Configuration help challenge HTTP-01 ACME

Hi
I am asking for your help to configure my HAProxy configuration file “version 2.8.5-1~bpo12+1 2023/12/09”.
I have two services that use the ACME HTTP-01 challenge and all the others use the DNS-01 challenge. With the latter (DNS-01), the certificates are renewed without problem. I tried to follow this thread for HTTP-01 without success: ACME Challenge Passthrough
Here is my HAProxy config; I left the domains for which the renewal fails:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    daemon
    user haproxy
    group haproxy
    log /dev/log local6 notice
    log /dev/log local5 info
    maxconn 100000
    chroot /var/lib/haproxy
    pidfile /run/haproxy.pid
    stats socket /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    mode tcp
    option tcplog
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri /stats
    stats realm HAProxy-Statistics
    stats auth LOGIN:SECRET
    stats refresh 30s
#    stats admin if TRUE

#---------------------------------------------------------------------
# Frontend to redirect HTTP to HTTPS with code 301
#---------------------------------------------------------------------

frontend http-redirect
    mode http
    bind :80 v4v6
    http-request redirect scheme https code 301

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_mailcowdatanetwork req.ssl_sni -i mail.example1.cloud www.mail.example1.cloud
acl acl_mailcowboubou req.ssl_sni -i mail.example2.me www.mail.example2.me

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

backend backend_mailcowdatanetwork
    description MAILCOW DATANETWORK
    mode tcp
    option ssl-hello-chk
    server server_mailcowdatanetwork 192.168.1.7:443

backend backend_mailcowboubou
    description MAILCOW BOUBOU
    mode tcp
    option ssl-hello-chk
    server server_mailcowboubou 192.168.1.7:443

Thanks for your help

Well, I suggest you post the configuration that you tried based on that thread.

The configuration you posted contains none of it.

Sorry for the late response, I was far from home for work.
Here is the configuration that I am trying to test to pass the ACME HTTP-01 challenge. I would like mail.boubou.me and mail.datanetwork.cloud to be able to pass the ACME HTTP-01 challenge; for everything else I use the DNS-01 challenge, but unfortunately I cannot run it with Mailcow (self-hosted mail solution) and the developers do not intend to do so at the moment because the workload would be too heavy. For the moment, every 3 months I have to redirect ports 80 and 443 directly to the mail server to renew the certificates.
Thanks for your help


#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             100000
    chroot              /var/lib/haproxy
    pidfile             /run/haproxy.pid
    stats socket        /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri            /stats
    stats realm          HAProxy-Statistics
    stats auth           login:Password
    stats refresh        30s
#    stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

frontend datanetwork.cloud:80
    bind *:80
    mode http
    option tcplog

#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------

    acl test_acme                          path_beg /.well-known/acme-challenge/
    acl mailcowdatanetwork_host hdr(host)  -i mail.datanetwork.cloud
    acl mailcowboubou_host hdr(host)       -i mail.boubou.me

#---------------------------------------------------------------------
# If no Acme Challenge redirect HTTPS 
#---------------------------------------------------------------------

    redirect scheme https code 301 if !test_acme

#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------

    use_backend le_mailcowdatanetwork_backend   if test_acme mailcowdatanetwork_host
    use_backend le_mailcowboubou_backend        if test_acme mailcowboubou_host

#---------------------------------------------------------------------
# frontend normal https traffic to valid urls
#---------------------------------------------------------------------
frontend datanetwork.cloud:443
  bind   *:443
  mode   tcp
  option tcplog

  tcp-request inspect-delay 10s
  tcp-request content accept if { req.ssl_hello_type 1 }

  use_backend backend_mailcowdatanetwork   if { req.ssl_sni -m end   mail.datanetwork.cloud }

#---------------------------------------------------------------------
# frontend normal https traffic to valid urls
#---------------------------------------------------------------------
frontend boubou.me:443
  bind   *:443
  mode   tcp
  option tcplog

  tcp-request inspect-delay 10s
  tcp-request content accept if { req.ssl_hello_type 1 }

  use_backend backend_mailcowboubou   if { req.ssl_sni -m end   mail.boubou.me }

#---------------------------------------------------------------------
# Renew certificate nextcloud server
#---------------------------------------------------------------------
backend le_mailcowdatanetwork_backend
  mode http
  server letsencrypt_mailcowdatanetwork_server 192.168.1.7:80 check

backend le_mailcowboubou_backend
  mode http
  server letsencrypt_mailcowboubou_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# Frontend to redirect HTTP to HTTPS with code 301
#---------------------------------------------------------------------

frontend http-redirect
    mode http
    bind :80 v4v6
    http-request redirect scheme https code 301

