Www subdomain gets cert but forum subdomain fails - discourse behind haproxy

My Discourse server is pretty obviously feeding its index.html to certbot but I can’t figure out why. The WWW subdomain with the same exact DNS entry has no issue.

My domain is: dallaskf.com (specifically referencing forum.dallaskf.com)

I ran this command: sudo certbot certonly --standalone -d dallaskf.com -d www.dallaskf.com -d forum.dallaskf.com --non-interactive --agree-tos --email postmaster@forum.dallaskf.com --http-01-port=8800

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for forum.dallaskf.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. forum.dallaskf.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://forum.dallaskf.com/.well-known/acme-challenge/5fVXU27dIMqrZ12b4uUcZYXyEzhtMEck6MSPF435HDY [76.201.5.146]: "\n<html lang=“en-US”>\n\n <meta charset=“utf-8”>\n DallasKF.com Rust\n <meta name=“description”

IMPORTANT NOTES:

My web server is (include version): Apache2 and Discourse behind haproxy. All latest stable

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: homelab (namecheap DNS)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I think I fixed it by shutting down haproxy and running the check on port 80. Will try this and report back if it fails

The required configuration to avoid shutting down haproxy is to proxy the ACME validation requests to the Certbot standalone server.

Add a backend for Certbot:

backend be_certbot
        mode http
        server s_certbot 127.0.0.1:8800

and direct requests to it in your port 80 frontend:

use_backend be_certbot if { path_beg /.well-known/acme-challenge/ }
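To show the two pieces above in context, here is a complete port 80 frontend plus both backends as an added example (not the original poster's configuration or the answerer's). The Discourse backend address `127.0.0.1:8080`, the frontend and ACL names, and the HTTPS redirect are assumptions for illustration; the certbot backend on `127.0.0.1:8800` matches the `--http-01-port=8800` used in the question.

```haproxy
# Added example: route only ACME HTTP-01 validation requests to the
# certbot standalone listener, everything else to Discourse.
# Assumed: Discourse is published on 127.0.0.1:8080 (placeholder).

frontend fe_http
        bind *:80
        mode http
        option forwardfor

        # Match the path prefix Let's Encrypt validators fetch.
        acl is_acme path_beg /.well-known/acme-challenge/

        # Validation traffic goes to certbot; it must NOT be redirected to
        # HTTPS, otherwise certbot's standalone server never sees it.
        use_backend be_certbot if is_acme

        # Optional: push ordinary visitors to HTTPS, ACME excluded.
        http-request redirect scheme https unless is_acme

        default_backend be_discourse

backend be_certbot
        mode http
        # certbot certonly --standalone --http-01-port=8800 listens here
        # only while a challenge is in progress; otherwise this backend is
        # simply down and haproxy answers 503 for the ACME path.
        server s_certbot 127.0.0.1:8800

backend be_discourse
        mode http
        server s_discourse 127.0.0.1:8080  # assumed Discourse address
```

After `haproxy -c -f /etc/haproxy/haproxy.cfg` passes and the service is reloaded, a quick check is to fetch `http://forum.dallaskf.com/.well-known/acme-challenge/anything` while no certbot run is active: a 503 from haproxy means the ACL is routing the path to the certbot backend, whereas Discourse's `index.html` (as in the error output above) means the ACL or frontend is not being hit.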
