Hi
I managed to renew the Let's Encrypt certificates. To do this, I deleted the following lines:
I also had problems with the autodiscover and autoconfig verification during the renewal, so I added the following lines:
#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------
# Each rule needs both conditions: the request path is an ACME challenge
# AND the Host header names one of the mailcow hostnames.
use_backend le_mailcowdatanetwork_backend if test_acme mailcowdatanetwork_host
use_backend le_mailcowboubou_backend if test_acme mailcowboubou_host
use_backend le_mailcowdatanetworkautoconfig_backend if test_acme mailcowdatanetworkautoconfig_host
use_backend le_mailcowboubouautoconfig_backend if test_acme mailcowboubouautoconfig_host
use_backend le_mailcowdatanetworkautodiscover_backend if test_acme mailcowdatanetworkautodiscover_host
use_backend le_mailcowboubouautodiscover_backend if test_acme mailcowboubouautodiscover_host
#---------------------------------------------------------------------
# Renew certificate Mailcow server
# (heading previously said "nextcloud"; every server below is 192.168.1.7,
# the host the mailcow backends also point at)
#---------------------------------------------------------------------
# All six backends are identical (same target, same mode); they could be a
# single backend referenced by one use_backend rule with an OR'ed host ACL.
backend le_mailcowdatanetwork_backend
mode http
server letsencrypt_mailcowdatanetwork_server 192.168.1.7:80 check
backend le_mailcowboubou_backend
mode http
server letsencrypt_mailcowboubou_server 192.168.1.7:80 check
backend le_mailcowdatanetworkautoconfig_backend
mode http
server letsencrypt_mailcowdatanetworkautoconfig_server 192.168.1.7:80 check
backend le_mailcowboubouautoconfig_backend
mode http
server letsencrypt_mailcowboubouautoconfig_server 192.168.1.7:80 check
backend le_mailcowdatanetworkautodiscover_backend
mode http
server letsencrypt_mailcowdatanetworkautodiscover_server 192.168.1.7:80 check
backend le_mailcowboubouautodiscover_backend
mode http
# Server name is missing "auto" (cosmetic only; server names are not
# referenced elsewhere in this config).
server letsencrypt_mailcowbouboudiscover_server 192.168.1.7:80 check
Now the renewal and creation of certificates work with the HTTP-01 challenge.
Here is the final configuration file; if you see any errors, thank you in advance for pointing them out.
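#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
daemon
user haproxy
group haproxy
# NOTE(review): with 'chroot /var/lib/haproxy' below, /dev/log must also
# exist inside the chroot (or the log target must be set up before the
# chroot takes effect), otherwise logging fails silently - verify on the host.
log /dev/log local6 notice
log /dev/log local5 info
maxconn 100000
chroot /var/lib/haproxy
pidfile /run/haproxy.pid
# Runtime API at 'level admin': anything that can connect to this socket can
# disable servers, change weights, or dump session state. The original used
# 'mode 777' (world read/write), letting any local user or process drive it.
# Restrict it to the haproxy user/group; run admin tooling as that user or root.
stats socket /var/run/haproxy/admin.sock user haproxy group haproxy mode 660 level admin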
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
# TCP passthrough by default (SNI routing on :443); the :80 ACME frontend,
# the stats page and the letsencrypt backends override this with 'mode http'.
mode tcp
option tcplog
log global
# Do not log connections that carried no data (e.g. health probes).
option dontlognull
# Bare numbers are milliseconds: 5 s to connect, 50 s idle client/server.
timeout connect 5000
timeout client 50000
timeout server 50000
# Custom error bodies; these are HTTP responses, so they only apply to the
# sections running in http mode.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
mode http
# NOTE(review): bound on every interface with plain-HTTP basic auth, so the
# stats password crosses the wire in clear unless the page is only ever
# reached through a TLS terminator. backend_proxystat below points at
# 127.0.0.1:444, which suggests such a local terminator; if so,
# 'bind 127.0.0.1:22222' (or an 'http-request deny unless { src <LAN_CIDR> }'
# guard, placeholder CIDR) would keep this page off the public side.
# Confirm how the page is actually reached before changing the bind.
bind :22222
stats enable
# Keep the HAProxy version string off the page.
stats hide-version
stats uri /stats
stats realm HAProxy-Statistics
# Credentials redacted in the post; keep real ones out of shared configs.
stats auth loguin:@XXXXXXX
stats refresh 30s
# Admin actions (enable/disable servers from the page) stay disabled.
# stats admin if TRUE
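#---------------------------------------------------------------------
# Front end Acme Challenge (both domains)
#---------------------------------------------------------------------
# One frontend owns :80. The original declared two frontends
# ('datanetwork.cloud:80' and 'boubou.me:80') that both bound ':80 v4v6';
# only the second carried the ACME ACLs and rules, so depending on how the
# kernel shares the port, a request could land on the empty frontend and get
# a 503 (or the second bind could fail outright). Merged into one.
frontend acme_http_in
bind :80 v4v6
mode http
# httplog instead of tcplog so the access log carries method/path/host.
option httplog
# Public HTTP listener: do not let a client hold a connection open
# indefinitely while sending its request headers.
timeout http-request 10s
#---------------------------------------------------------------------
# Check for Acme Challenge and validate url
#---------------------------------------------------------------------
acl test_acme path_beg /.well-known/acme-challenge/
# Hostnames whose HTTP-01 challenge is answered by the mailcow host:
# mail, autoconfig and autodiscover for both domains. Repeated 'acl' lines
# with the same name are OR'ed together.
acl mailcow_le_host hdr(host) -i mail.datanetwork.cloud mail.boubou.me
acl mailcow_le_host hdr(host) -i autoconfig.datanetwork.cloud autoconfig.boubou.me
acl mailcow_le_host hdr(host) -i autodiscover.datanetwork.cloud autodiscover.boubou.me
#---------------------------------------------------------------------
# If no Acme Challenge redirect HTTPS
#---------------------------------------------------------------------
redirect scheme https code 301 if !test_acme
#---------------------------------------------------------------------
# On Acme Challenge forward :80 to backend server
#---------------------------------------------------------------------
# No default_backend on purpose: a challenge request for a Host that is not
# listed above gets a 503 instead of being forwarded anywhere.
use_backend le_mailcow_backend if test_acme mailcow_le_host
#---------------------------------------------------------------------
# Renew certificate Mailcow server
#---------------------------------------------------------------------
# One backend replaces the six identical copies (all 192.168.1.7:80, mode
# http); this also means one health check against that port instead of six.
backend le_mailcow_backend
mode http
server letsencrypt_mailcow_server 192.168.1.7:80 check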
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
bind :443 v4v6
# TLS is not terminated here: routing is decided on the SNI in the
# ClientHello and the encrypted stream is handed to the chosen backend as-is.
mode tcp
option tcplog
log global
# Hold the connection for up to 5s so the ClientHello can be inspected;
# accept as soon as a ClientHello (handshake type 1) has been seen.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------
# -------------------------------
# ACLs
# -------------------------------
# Hostnames are partly redacted in the post (XXXX). Each ACL lists the bare
# name and its 'www.' alias; matching is case-insensitive (-i).
acl acl_nextcloud req.ssl_sni -i XXXXXX.datanetwork.cloud www.nextcloud.datanetwork.cloud
acl acl_ncs req.ssl_sni -i XXXX.datanetwork.cloud www.ncs.datanetwork.cloud
acl acl_phpnextcloud req.ssl_sni -i XXXX.datanetwork.cloud www.phpncs.datanetwork.cloud
acl acl_mailcowdatanetwork req.ssl_sni -i mail.datanetwork.cloud www.mail.datanetwork.cloud
acl acl_mailcowboubou req.ssl_sni -i mail.boubou.me www.mail.boubou.me
acl acl_freebox req.ssl_sni -i XXXX.datanetwork.cloud www.freebox.datanetwork.cloud
acl acl_plex req.ssl_sni -i XXXX.datanetwork.cloud www.plex.datanetwork.cloud
acl acl_tautulli req.ssl_sni -i XXXX.datanetwork.cloud www.tautulli.datanetwork.cloud
acl acl_proxy req.ssl_sni -i XXXX.datanetwork.cloud www.proxy.datanetwork.cloud
acl acl_proxystat req.ssl_sni -i XXXXt.datanetwork.cloud www.proxystat.datanetwork.cloud
acl acl_lenovo req.ssl_sni -i XXXX.datanetwork.cloud www.lenovo.datanetwork.cloud
acl acl_mx req.ssl_sni -i XXXX.datanetwork.cloud www.mx.datanetwork.cloud
acl acl_nas req.ssl_sni -i XXXX.datanetwork.cloud www.nas.datanetwork.cloud
acl acl_readynas req.ssl_sni -i XXXX.datanetwork.cloud www.readynas.datanetwork.cloud
acl acl_blog req.ssl_sni -i XXXX.boubou.me www.blog.boubou.me
# -------------------------------
# Conditions
# -------------------------------
# Rules are evaluated in order; the first matching ACL picks the backend.
# There is no default_backend, so a connection whose SNI matches nothing
# (or that sends no SNI) is not routed anywhere and is closed - i.e. the
# frontend fails closed rather than exposing a fallback service.
use_backend backend_nextcloud if acl_nextcloud
use_backend backend_ncs if acl_ncs
use_backend backend_phpnextcloud if acl_phpnextcloud
use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
use_backend backend_mailcowboubou if acl_mailcowboubou
use_backend backend_freebox if acl_freebox
use_backend backend_plex if acl_plex
use_backend backend_tautulli if acl_tautulli
use_backend backend_proxy if acl_proxy
use_backend backend_proxystat if acl_proxystat
use_backend backend_lenovo if acl_lenovo
use_backend backend_mx if acl_mx
use_backend backend_nas if acl_nas
use_backend backend_readynas if acl_readynas
use_backend backend_blog if acl_blog
#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
# Every backend is TCP passthrough. 'option ssl-hello-chk' health-checks the
# upstream by sending a TLS ClientHello; 'send-proxy' / 'send-proxy-v2'
# prepend a PROXY protocol (v1 / v2) header so the upstream sees the real
# client address - the upstream must be configured to accept that header,
# otherwise it receives it as garbage ahead of the TLS handshake.
# APP 1 NEXTCLOUD
backend backend_nextcloud
description NEXTCLOUD
mode tcp
option ssl-hello-chk
# Only server using PROXY protocol v1 ('send-proxy'); all others use v2.
# Presumably what this upstream is configured for - confirm before changing.
server server_nextcloud 192.168.1.5:443 check send-proxy
# APP 2 NCS NEXTCLOUD STATS
backend backend_ncs
description NCS NEXTCLOUD STATS
mode tcp
option ssl-hello-chk
server server_ncs 192.168.1.5:444 check send-proxy-v2
# APP 3 PHP NCS NEXTCLOUD
backend backend_phpnextcloud
description PHP NEXTCLOUD
mode tcp
option ssl-hello-chk
# Same target as backend_ncs (192.168.1.5:444); the split is only by SNI.
server server_phpnextcloud 192.168.1.5:444 check send-proxy-v2
# APP 4 MAILCOW DATANETWORK
# APP 4 and APP 5 are identical targets (192.168.1.7:443, no PROXY header);
# one mailcow instance serves both domains.
backend backend_mailcowdatanetwork
description MAILCOW DATANETWORK
mode tcp
option ssl-hello-chk
server server_mailcowdatanetwork 192.168.1.7:443 check
# APP 5 MAILCOW BOUBOU
backend backend_mailcowboubou
description MAILCOW BOUBOU
mode tcp
option ssl-hello-chk
server server_mailcowboubou 192.168.1.7:443 check
# APP 6 FREEBOX DELTA
# APP 6 to APP 14 all hand off to a local TLS service on 127.0.0.1:444 with
# PROXY v2; that service presumably dispatches on SNI again - the SNI
# routing here is what keeps the names apart.
backend backend_freebox
description FREEBOX DELTA
mode tcp
option ssl-hello-chk
server server_freebox 127.0.0.1:444 check send-proxy-v2
# APP 7 PLEX
backend backend_plex
description PLEX
mode tcp
option ssl-hello-chk
server server_plex 127.0.0.1:444 check send-proxy-v2
# APP 8 TAUTULLI
backend backend_tautulli
description TAUTULLI
mode tcp
option ssl-hello-chk
server server_tautulli 127.0.0.1:444 check send-proxy-v2
# APP 9 PROXY NETDATA
backend backend_proxy
description PROXY NETDATA
mode tcp
option ssl-hello-chk
server server_proxy 127.0.0.1:444 check send-proxy-v2
# APP 10 PROXY STATS
# Front door for the HAProxy stats page ('listen stats' on :22222), via the
# local TLS service.
backend backend_proxystat
description HAPROXY STATS
mode tcp
option ssl-hello-chk
server server_proxystat 127.0.0.1:444 check send-proxy-v2
# APP 11 NETDATA LENOVO TS-150
backend backend_lenovo
description TS150 NETDATA
mode tcp
option ssl-hello-chk
server server_lenovo 127.0.0.1:444 check send-proxy-v2
# APP 12 MX NETDATA
backend backend_mx
description MX NETDATA
mode tcp
option ssl-hello-chk
server server_mx 127.0.0.1:444 check send-proxy-v2
# APP 13 NAS NETDATA
backend backend_nas
description NAS NETDATA
mode tcp
option ssl-hello-chk
server server_nas 127.0.0.1:444 check send-proxy-v2
# APP 14 READYNAS
backend backend_readynas
description READYNAS
mode tcp
option ssl-hello-chk
server server_readynas 127.0.0.1:444 check send-proxy-v2
# APP 15 BLOG
backend backend_blog
description BLOG
mode tcp
option ssl-hello-chk
server server_blog 192.168.1.5:444 check send-proxy-v2