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_nextcloud               req.ssl_sni -i xxxxxxxxxx.datanetwork.cloud 	www.xxxxxxx.datanetwork.cloud
acl acl_ncs                     req.ssl_sni -i xxx.datanetwork.cloud 		www.xxxxx.datanetwork.cloud
acl acl_phpnextcloud            req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxxxx.datanetwork.cloud
acl acl_mailcowdatanetwork      req.ssl_sni -i mail.datanetwork.cloud 		www.mail.datanetwork.cloud
acl acl_mailcowboubou           req.ssl_sni -i mail.boubou.me 			www.mail.boubou.me
acl acl_freebox                 req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_plex                    req.ssl_sni -i xxxxxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_tautulli                req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxxxx.datanetwork.cloud
acl acl_proxy                   req.ssl_sni -i xxxxxxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_proxystat               req.ssl_sni -i xxxxxxxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_lenovo                  req.ssl_sni -i xxxxxx.datanetwork.cloud 	www.xxxxxx.datanetwork.cloud
acl acl_mx                      req.ssl_sni -i xxxx.datanetwork.cloud 		www.xxxxxx.datanetwork.cloud
acl acl_nas                     req.ssl_sni -i xxxxxx.datanetwork.cloud 		www.xxxxxxx.datanetwork.cloud
acl acl_readynas                req.ssl_sni -i xxxxxxx.datanetwork.cloud 	www.xxxxx.datanetwork.cloud
acl acl_blog                    req.ssl_sni -i xxxxx.boubou.me			www.xxxxxxx.boubou.me

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_nextcloud if acl_nextcloud
use_backend backend_ncs if acl_ncs
use_backend backend_phpnextcloud if acl_phpnextcloud
use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou
use_backend backend_freebox if acl_freebox
use_backend backend_plex if acl_plex
use_backend backend_tautulli if acl_tautulli
use_backend backend_proxy if acl_proxy
use_backend backend_proxystat if acl_proxystat
use_backend backend_lenovo if acl_lenovo
use_backend backend_mx if acl_mx
use_backend backend_nas if acl_nas
use_backend backend_readynas if acl_readynas
use_backend backend_blog if acl_blog

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 NEXTCLOUD
backend backend_nextcloud
    description NEXTCLOUD
    mode tcp
    option ssl-hello-chk
    server server_nextcloud 192.168.1.6:443 check send-proxy

# APP 2 NCS NEXTCLOUD STATS
backend backend_ncs
    description NCS NEXTCLOUD STATS
    mode tcp
    option ssl-hello-chk
    server server_ncs 192.168.1.6:444 check send-proxy-v2

# APP 3 PHP NCS NEXTCLOUD
backend backend_phpnextcloud
    description PHP NEXTCLOUD
    mode tcp
    option ssl-hello-chk
    server server_phpnextcloud 192.168.1.6:444 check send-proxy-v2

# APP 4 MAILCOW DATANETWORK
backend backend_mailcowdatanetwork
    description MAILCOW DATANETWORK
    mode tcp
    option ssl-hello-chk
    server server_mailcowdatanetwork 192.168.1.7:443 check

# APP 5 MAILCOW BOUBOU
backend backend_mailcowboubou
    description MAILCOW BOUBOU
    mode tcp
    option ssl-hello-chk
    server server_mailcowboubou 192.168.1.7:443 check

# APP 6 FREEBOX DELTA 
backend backend_freebox
    description FREEBOX DELTA
    mode tcp
    option ssl-hello-chk
    server server_freebox 127.0.0.1:444 check send-proxy-v2

# APP 7 PLEX
backend backend_plex
    description PLEX
    mode tcp
    option ssl-hello-chk
    server server_plex 127.0.0.1:444 check send-proxy-v2

