slowly, until I increased the maximum connection to 1000 on haproxy setting. It is working fine now.

Thanks again.
