Configuration help challenge HTTP-01 ACME

Hi
I am asking for your help with my HAProxy configuration file (HAProxy version 2.8.5-1~bpo12+1, 2023/12/09).
I have two services that use the ACME HTTP-01 challenge; all the others use the DNS-01 challenge. With the latter (DNS-01), the certificates are renewed without problems. I tried to follow this thread for HTTP-01 without success: ACME Challenge Passthrough
Here is my HAProxy config; I left in the domains for which the renewal fails:

#---------------------------------------------------------------------

# Global settings

#---------------------------------------------------------------------

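global
daemon
user haproxy
group haproxy
log /dev/log local6 notice
log /dev/log local5 info
maxconn 100000
chroot /var/lib/haproxy
pidfile /run/haproxy.pid
# Runtime API socket with "level admin" (can disable servers, change
# weights, etc.). It was world-writable (mode 777), which hands that
# control to every local account; 660 limits it to root and the socket's
# owning group -- add a "group <name>" parameter here if a non-root
# tool needs to use it.
stats socket /var/run/haproxy/admin.sock mode 660 level admin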

#---------------------------------------------------------------------

# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block

#---------------------------------------------------------------------

defaults
# Applies to every listen/frontend/backend below unless overridden there.
# Raw TCP (TLS passthrough) is the default; only the stats page and the
# HTTP->HTTPS redirect frontend switch to "mode http".
mode tcp
option tcplog
log global
# do not log sessions that exchanged no data
option dontlognull
# timeout values without a unit are milliseconds
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------

# dedicated stats page

#---------------------------------------------------------------------

listen stats
mode http
# Bound on every address, plain HTTP: the basic-auth credentials below
# cross the network in clear. Consider a loopback/LAN-only bind address.
bind :22222
stats enable
stats hide-version
stats uri /stats
stats realm HAProxy-Statistics
stats auth LOGIN:SECRET
stats refresh 30s

# Unconditional admin mode: anyone who passes the basic auth above can
# enable/disable servers from the page. Keep it off unless really needed.
stats admin if TRUE

#---------------------------------------------------------------------

# Frontend to redirect HTTP to HTTPS with code 301

#---------------------------------------------------------------------

frontend http-redirect
mode http
bind :80 v4v6
# Unconditional redirect: requests for /.well-known/acme-challenge/ are
# sent to HTTPS too, so an HTTP-01 validator never reaches the mail
# server through this configuration.
http-request redirect scheme https code 301

#---------------------------------------------------------------------

# main frontend which proxies to the backends

#---------------------------------------------------------------------

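frontend main_https_listen
bind :443 v4v6
mode tcp
option tcplog
log global
# Wait up to 5s for the TLS ClientHello so that req.ssl_sni is available
# below; only connections starting with a ClientHello (hello type 1)
# are accepted for processing.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs (case-insensitive, exact SNI match)
# -------------------------------

acl acl_mailcowdatanetwork req.ssl_sni -i mail.example1.cloud www.mail.example1.cloud
acl acl_mailcowboubou req.ssl_sni -i mail.example2.me www.mail.example2.me

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou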

#---------------------------------------------------------------------

# Backends

#---------------------------------------------------------------------

backend backend_mailcowdatanetwork
description MAILCOW DATANETWORK
# TLS passthrough: the raw connection goes to the mail server, which
# terminates TLS itself, so HAProxy never sees the HTTP request.
mode tcp
# Health check by TLS client hello; only effective for server lines that
# carry "check", which this one does not.
option ssl-hello-chk
server server_mailcowdatanetwork 192.168.1.7:443

backend backend_mailcowboubou
description MAILCOW BOUBOU
# TLS passthrough to the same mail server as backend_mailcowdatanetwork;
# the SNI selected the backend, the server terminates TLS.
mode tcp
# Health check by TLS client hello; only effective for server lines that
# carry "check", which this one does not.
option ssl-hello-chk
server server_mailcowboubou 192.168.1.7:443

Thanks for your help

Well, I suggest you post the configuration that you tried based on that thread.

The configuration you posted contains none of it.

Sorry for the late response, I was away from home for work.
Here is the configuration that I am trying to test to pass the ACME HTTP-01 challenge. I would like mail.boubou.me and mail.datanetwork.cloud to be able to pass the ACME HTTP-01 challenge; for everything else I use the DNS-01 challenge, but unfortunately I cannot run it with Mailcow (a self-hosted mail solution), and the developers do not intend to support it at the moment because the workload would be too heavy. For the moment, every 3 months I have to redirect ports 80 and 443 directly to the mail server to renew the certificates.
Thanks for your help


#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

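global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             100000
    chroot              /var/lib/haproxy
    pidfile             /run/haproxy.pid
    # Runtime API socket with "level admin" (can disable servers, change
    # weights, etc.). It was world-writable (mode 777), which hands that
    # control to every local account; 660 limits it to root and the socket's
    # owning group -- add a "group <name>" parameter here if a non-root
    # tool needs to use it.
    stats socket        /var/run/haproxy/admin.sock mode 660 level admin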

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    # Applies to every listen/frontend/backend below unless overridden there.
    # Raw TCP (TLS passthrough) is the default; the sections that inspect
    # HTTP (stats page, port-80 frontends, ACME backends) set "mode http".
    mode                 tcp
    option               tcplog
    log                  global
    # do not log sessions that exchanged no data
    option               dontlognull
    # timeout values without a unit are milliseconds
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    # Bound on every address, plain HTTP: the basic-auth credentials below
    # cross the network in clear. Consider a loopback/LAN-only bind address
    # (backend_proxystat suggests the page is also reached through a local
    # TLS terminator on 127.0.0.1:444 -- confirm).
    bind :22222
    stats enable
    stats hide-version
    stats uri            /stats
    stats realm          HAProxy-Statistics
    # the value shown is presumably a placeholder; it must not stay like this
    stats auth           login:Password
    stats refresh        30s
    # admin mode (enable/disable servers from the page) stays disabled
#    stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

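frontend datanetwork.cloud:80
    # ACME HTTP-01 entry point. It has to be the ONLY proxy bound to port 80:
    # "frontend http-redirect" further down in this file also binds :80, so
    # (on Linux, where both binds succeed) incoming connections are split
    # between the two listeners and a validation request can get a 301
    # instead of reaching the mail server. Bind the same way it does (v4v6),
    # so IPv6 validation requests land here as well, and drop that frontend.
    bind :80 v4v6
    mode http
    # tcplog carries no HTTP fields; httplog is the matching option for mode http
    option httplog

#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------

    acl test_acme                          path_beg /.well-known/acme-challenge/
    acl mailcowdatanetwork_host hdr(host)  -i mail.datanetwork.cloud
    acl mailcowboubou_host hdr(host)       -i mail.boubou.me

#---------------------------------------------------------------------
# If no Acme Challenge redirect HTTPS
#---------------------------------------------------------------------

    # http-request form, as the other frontends in this file use it; the bare
    # "redirect" keyword is the legacy spelling of the same rule.
    http-request redirect scheme https code 301 if !test_acme

#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------

    # Only the challenge path reaches the mail server in clear text, and only
    # for the two expected Host values; a challenge request for any other
    # host matches no backend and is answered with a 503.
    use_backend le_mailcowdatanetwork_backend   if test_acme mailcowdatanetwork_host
    use_backend le_mailcowboubou_backend        if test_acme mailcowboubou_host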

#---------------------------------------------------------------------
# frontend normal https traffic to valid urls
#---------------------------------------------------------------------
frontend datanetwork.cloud:443
  # NOTE(review): one of three listeners on :443 in this file (boubou.me:443
  # and main_https_listen bind it too). This one only knows a single SNI, so
  # any other site's connection that lands here finds no backend.
  # main_https_listen already routes mail.datanetwork.cloud via
  # acl_mailcowdatanetwork, which makes this section redundant.
  bind   *:443
  mode   tcp
  option tcplog

  # wait for the TLS ClientHello so req.ssl_sni can be inspected
  tcp-request inspect-delay 10s
  tcp-request content accept if { req.ssl_hello_type 1 }

  # "-m end" is a suffix match: any SNI ending in mail.datanetwork.cloud is
  # accepted, unlike the exact "-i" match used in main_https_listen.
  use_backend backend_mailcowdatanetwork   if { req.ssl_sni -m end   mail.datanetwork.cloud }

#---------------------------------------------------------------------
# frontend normal https traffic to valid urls
#---------------------------------------------------------------------
frontend boubou.me:443
  # NOTE(review): one of three listeners on :443 in this file
  # (datanetwork.cloud:443 and main_https_listen bind it too). This one only
  # knows a single SNI, so any other site's connection that lands here finds
  # no backend. main_https_listen already routes mail.boubou.me via
  # acl_mailcowboubou, which makes this section redundant.
  bind   *:443
  mode   tcp
  option tcplog

  # wait for the TLS ClientHello so req.ssl_sni can be inspected
  tcp-request inspect-delay 10s
  tcp-request content accept if { req.ssl_hello_type 1 }

  # "-m end" is a suffix match: any SNI ending in mail.boubou.me is
  # accepted, unlike the exact "-i" match used in main_https_listen.
  use_backend backend_mailcowboubou   if { req.ssl_sni -m end   mail.boubou.me }

#---------------------------------------------------------------------
# ACME HTTP-01 backend: plain-HTTP hop to the mail server (not nextcloud)
# for /.well-known/acme-challenge/ only; the token is presumably served by
# the web server on the mail host's port 80 -- verify on 192.168.1.7.
#---------------------------------------------------------------------
backend le_mailcowdatanetwork_backend
  mode http
  server letsencrypt_mailcowdatanetwork_server 192.168.1.7:80 check

# ACME HTTP-01 backend for mail.boubou.me; same host and port as
# le_mailcowdatanetwork_backend, so a single backend would serve both.
backend le_mailcowboubou_backend
  mode http
  server letsencrypt_mailcowboubou_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# Frontend to redirect HTTP to HTTPS with code 301
#---------------------------------------------------------------------

frontend http-redirect
    # NOTE(review): second listener on :80 in this file -- "frontend
    # datanetwork.cloud:80" above binds it too and already performs this
    # redirect for everything that is not an ACME challenge. With both
    # present, a validation request can land here and get a 301 instead of
    # the challenge token. Remove this section once the :80 frontend above
    # is in place.
    mode http
    bind :80 v4v6
    http-request redirect scheme https code 301

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    # NOTE(review): datanetwork.cloud:443 and boubou.me:443 above bind the
    # same port; this frontend already routes both mail SNIs below, so it
    # should be the only :443 listener.
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    # Wait up to 5s for the TLS ClientHello so that req.ssl_sni is available
    # below; only connections starting with a ClientHello (hello type 1)
    # are accepted for processing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs (case-insensitive, exact SNI match; still part of this frontend,
# HAProxy ignores indentation)
# -------------------------------

acl acl_nextcloud               req.ssl_sni -i xxxxxxxxxx.datanetwork.cloud 	www.xxxxxxx.datanetwork.cloud
acl acl_ncs                     req.ssl_sni -i xxx.datanetwork.cloud 		www.xxxxx.datanetwork.cloud
acl acl_phpnextcloud            req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxxxx.datanetwork.cloud
acl acl_mailcowdatanetwork      req.ssl_sni -i mail.datanetwork.cloud 		www.mail.datanetwork.cloud
acl acl_mailcowboubou           req.ssl_sni -i mail.boubou.me 			www.mail.boubou.me
acl acl_freebox                 req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_plex                    req.ssl_sni -i xxxxxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_tautulli                req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxxx.datanetwork.cloud
acl acl_proxy                   req.ssl_sni -i xxxxxxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_proxystat               req.ssl_sni -i xxxxxxxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_lenovo                  req.ssl_sni -i xxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_mx                      req.ssl_sni -i xxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_nas                     req.ssl_sni -i xxxxxx.datanetwork.cloud 		www.xxxxxxx.datanetwork.cloud
acl acl_readynas                req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxx.datanetwork.cloud
acl acl_blog                    req.ssl_sni -i xxxxx.boubou.me			www.xxxxxxx.boubou.me

# -------------------------------
# Conditions: first matching rule wins; a connection whose SNI matches
# none of the ACLs has no backend and is closed.
# -------------------------------

use_backend backend_nextcloud if acl_nextcloud
use_backend backend_ncs if acl_ncs
use_backend backend_phpnextcloud if acl_phpnextcloud
use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou
use_backend backend_freebox if acl_freebox
use_backend backend_plex if acl_plex
use_backend backend_tautulli if acl_tautulli
use_backend backend_proxy if acl_proxy
use_backend backend_proxystat if acl_proxystat
use_backend backend_lenovo if acl_lenovo
use_backend backend_mx if acl_mx
use_backend backend_nas if acl_nas
use_backend backend_readynas if acl_readynas
use_backend backend_blog if acl_blog

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 NEXTCLOUD
backend backend_nextcloud
    description NEXTCLOUD
    # TLS passthrough: the server terminates TLS, HAProxy never sees HTTP
    mode tcp
    # health check by TLS client hello (active because the server has "check")
    option ssl-hello-chk
    # send-proxy: PROXY protocol v1 header with the client address precedes
    # the connection; the server on 192.168.1.6:443 must expect it
    server server_nextcloud 192.168.1.6:443 check send-proxy

# APP 2 NCS NEXTCLOUD STATS
backend backend_ncs
    description NCS NEXTCLOUD STATS
    # TLS passthrough; same 192.168.1.6:444 endpoint as backend_phpnextcloud,
    # so the SNI is what distinguishes the two services there
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header with the client address;
    # the listener on 444 must be configured to accept it
    server server_ncs 192.168.1.6:444 check send-proxy-v2

# APP 3 PHP NCS NEXTCLOUD
backend backend_phpnextcloud
    description PHP NEXTCLOUD
    # TLS passthrough; same 192.168.1.6:444 endpoint as backend_ncs
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header with the client address;
    # the listener on 444 must be configured to accept it
    server server_phpnextcloud 192.168.1.6:444 check send-proxy-v2

# APP 4 MAILCOW DATANETWORK
backend backend_mailcowdatanetwork
    description MAILCOW DATANETWORK
    # TLS passthrough: the mail server terminates TLS itself, so HAProxy
    # never sees the HTTP request -- HTTP-01 has to be handled on port 80
    mode tcp
    # health check by TLS client hello (active because the server has "check")
    option ssl-hello-chk
    server server_mailcowdatanetwork 192.168.1.7:443 check

# APP 5 MAILCOW BOUBOU
backend backend_mailcowboubou
    description MAILCOW BOUBOU
    # TLS passthrough to the same mail server as backend_mailcowdatanetwork;
    # the SNI selected the backend, the server terminates TLS
    mode tcp
    # health check by TLS client hello (active because the server has "check")
    option ssl-hello-chk
    server server_mailcowboubou 192.168.1.7:443 check

# APP 6 FREEBOX DELTA 
backend backend_freebox
    description FREEBOX DELTA
    # TLS passthrough to a local listener on 127.0.0.1:444, shared by APP 6-14;
    # presumably another TLS-terminating proxy routes on SNI there -- confirm
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_freebox 127.0.0.1:444 check send-proxy-v2

# APP 7 PLEX
backend backend_plex
    description PLEX
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_plex 127.0.0.1:444 check send-proxy-v2

# APP 8 TAUTULLI
backend backend_tautulli
    description TAUTULLI
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_tautulli 127.0.0.1:444 check send-proxy-v2

# APP 9 PROXY NETDATA
backend backend_proxy
    description PROXY NETDATA
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_proxy 127.0.0.1:444 check send-proxy-v2

# APP 10 PROXY STATS
backend backend_proxystat
    description HAPROXY STATS
    # TLS passthrough to the shared local listener on 127.0.0.1:444; the
    # description suggests it fronts the "listen stats" page (:22222) over
    # TLS -- if so, the stats bind could be limited to loopback. Confirm.
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_proxystat 127.0.0.1:444 check send-proxy-v2

# APP 11 NETDATA LENOVO TS-150
backend backend_lenovo
    description TS150 NETDATA
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_lenovo 127.0.0.1:444 check send-proxy-v2

# APP 12 MX NETDATA
backend backend_mx
    description MX NETDATA
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_mx 127.0.0.1:444 check send-proxy-v2

# APP 13 NAS NETDATA
backend backend_nas
    description NAS NETDATA
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_nas 127.0.0.1:444 check send-proxy-v2

# APP 14 READYNAS
backend backend_readynas
    description READYNAS
    # TLS passthrough to the shared local listener on 127.0.0.1:444 (APP 6-14)
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_readynas 127.0.0.1:444 check send-proxy-v2

# APP 15 BLOG
backend backend_blog
    description BLOG
    # TLS passthrough to 192.168.1.6:444, the same endpoint as backend_ncs and
    # backend_phpnextcloud; the SNI distinguishes the services there
    mode tcp
    option ssl-hello-chk
    # send-proxy-v2: PROXY protocol v2 header carries the real client address
    server server_blog 192.168.1.6:444 check send-proxy-v2