# APP 8 TAUTULLI
backend backend_tautulli
    description TAUTULLI
    mode tcp
    option ssl-hello-chk
    server server_tautulli 127.0.0.1:444 check send-proxy-v2

# APP 9 PROXY NETDATA
backend backend_proxy
    description PROXY NETDATA
    mode tcp
    option ssl-hello-chk
    server server_proxy 127.0.0.1:444 check send-proxy-v2

# APP 10 PROXY STATS
backend backend_proxystat
    description HAPROXY STATS
    mode tcp
    option ssl-hello-chk
    server server_proxystat 127.0.0.1:444 check send-proxy-v2

# APP 11 NETDATA LENOVO TS-150
backend backend_lenovo
    description TS150 NETDATA
    mode tcp
    option ssl-hello-chk
    server server_lenovo 127.0.0.1:444 check send-proxy-v2

# APP 12 MX NETDATA
backend backend_mx
    description MX NETDATA
    mode tcp
    option ssl-hello-chk
    server server_mx 127.0.0.1:444 check send-proxy-v2

# APP 13 NAS NETDATA
backend backend_nas
    description NAS NETDATA
    mode tcp
    option ssl-hello-chk
    server server_nas 127.0.0.1:444 check send-proxy-v2

# APP 14 READYNAS
backend backend_readynas
    description READYNAS
    mode tcp
    option ssl-hello-chk
    server server_readynas 127.0.0.1:444 check send-proxy-v2

# APP 15 BLOG
backend backend_blog
    description BLOG
    mode tcp
    option ssl-hello-chk
    server server_blog 192.168.1.6:444 check send-proxy-v2

I don’t see anything wrong with it. Check your logs and confirm that you are passing the request through.

Hi
I managed to renew the Let’s Encrypt certificates; for this I deleted the following lines:

And I had problems with the autodiscover and autoconfig verification during the renewal, so I added the following lines:


#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------

    use_backend le_mailcowdatanetwork_backend               if test_acme mailcowdatanetwork_host
    use_backend le_mailcowboubou_backend                    if test_acme mailcowboubou_host
    use_backend le_mailcowdatanetworkautoconfig_backend     if test_acme mailcowdatanetworkautoconfig_host
    use_backend le_mailcowboubouautoconfig_backend          if test_acme mailcowboubouautoconfig_host
    use_backend le_mailcowdatanetworkautodiscover_backend   if test_acme mailcowdatanetworkautodiscover_host 
    use_backend le_mailcowboubouautodiscover_backend        if test_acme mailcowboubouautodiscover_host
#---------------------------------------------------------------------
# Renew certificate nextcloud server
#---------------------------------------------------------------------
backend le_mailcowdatanetwork_backend
  mode http
  server letsencrypt_mailcowdatanetwork_server 192.168.1.7:80 check

backend le_mailcowboubou_backend
  mode http
  server letsencrypt_mailcowboubou_server 192.168.1.7:80 check

backend le_mailcowdatanetworkautoconfig_backend
  mode http
  server letsencrypt_mailcowdatanetworkautoconfig_server 192.168.1.7:80 check

backend le_mailcowboubouautoconfig_backend
  mode http
  server letsencrypt_mailcowboubouautoconfig_server 192.168.1.7:80 check

backend le_mailcowdatanetworkautodiscover_backend
  mode http
  server letsencrypt_mailcowdatanetworkautodiscover_server 192.168.1.7:80 check

backend le_mailcowboubouautodiscover_backend
  mode http
  server letsencrypt_mailcowbouboudiscover_server 192.168.1.7:80 check

And now the renewal or creation of certificates works with the HTTP-01 challenge.

Here is the final configuration file; if you see any errors, thank you in advance for telling me.


