SSL renewal through HAProxy

Hey everyone,

I'm trying to renew SSL through HAProxy but hitting some walls, since I'm completely new to it.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: komunamarket.rs

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/www.komunamarket.rs.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (www.komunamarket.rs) from /etc/letsencrypt/renewal/www.komunamarket.rs.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.komunamarket.rs/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.komunamarket.rs/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx with HAProxy

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I inherited this infrastructure, so I'm completely new to HAProxy.
I'm also pasting the HAProxy cfg file. I believe I'm missing something there.
I can see letsencrypt listening on port 54321, so I'm guessing I should use the --http-01-port=xxxxx argument, but I can't say I was successful.

Here's the config:

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    #add support for ssl
    bind *:443 ssl crt /etc/ssl/certs/komuna.pem
    mode http
    option httpclose
    option forwardfor
    option http-server-close
    acl url_backend         path_sub        -i admin /api/ admin_indexers /key/
    acl url_backend         path_beg        -i /.well-known /api.php /blog/
    acl url_forb            path_reg        -i ^/marketplace/?$ ^/marketplace/seller/?$ ^/marketplace/seller/profile/?$ ^/marketplace/seller/profile/shop/?$
    acl letsencrypt-acl     path_beg        /.well-known/acme-challenge/
    block if url_forb
    use_backend web-backend         if url_backend
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend web-servers

backend web-backend
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }

    #to web-backend
    server web 192.168.144.185:80 check

backend web-servers
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }

    #to web-backend
    server web 192.168.144.185:80 check
    #Varnish
    #server varnish 127.0.0.1:6081 check

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321

Thanks!

Hi @DaRk0, and welcome to the LE community forum :slight_smile:

That is not the recommended version.
See: Certbot Instructions | Certbot (eff.org)

3 Likes

You can't use certbot renew with the --manual plugin without hooks. Please see User Guide — Certbot 2.6.0 documentation or use the initial certbot command again.

Also, the manual plugin is often used as a "poor man's" alternative to automated dns-01 challenges for wildcard certificates. However, I don't see any wildcard certs in your cert history. Are you using the dns-01 challenge? If so, why exactly?

Furthermore, it seems you have some overlapping certificates issued regularly. E.g., you seem to have a certificate for both komunamarket.rs and www.komunamarket.rs, but also multiple certificates for just komunamarket.rs. What are you doing exactly? It doesn't look very structured, if I may say so.

5 Likes

Hey Osiris,

I'm not doing anything at the moment. :wink: Just trying to renew.
Like I mentioned previously, I inherited the infrastructure, so I'm not really sure what was being done before.

I'm trying to renew the cert now since it will expire in two days, and I'm not exactly sure where to start since I've never used HAProxy.

Thanks!

1 Like

With the order these rules are written, the letsencrypt-backend doesn't seem like it would ever trigger.

If a request for /.well-known/acme-challenge/xyz comes in, then the url_backend ACL will match first, which means the rule for web-backend will trigger.

Your letsencrypt-backend rule needs to have a higher priority in your configuration.

I run letsdebug.net on a similar haproxy configuration, and if I put my rules in an order similar to yours, it doesn't work. So once you fix this, you should be able to then successfully renew with:

certbot renew --cert-name www.komunamarket.rs --standalone --http-01-port 54321

and then it will automatically remember those parameters on future attempts.

5 Likes
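To make the ordering point concrete, here is an added example (not from the thread or from HAProxy itself) that emulates HAProxy's first-match evaluation of use_backend rules for path_beg and path_sub ACLs in a small awk routine. It routes a constructed ACME challenge path through a frontend in the original order and through the same frontend with the letsencrypt-backend rule moved up; the frontend text is a trimmed, constructed version of the one posted above.

```shell
#!/bin/sh
# Added example: emulate HAProxy's "first matching use_backend wins" rule to
# show why the ACME rule must precede the broader url_backend rule.

# Constructed frontend in the thread's original order (ACME rule second).
WRONG_ORDER='frontend http-in
    bind *:80
    acl url_backend         path_sub        -i admin /api/ admin_indexers /key/
    acl url_backend         path_beg        -i /.well-known /api.php /blog/
    acl letsencrypt-acl     path_beg        /.well-known/acme-challenge/
    use_backend web-backend         if url_backend
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend web-servers'

# Same frontend with the ACME rule moved to the top of the use_backend list.
FIXED_ORDER='frontend http-in
    bind *:80
    acl url_backend         path_sub        -i admin /api/ admin_indexers /key/
    acl url_backend         path_beg        -i /.well-known /api.php /blog/
    acl letsencrypt-acl     path_beg        /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend web-backend         if url_backend
    default_backend web-servers'

# route_path CONFIG PATH: print the backend HAProxy would choose for PATH.
# Supports path_beg / path_sub ACLs (optionally -i), ORs repeated ACL names
# as HAProxy does, and stops at the first use_backend whose ACL matched.
route_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "acl" {
            name = $2; kind = $3; i = 4; ci = 0
            if ($i == "-i") { ci = 1; i++ }
            for (; i <= NF; i++) {
                pat = $i; q = p
                if (ci) { pat = tolower(pat); q = tolower(q) }
                if (kind == "path_beg" && index(q, pat) == 1) hit[name] = 1
                if (kind == "path_sub" && index(q, pat) > 0) hit[name] = 1
            }
        }
        $1 == "use_backend" && $3 == "if" && hit[$4] && !done { print $2; done = 1 }
        $1 == "default_backend" && !done { print $2; done = 1 }
    '
}

# acme_rule_first CONFIG: succeed only if the first use_backend rule routes to
# letsencrypt-backend, i.e. challenge requests cannot be shadowed.
acme_rule_first() {
    first=$(printf '%s\n' "$1" | awk '$1 == "use_backend" { print $2; exit }')
    [ "$first" = "letsencrypt-backend" ]
}

# Demo: the same challenge path lands on different backends.
route_path "$WRONG_ORDER" /.well-known/acme-challenge/xyz   # web-backend
route_path "$FIXED_ORDER" /.well-known/acme-challenge/xyz   # letsencrypt-backend
```

On the real box, validate the edited file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the emulator above only models the two ACL matchers the posted frontend uses for routing, not path_reg or the block rule.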

Hey everyone. Thanks a lot for the advice. Meanwhile, I was trying by myself.

Here's what I did:

Reinstalled certbot through snapd;
Stopped HAProxy;
Ran sudo certbot certonly --standalone;
Ran sudo cat /etc/letsencrypt/live/www.komunamarket.rs/fullchain.pem /etc/letsencrypt/live/www.komunamarket.rs/privkey.pem | sudo tee /etc/ssl/certs/komuna.pem;
Re-enabled HAProxy.

Seems it's working.

[Screenshot 2023-02-15 231835]

We are getting rid of this infrastructure in 2H 2023 and deploying a new one.
Not a fan of inheriting someone else's infrastructure with zero docs.

Thanks again everyone.

2 Likes
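The manual cat-and-tee step above has to be repeated at every renewal, and the private key ends up in a file whose permissions are whatever tee inherited. As an added example (not from the thread, certbot or HAProxy), the script below builds the combined PEM HAProxy expects (full chain followed by the private key) with 0600 permissions and an atomic replace, and can be registered as a certbot --deploy-hook so a renewal through the port 54321 backend reloads HAProxy without stopping it. The lineage directory, bundle path and the demo PEM bodies are constructed placeholders; RENEWED_LINEAGE is the variable certbot sets for deploy hooks, and `systemctl reload haproxy` assumes a systemd unit of that name.

```shell
#!/bin/sh
# Added example: rebuild HAProxy's cert+key bundle from a certbot lineage.

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# Concatenate fullchain.pem and privkey.pem into OUT_FILE, mode 0600,
# written via a temp file so HAProxy never reads a half-written bundle.
build_haproxy_pem() {
    lineage="$1"; out="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp="$out.tmp.$$"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) || {
        rm -f "$tmp"; return 1
    }
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# count_pem_blocks FILE: number of PEM objects, a quick sanity check that the
# bundle holds the leaf, the chain and the key.
count_pem_blocks() {
    grep -c -- '-----BEGIN' "$1"
}

# Constructed demo lineage with placeholder PEM bodies (not real key material).
DEMO="${TMPDIR:-/tmp}/haproxy-pem-demo.$$"
mkdir -p "$DEMO/live/www.example.test"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' 'CHAIN' '-----END CERTIFICATE-----' \
    > "$DEMO/live/www.example.test/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY' '-----END PRIVATE KEY-----' \
    > "$DEMO/live/www.example.test/privkey.pem"

OUT="$DEMO/komuna.pem"
build_haproxy_pem "$DEMO/live/www.example.test" "$OUT"
echo "bundle $OUT holds $(count_pem_blocks "$OUT") PEM blocks"

# When certbot runs this script as a deploy hook, RENEWED_LINEAGE points at the
# lineage that was just renewed: rebuild the bundle and reload, not restart.
if [ -n "$RENEWED_LINEAGE" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" /etc/ssl/certs/komuna.pem \
        && systemctl reload haproxy
fi
```

Register it once with `certbot renew --cert-name www.komunamarket.rs --deploy-hook /path/to/this-script.sh`; certbot stores the hook in the renewal conf alongside the standalone/port settings, so later unattended renewals pick it up.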
