Recommended CURRENT setup for LE behind haproxy 2.1

Hi,
we have some servers using a haproxy setup from https://serversforhackers.com/c/letsencrypt-with-haproxy

This setup uses the --http-01-port=8888 switch to direct the ACME response to a different port. I learned that -http-01-port has been removed from current certbot releases.

Is there a replacement command to use a different port instead of the standard “80” which is claimed by haproxy in our case? I could not find any up-to date setup examples online, there are only outdated recommendations from 2018 and older …

My domain is: netzwissen.de

I ran this command: certbot certonly --standalone -d zammad.netzwissen.de --non-interactive --agree-tos --email admin@netzwissen.de --http-01-port=8888

My web server is (include version): apache 2.4 and haproxy 2.1 (haproxy handles p. 443 requests and acts as ssl accelerator in front of unencrypted apache vservers

The operating system my web server runs on is (include version): ubuntu 18.04 LTS

My hosting provider, if applicable, is: hetzner.de, root server with full control (shell access)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Where did you learn that from? Currently I don’t see any deprecation notice/comment in the code: https://github.com/certbot/certbot/blob/dbda499/certbot/certbot/_internal/cli/init.py#L295-L298

Also, the guide you’ve used isn’t very truthful at moments. For example:

Interestingly, if HAProxy is listening on port 443, LetsEncrypt may attempt to authorize over it. So, when we create a new certificate, we need HAProxy to only be listening on port 80 .

That’s not true. If using the http-01 challenge, Let’s Encrypt will try to connect on port 80 only. If the result of that query is a redirect to a HTTPS location, yes, of course Let’s Encrypt will connect to port 443 (because HTTPS…). But it will never start with that. It’s up to the system administrator to get his affairs in order if he thinks Let’s Encrypt does something like that.
Therefore, there’s no need for HAProxy to “only listen to port 80” during certificate issuance or renewal… That’s just not true. If there’s a redirect however, and you don’t have HAProxy configured to map requests to /.well-known/acme-challenge/ to certbot on HTTPS, well, you’ll just have to bypass the redirect for those requests.

1 Like

Thanks for the info - sometimes its better to not believe all docs, especially if they are older.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.