#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             100000
    chroot              /var/lib/haproxy
    pidfile             /run/haproxy.pid
    stats socket        /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------

defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------

listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri            /stats
    stats realm          HAProxy-Statistics
    stats auth           loguin:@XXXXXXX
    stats refresh        30s
#    stats admin if TRUE

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

frontend datanetwork.cloud:80
    bind :80 v4v6
    mode http
    option tcplog

#---------------------------------------------------------------------
# Front end Acme Challenge
#---------------------------------------------------------------------

frontend boubou.me:80
    bind :80 v4v6
    mode http
    option tcplog

#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------

    acl test_acme                          path_beg /.well-known/acme-challenge/
    acl mailcowdatanetwork_host hdr(host)              -i mail.datanetwork.cloud
    acl mailcowboubou_host hdr(host)                   -i mail.boubou.me
    acl mailcowdatanetworkautoconfig_host hdr(host)    -i autoconfig.datanetwork.cloud
    acl mailcowboubouautoconfig_host hdr(host)         -i autoconfig.boubou.me
    acl mailcowdatanetworkautodiscover_host hdr(host)  -i autodiscover.datanetwork.cloud
    acl mailcowboubouautodiscover_host hdr(host)       -i autodiscover.boubou.me

#---------------------------------------------------------------------
# If no Acme Challenge redirect HTTPS 
#---------------------------------------------------------------------

    redirect scheme https code 301 if !test_acme

#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------

    use_backend le_mailcowdatanetwork_backend               if test_acme mailcowdatanetwork_host
    use_backend le_mailcowboubou_backend                    if test_acme mailcowboubou_host
    use_backend le_mailcowdatanetworkautoconfig_backend     if test_acme mailcowdatanetworkautoconfig_host
    use_backend le_mailcowboubouautoconfig_backend          if test_acme mailcowboubouautoconfig_host
    use_backend le_mailcowdatanetworkautodiscover_backend   if test_acme mailcowdatanetworkautodiscover_host 
    use_backend le_mailcowboubouautodiscover_backend        if test_acme mailcowboubouautodiscover_host 


#---------------------------------------------------------------------
# Renew certificate Mailcow server
#---------------------------------------------------------------------
backend le_mailcowdatanetwork_backend
  mode http
  server letsencrypt_mailcowdatanetwork_server 192.168.1.7:80 check

backend le_mailcowboubou_backend
  mode http
  server letsencrypt_mailcowboubou_server 192.168.1.7:80 check

backend le_mailcowdatanetworkautoconfig_backend
  mode http
  server letsencrypt_mailcowdatanetworkautoconfig_server 192.168.1.7:80 check

backend le_mailcowboubouautoconfig_backend
  mode http
  server letsencrypt_mailcowboubouautoconfig_server 192.168.1.7:80 check

backend le_mailcowdatanetworkautodiscover_backend
  mode http
  server letsencrypt_mailcowdatanetworkautodiscover_server 192.168.1.7:80 check

backend le_mailcowboubouautodiscover_backend
  mode http
  server letsencrypt_mailcowbouboudiscover_server 192.168.1.7:80 check

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend main_https_listen
    bind :443 v4v6
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_nextcloud               req.ssl_sni -i XXXXXX.datanetwork.cloud 	www.nextcloud.datanetwork.cloud
acl acl_ncs                     req.ssl_sni -i XXXX.datanetwork.cloud 		www.ncs.datanetwork.cloud
acl acl_phpnextcloud            req.ssl_sni -i XXXX.datanetwork.cloud 	www.phpncs.datanetwork.cloud
acl acl_mailcowdatanetwork      req.ssl_sni -i mail.datanetwork.cloud 		www.mail.datanetwork.cloud
acl acl_mailcowboubou           req.ssl_sni -i mail.boubou.me 			www.mail.boubou.me
acl acl_freebox                 req.ssl_sni -i XXXX.datanetwork.cloud 	www.freebox.datanetwork.cloud
acl acl_plex                    req.ssl_sni -i XXXX.datanetwork.cloud 		www.plex.datanetwork.cloud
acl acl_tautulli                req.ssl_sni -i XXXX.datanetwork.cloud 	www.tautulli.datanetwork.cloud
acl acl_proxy                   req.ssl_sni -i XXXX.datanetwork.cloud 		www.proxy.datanetwork.cloud
acl acl_proxystat               req.ssl_sni -i XXXXt.datanetwork.cloud 	www.proxystat.datanetwork.cloud
acl acl_lenovo                  req.ssl_sni -i XXXX.datanetwork.cloud 	www.lenovo.datanetwork.cloud
acl acl_mx                      req.ssl_sni -i XXXX.datanetwork.cloud 		www.mx.datanetwork.cloud
acl acl_nas                     req.ssl_sni -i XXXX.datanetwork.cloud 		www.nas.datanetwork.cloud
acl acl_readynas                req.ssl_sni -i XXXX.datanetwork.cloud 	www.readynas.datanetwork.cloud
acl acl_blog                    req.ssl_sni -i XXXX.boubou.me			www.blog.boubou.me

