Hey everyone,
I'm trying to renew SSL through HAProxy but hitting some walls since I'm completely new to it.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: komunamarket.rs
I ran this command: certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/www.komunamarket.rs.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (www.komunamarket.rs) from /etc/letsencrypt/renewal/www.komunamarket.rs.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.komunamarket.rs/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.komunamarket.rs/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
My web server is (include version): Nginx with HAProxy
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0
I inherited this infrastructure, so I'm completely new to HAProxy.
I'm also pasting the HAProxy cfg file. I believe I'm missing something there.
I can see letsencrypt listening on port 54321, so I'm guessing I should use the --http-01-port=xxxxx argument, but I can't say I was successful.
Here's the config:
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    #add support for ssl
    bind *:443 ssl crt /etc/ssl/certs/komuna.pem
    mode http
    option httpclose
    option forwardfor
    option http-server-close
    acl url_backend path_sub -i admin /api/ admin_indexers /key/
    acl url_backend path_beg -i /.well-known /api.php /blog/
    acl url_forb path_reg -i ^/marketplace/?$ ^/marketplace/seller/?$ ^/marketplace/seller/profile/?$ ^/marketplace/seller/profile/shop/?$
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    block if url_forb
    use_backend web-backend if url_backend
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend web-servers

backend web-backend
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
    #to web-backend
    server web 192.168.144.185:80 check

backend web-servers
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
    #to web-backend
    server web 192.168.144.185:80 check
    #Varnish
    # server varnish 127.0.0.1:6081 check

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
Thanks!
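The config above already routes /.well-known/acme-challenge/ to 127.0.0.1:54321, which is where certbot's standalone authenticator has to be listening while a challenge runs; the renewal error comes from the lineage still being configured for the manual plugin. HAProxy's `bind ... ssl crt` also expects one PEM file with the full chain followed by the private key, which certbot does not produce on its own. The following deploy hook is an added example, not part of the original post or of certbot/HAProxy: it rebuilds /etc/ssl/certs/komuna.pem from the renewed lineage with key-safe permissions, validates the HAProxy config and reloads it. The hook path /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh and the switch to the standalone authenticator on port 54321 are assumptions; the cert name and file paths come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that
# builds the single PEM file HAProxy's "bind *:443 ssl crt" expects
# (fullchain + privkey) and reloads HAProxy only if the config validates.
#
# Assumed one-time switch of the lineage away from the manual plugin, with
# HAProxy forwarding /.well-known/acme-challenge/ to 127.0.0.1:54321:
#   certbot certonly --standalone --http-01-port 54321 \
#       --cert-name www.komunamarket.rs -d www.komunamarket.rs \
#       --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
# Certbot records the authenticator, port and hook in the renewal config,
# so later plain "certbot renew" runs reuse them and call this hook only
# when a certificate was actually issued.

set -eu

# Concatenate fullchain + privkey into the HAProxy bundle. The bundle
# holds the private key, so it is created mode 600 in a subshell with a
# restrictive umask and then moved atomically into place.
build_haproxy_pem() {
    live_dir=$1      # e.g. /etc/letsencrypt/live/www.komunamarket.rs
    bundle=$2        # e.g. /etc/ssl/certs/komuna.pem
    tmp="${bundle}.tmp"
    ( umask 077; cat "${live_dir}/fullchain.pem" "${live_dir}/privkey.pem" > "$tmp" )
    chmod 600 "$tmp"
    mv "$tmp" "$bundle"
}

# Sanity check before HAProxy sees the file: exactly one private key and
# at least one certificate block (leaf plus intermediates).
check_haproxy_pem() {
    bundle=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$bundle" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Validate the configuration first so a broken bundle never takes the
# proxy down; only then ask HAProxy to reload.
reload_haproxy() {
    haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null
    systemctl reload haproxy
}

# Certbot exports RENEWED_LINEAGE (the live directory of the renewed cert)
# to deploy hooks; when run by hand without it, the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" /etc/ssl/certs/komuna.pem
    check_haproxy_pem /etc/ssl/certs/komuna.pem
    reload_haproxy
fi
```

Because the hook only runs after a successful issuance, a failed challenge leaves the existing komuna.pem untouched and HAProxy keeps serving the current certificate until the next attempt.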