ACME Challenge Passthrough

Hi Community,

I am doing this in a homeserver set up so even though I use these platforms every day, they have a maximum of 3 - 4 users on them so all are single server, no need to load share etc.

My goal was to send the acme challenge for each server through haproxy and set and forget have lets encrypt renew in the background with no intervetion from me. The Apache2 - Certbout Auto-Renewal already was automating the requests I just needed them to route to the correct server as needed.

After much trial and error here is my working config. When I add another backend server I will just need to expand the list of URLs. This config worked with the “certbot renew --dry-run” so now to leave it for a few months and see if nothing breaks.

  maxconn 5000
  stats timeout 30s
  log /dev/log    local0
  log /dev/log    local1 notice
  chroot /var/lib/haproxy
  user haproxy
  group haproxy

  log     global
  mode    tcp
  option  tcplog
  option  dontlognull
  timeout http-request 5s
  timeout connect 5000
  timeout client  2000000
  timeout server  2000000
# front end acme challenge
frontend example80
  bind *:80
  mode http
  option tcplog

# check for acme challange and validate url

    acl test_acme  path_beg /.well-known/acme-challenge/
    acl nc_host    hdr(host) -i
    acl wp_host hdr(host)    -i
    acl wiki_host hdr(host)  -i

# if no acme challenge redirect https
    redirect scheme https code 301 if !test_acme

# on acme challenge forward :80 to backend server
    use_backend le_nc_backend   if test_acme nc_host
    use_backend le_wp_backend   if test_acme wp_host
    use_backend le_wiki_backend if test_acme wiki_host

# frontend normal https traffic to valid urls
frontend example443
  bind   *:443
  mode   tcp
  option tcplog

  tcp-request inspect-delay 10s
  tcp-request content accept if { req.ssl_hello_type 1 }

  use_backend backend_nc   if { req.ssl_sni -m end }
  use_backend backend_wp   if { req.ssl_sni -m end }
  use_backend backend_wiki if { req.ssl_sni -m end }

# Backend nextcloud server <<<<<<<<<
# Normaltraffic nextcloud
backend backend_nc
  mode tcp
  server nextcloud-server check

# Renew certificate nextcloud server
backend le_nc_backend
  mode http
  server letsencrypt_nc_server check

# Backend wordpress server <<<<<<<<<
# Normaltraffic worpress
backend backend_wp
  mode tcp
  server wordpress-server check

# Renew certificate wordpress server
backend le_wp_backend
  mode http
  server letsencrypt_wp_server check

#Backend wiki server  <<<<<<<<<<
# Normaltraffic wiki server
backend backend_wiki
  mode tcp
  server wiki-server  check

# Renew certificate wiki server
backend le_wiki_backend
  mode http
  server letsencrypt_wiki_server check

Feedback welcome, I am always happy to improve my setup.


Hi Community,

Just a follow up, I just checked and all of my servers have successfuly renewed their certificates over the last few weeks.


1 Like