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_nextcloud if acl_nextcloud
use_backend backend_ncs if acl_ncs
use_backend backend_phpnextcloud if acl_phpnextcloud
use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou
use_backend backend_freebox if acl_freebox
use_backend backend_plex if acl_plex
use_backend backend_tautulli if acl_tautulli
use_backend backend_proxy if acl_proxy
use_backend backend_proxystat if acl_proxystat
use_backend backend_lenovo if acl_lenovo
use_backend backend_mx if acl_mx
use_backend backend_nas if acl_nas
use_backend backend_readynas if acl_readynas
use_backend backend_blog if acl_blog

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1 NEXTCLOUD
backend backend_nextcloud
    description NEXTCLOUD
    mode tcp
    option ssl-hello-chk
    server server_nextcloud 192.168.1.5:443 check send-proxy

# APP 2 NCS NEXTCLOUD STATS
backend backend_ncs
    description NCS NEXTCLOUD STATS
    mode tcp
    option ssl-hello-chk
    server server_ncs 192.168.1.5:444 check send-proxy-v2

# APP 3 PHP NCS NEXTCLOUD
backend backend_phpnextcloud
    description PHP NEXTCLOUD
    mode tcp
    option ssl-hello-chk
    server server_phpnextcloud 192.168.1.5:444 check send-proxy-v2

# APP 4 MAILCOW DATANETWORK
backend backend_mailcowdatanetwork
    description MAILCOW DATANETWORK
    mode tcp
    option ssl-hello-chk
    server server_mailcowdatanetwork 192.168.1.7:443 check

# APP 5 MAILCOW BOUBOU
backend backend_mailcowboubou
    description MAILCOW BOUBOU
    mode tcp
    option ssl-hello-chk
    server server_mailcowboubou 192.168.1.7:443 check

# APP 6 FREEBOX DELTA 
backend backend_freebox
    description FREEBOX DELTA
    mode tcp
    option ssl-hello-chk
    server server_freebox 127.0.0.1:444 check send-proxy-v2

# APP 7 PLEX
backend backend_plex
    description PLEX
    mode tcp
    option ssl-hello-chk
    server server_plex 127.0.0.1:444 check send-proxy-v2

# APP 8 TAUTULLI
backend backend_tautulli
    description TAUTULLI
    mode tcp
    option ssl-hello-chk
    server server_tautulli 127.0.0.1:444 check send-proxy-v2

# APP 9 PROXY NETDATA
backend backend_proxy
    description PROXY NETDATA
    mode tcp
    option ssl-hello-chk
    server server_proxy 127.0.0.1:444 check send-proxy-v2

# APP 10 PROXY STATS
backend backend_proxystat
    description HAPROXY STATS
    mode tcp
    option ssl-hello-chk
    server server_proxystat 127.0.0.1:444 check send-proxy-v2

# APP 11 NETDATA LENOVO TS-150
backend backend_lenovo
    description TS150 NETDATA
    mode tcp
    option ssl-hello-chk
    server server_lenovo 127.0.0.1:444 check send-proxy-v2

# APP 12 MX NETDATA
backend backend_mx
    description MX NETDATA
    mode tcp
    option ssl-hello-chk
    server server_mx 127.0.0.1:444 check send-proxy-v2

# APP 13 NAS NETDATA
backend backend_nas
    description NAS NETDATA
    mode tcp
    option ssl-hello-chk
    server server_nas 127.0.0.1:444 check send-proxy-v2

# APP 14 READYNAS
backend backend_readynas
    description READYNAS
    mode tcp
    option ssl-hello-chk
    server server_readynas 127.0.0.1:444 check send-proxy-v2

# APP 15 BLOG
backend backend_blog
    description BLOG
    mode tcp
    option ssl-hello-chk
    server server_blog 192.168.1.5:444 check send-proxy-v2

