I am trying to set up SSL termination for the redthis.app domain in haproxy 2.4.2, but I am getting the following error from the browser when I use a certificate created from the staging server. I am, however, able to access the website on port 80 with the 'dangerous' message in the browser:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: redthis.app
Issuer: (STAGING) Artificial Apricot R3
Expires on: Oct 21, 2021
Current date: Jul 28, 2021
As this certificate was for staging, I tried to create one without --staging but got the message below:
the full domain name of your site - redthis.app
the command line you ran -
certbot certonly --standalone \
--preferred-challenges http \
--email mail@gmail.com --agree-tos \
--http-01-address 127.0.0.1 --http-01-port 9080 \
-d redthis.app -d www.redthis.app --non-interactive
the output of that command -
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate
Certificate not yet due for renewal; no action taken.
name and version of your operating system and your web server
Debian 10 - Buster slim
Haproxy 2.4.2 - Reverse proxy
Docker - Docker version 20.10.7, build f0df350
Golang 1.16 - webserver
what type of hosting provider you are using, if applicable - Linode vps with DNS with godaddy.
root@reddev:/opt/red# certbot certonly --standalone --preferred-challenges http --email mail@gmail.com --agree-tos --http-01-port 9080 -d redthis.app -d www.redthis.app --non-interactive --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
IMPORTANT NOTES:
- The dry run was successful.
I used --force-renewal and I am getting a 404 from the standalone webserver
root@reddev:/opt/red# certbot renew --standalone \
> --preferred-challenges http \
> --email mail@gmail.com --agree-tos --http-01-port 9080 \
> -d redthis.app -d www.redthis.app --non-interactive --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
root@reddev:/opt/red# certbot certonly --standalone --preferred-challenges http --email vivek.anandaraman@gmail.com --agree-tos --http-01-port 9080 -d redthis.app -d www.redthis.app --non-interactive --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for redthis.app
http-01 challenge for www.redthis.app
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. redthis.app (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://redthis.app/.well-known/acme-challenge/h_UN-6_OQ0_6KVDNnJNZCWV1GfHn3a9BfCPf7rmP1JE [172.105.60.242]: 404, www.redthis.app (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.redthis.app/.well-known/acme-challenge/uak01_fXcnKkn0c62earN3SPjJcU-nEPedOq0wvskZ4 [172.105.60.242]: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: redthis.app
Type: unauthorized
Detail: Invalid response from
http://redthis.app/.well-known/acme-challenge/h_UN-6_OQ0_6KVDNnJNZCWV1GfHn3a9BfCPf7rmP1JE
[172.105.60.242]: 404
Domain: www.redthis.app
Type: unauthorized
Detail: Invalid response from
http://www.redthis.app/.well-known/acme-challenge/uak01_fXcnKkn0c62earN3SPjJcU-nEPedOq0wvskZ4
[172.105.60.242]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
OK, finally I got the green padlock.
I renewed the certificate using the command below with --force-renewal, after bringing down the haproxy service on port 80. The standalone server was not listening on 9080 after all, so I had to bring down haproxy, which was listening on port 80.
Probably a reverse proxy setup in haproxy, which I've seen before.
You probably need to re-add the --http-01-address 127.0.0.1 --http-01-port 9080 part so certbot will work with haproxy running. It was working before, so it should work now.
The issue you were having earlier is probably due to an ancient version of certbot: I believe newer versions of certbot will overwrite any staging certificate with a valid certificate without any issue. But in your case, certbot did not recognise the staging cert as being invalid and refused to re-issue a new, valid one. I believe this behaviour has been fixed in more recent versions.
So to answer your thread from your first post: you only needed to add --force-renewal and all should have been good to begin with. Note that you needed --force-renewal only once! Don't use it for other renewals!
Also note that these certbot commands don't reload haproxy automatically, so after each renewal, you need to do that manually. Certbot offers a so-called "hook" which can run certain (Bash) commands after successful renewal, called --deploy-hook. You can use that to run a command to reload haproxy (I don't know which command that would be though) after renewal. For example, you could have a cronjob with:
certbot renew --deploy-hook "haproxy reload"
Where haproxy reload would be whatever command could be used to reload haproxy.
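As an added example (not code from the thread or from certbot/HAProxy), here is a complete --deploy-hook script that does the two things the replies above leave open: it assembles the single PEM file HAProxy expects (certificate chain followed by the private key) from the renewed lineage, and it reloads HAProxy. certbot passes the lineage directory (e.g. /etc/letsencrypt/live/redthis.app) to deploy hooks as RENEWED_LINEAGE and the domains as RENEWED_DOMAINS; the HAPROXY_CERT_DIR default of /etc/haproxy/certs and the HAPROXY_CONTAINER name are assumptions for this example, adjust them to your setup.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a certbot --deploy-hook that builds the
# combined PEM HAProxy needs (fullchain + private key) and reloads HAProxy.
# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.
# HAPROXY_CERT_DIR and HAPROXY_CONTAINER are assumed names for this example.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CONTAINER="${HAPROXY_CONTAINER:-haproxy}"

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# Concatenates fullchain.pem and privkey.pem from a certbot lineage directory
# into OUT_FILE. The file is written to a temp name and renamed, so a reload
# never reads a half-written certificate, and set to mode 0600 because the
# private key is inside it. Returns 1 (and writes nothing) if an input is missing.
build_haproxy_pem() {
    local lineage="$1" out="$2" f tmp
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "build_haproxy_pem: missing or unreadable $lineage/$f" >&2
            return 1
        fi
    done
    tmp="$(mktemp "$out.XXXXXX")"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# reload_haproxy
# Reloads whichever HAProxy is present: the systemd unit, or the official
# Docker image, which reloads its configuration on SIGHUP.
# Returns 1 if neither is found so certbot reports the hook failure.
reload_haproxy() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet haproxy 2>/dev/null; then
        systemctl reload haproxy
    elif command -v docker >/dev/null 2>&1 && docker inspect "$HAPROXY_CONTAINER" >/dev/null 2>&1; then
        docker kill --signal=HUP "$HAPROXY_CONTAINER"
    else
        echo "reload_haproxy: no running HAProxy found; reload it manually" >&2
        return 1
    fi
}

# Entry point used by certbot: deploy the renewed lineage, then reload.
main() {
    local name
    name="$(basename "$RENEWED_LINEAGE")"
    mkdir -p "$HAPROXY_CERT_DIR"
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR/$name.pem"
    echo "deployed $HAPROXY_CERT_DIR/$name.pem for ${RENEWED_DOMAINS:-$name}"
    reload_haproxy
}

# Only run when invoked by certbot (RENEWED_LINEAGE set), so the functions
# can also be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it executable (for example as /usr/local/sbin/haproxy-deploy-hook.sh) and run `certbot renew --deploy-hook /usr/local/sbin/haproxy-deploy-hook.sh`; point HAProxy at the directory with `bind :443 ssl crt /etc/haproxy/certs/`. To avoid taking HAProxy down for the http-01 check, as the OP had to, route the challenge path through the proxy to the standalone listener instead: in the port-80 frontend, `acl acme path_beg /.well-known/acme-challenge/` and `use_backend certbot if acme`, with a backend `certbot` containing `server certbot 127.0.0.1:9080`; the 404s in the log above are exactly what you see when that route is missing and the request lands on the Go webserver instead.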