And here is the Acme log file

mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Docker API...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Docker API OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Postfix...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Postfix OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Dovecot...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Dovecot OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Restoring mailcow snake-oil certificates and restarting script...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Docker API...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Docker API OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Postfix...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Postfix OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Dovecot...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Dovecot OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for database...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Database OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for Nginx...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Nginx OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for resolver...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Resolver OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Waiting for domain table...
mailcowdockerized-acme-mailcow-1  | OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:00 CET 2024 - Initializing, please wait...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:01 CET 2024 - Generating missing domain private rsa key...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:05 CET 2024 - Generating missing Lets Encrypt account key...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:05 CET 2024 - Valid email address, using XXXXX@XXXXX.XX for registration
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:08 CET 2024 - Detecting IP addresses...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - OK: XX.XX.X.XX, XXXX:e0a:831:7680:XXXX:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for autodiscover.boubou.me: XXXX:e0a:831:7680:baac:6fff:fe32:XXXX - skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP XXXX:0e0a:0831:7680:baac:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for autoconfig.boubou.me: XXXX:e0a:831:7680:baac:6fff:fe32:XXXX - skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP 2a01:0e0a:0831:7680:baac:6fff:fe32:5e5e
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for autodiscover.datanetwork.cloud:XXXX:e0a:831:7680:baac:6fff:fe32:XXXX - skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP XXXX:0e0a:0831:7680:baac:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for autoconfig.datanetwork.cloud:XXXX:e0a:831:7680:baac:6fff:fe32:XXXX - skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP XXXX:0e0a:0831:7680:baac:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for mail.datanetwork.cloud:XXXX:e0a:831:7680:baac:6fff:fe32:XXXX - skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP XXXX:0e0a:0831:7680:baac:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Found AAAA record for mail.boubou.me: XXXX:e0a:831:7680:baac:6fff:fe32:XXXX- skipping A record check
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Confirmed AAAA record with IP XXXX:0e0a:0831:7680:baac:6fff:fe32:XXXX
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Certificate /var/lib/acme/mail.datanetwork.cloud/cert.pem missing or changed domains 'mail.datanetwork.cloud mail.boubou.me' - start obtaining
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Copying shared private key for this certificate...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Checking resolver...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Resolver OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:09 CET 2024 - Using command acme-tiny  --contact mailto:XXXX@XXXX.XX --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/mail.datanetwork.cloud/acme.csr --acme-dir /var/www/acme/
mailcowdockerized-acme-mailcow-1  | Parsing account key...
mailcowdockerized-acme-mailcow-1  | Parsing CSR...
mailcowdockerized-acme-mailcow-1  | Found domains: mail.boubou.me, mail.datanetwork.cloud
mailcowdockerized-acme-mailcow-1  | Getting directory...
mailcowdockerized-acme-mailcow-1  | Directory found!
mailcowdockerized-acme-mailcow-1  | Registering account...
mailcowdockerized-acme-mailcow-1  | Registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXX
mailcowdockerized-acme-mailcow-1  | Updated contact details:
mailcowdockerized-acme-mailcow-1  | mailto:XXXX@XXXX.XXX
mailcowdockerized-acme-mailcow-1  | Creating new order...
mailcowdockerized-acme-mailcow-1  | Order created!
mailcowdockerized-acme-mailcow-1  | Verifying mail.boubou.me...
mailcowdockerized-acme-mailcow-1  | mail.boubou.me verified!
mailcowdockerized-acme-mailcow-1  | Verifying mail.datanetwork.cloud...
mailcowdockerized-acme-mailcow-1  | mail.datanetwork.cloud verified!
mailcowdockerized-acme-mailcow-1  | Signing certificate...
mailcowdockerized-acme-mailcow-1  | Certificate signed!
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Deploying certificate /var/lib/acme/mail.datanetwork.cloud/cert.pem...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Verified hashes.
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Certificate successfully obtained
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Certificate /var/lib/acme/autodiscover.boubou.me/cert.pem missing or changed domains 'autodiscover.boubou.me autoconfig.boubou.me' - start obtaining
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Copying shared private key for this certificate...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Checking resolver...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Resolver OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:20:49 CET 2024 - Using command acme-tiny   --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/autodiscover.boubou.me/acme.csr --acme-dir /var/www/acme/
mailcowdockerized-acme-mailcow-1  | Parsing account key...
mailcowdockerized-acme-mailcow-1  | Parsing CSR...
mailcowdockerized-acme-mailcow-1  | Found domains: autodiscover.boubou.me, autoconfig.boubou.me
mailcowdockerized-acme-mailcow-1  | Getting directory...
mailcowdockerized-acme-mailcow-1  | Directory found!
mailcowdockerized-acme-mailcow-1  | Registering account...
mailcowdockerized-acme-mailcow-1  | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXX
mailcowdockerized-acme-mailcow-1  | Creating new order...
mailcowdockerized-acme-mailcow-1  | Order created!
mailcowdockerized-acme-mailcow-1  | Verifying autoconfig.boubou.me...
mailcowdockerized-acme-mailcow-1  | autoconfig.boubou.me verified!
mailcowdockerized-acme-mailcow-1  | Verifying autodiscover.boubou.me...
mailcowdockerized-acme-mailcow-1  | autodiscover.boubou.me verified!
mailcowdockerized-acme-mailcow-1  | Signing certificate...
mailcowdockerized-acme-mailcow-1  | Certificate signed!
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Deploying certificate /var/lib/acme/autodiscover.boubou.me/cert.pem...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Verified hashes.
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Certificate successfully obtained
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Certificate /var/lib/acme/autodiscover.datanetwork.cloud/cert.pem missing or changed domains 'autodiscover.datanetwork.cloud autoconfig.datanetwork.cloud' - start obtaining
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Copying shared private key for this certificate...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Checking resolver...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Resolver OK
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:21:32 CET 2024 - Using command acme-tiny   --account-key /var/lib/acme/acme/account.pem --disable-check --csr /var/lib/acme/autodiscover.datanetwork.cloud/acme.csr --acme-dir /var/www/acme/
mailcowdockerized-acme-mailcow-1  | Parsing account key...
mailcowdockerized-acme-mailcow-1  | Parsing CSR...
mailcowdockerized-acme-mailcow-1  | Found domains: autoconfig.datanetwork.cloud, autodiscover.datanetwork.cloud
mailcowdockerized-acme-mailcow-1  | Getting directory...
mailcowdockerized-acme-mailcow-1  | Directory found!
mailcowdockerized-acme-mailcow-1  | Registering account...
mailcowdockerized-acme-mailcow-1  | Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXX
mailcowdockerized-acme-mailcow-1  | Creating new order...
mailcowdockerized-acme-mailcow-1  | Order created!
mailcowdockerized-acme-mailcow-1  | Verifying autoconfig.datanetwork.cloud...
mailcowdockerized-acme-mailcow-1  | autoconfig.datanetwork.cloud verified!
mailcowdockerized-acme-mailcow-1  | Verifying autodiscover.datanetwork.cloud...
mailcowdockerized-acme-mailcow-1  | autodiscover.datanetwork.cloud verified!
mailcowdockerized-acme-mailcow-1  | Signing certificate...
mailcowdockerized-acme-mailcow-1  | Certificate signed!
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:12 CET 2024 - Deploying certificate /var/lib/acme/autodiscover.datanetwork.cloud/cert.pem...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:12 CET 2024 - Verified hashes.
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:12 CET 2024 - Certificate successfully obtained
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:12 CET 2024 - Reloading or restarting services... (1)
mailcowdockerized-acme-mailcow-1  | Restarting 4f87d08b4efdd788fa9dac8de8f6d5d884dd6de2c79b0133a80abb1XXXXb1c5...
mailcowdockerized-acme-mailcow-1  | command completed successfully
mailcowdockerized-acme-mailcow-1  | Restarting 88ec0e1a93d50f989fafce44aba9e52810679e0a1bd9133XXXXXe39289d0...
mailcowdockerized-acme-mailcow-1  | command completed successfully
mailcowdockerized-acme-mailcow-1  | Restarting 361f54d3f3c09bd221644c944d8fc513d59512a570e56XXXX9acb9dac8c737...
mailcowdockerized-acme-mailcow-1  | command completed successfully
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:22 CET 2024 - Waiting for containers to settle...
mailcowdockerized-acme-mailcow-1  | Sat Feb 24 17:22:32 CET 2024 - Certificates successfully requested and renewed where required, sleeping one day