HAProxy community

Configure Haproxy and two nginx web servers with Letsencrypt

Hello everybody. I have configured HAProxy with two Nginx servers behind it, with Let's Encrypt installed on one of them.
HAProxy config:

global
    log         127.0.0.1 local2   # syslog address was missing from the post; 127.0.0.1 is the stock default
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    tune.ssl.default-dh-param 2048
    stats socket /var/lib/haproxy/stats

defaults
    # common defaults that all the 'listen' and 'backend' sections will
    # use if not designated in their block
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8   # the except address was missing from the post; stock default used
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         30s
    timeout client          30m
    timeout server          30m
    timeout http-keep-alive 10s
    timeout check           30s
    maxconn                 3000
    cookie JSESSIONID prefix nocache
    option tcplog

frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend http-servers

backend http-servers
    balance roundrobin
    # server addresses were stripped from the post; <web1-address>/<web2-address> are placeholders
    server web1 <web1-address>:80 check cookie web1
    server web2 <web2-address>:80 check cookie web2

frontend https-in
    bind *:443
    mode tcp
    default_backend https-servers

backend https-servers
    mode tcp
    option ssl-hello-chk
    balance roundrobin
    fullconn 200
    server webssl1 <web1-address>:443 check-ssl verify none cookie webssl1 send-proxy
    server webssl2 <web2-address>:443 check-ssl verify none cookie webssl2 send-proxy backup

listen stats
    bind :8080
    stats enable
    stats uri /haproxy_stats
    stats auth admin:password
In the DNS records, all domain names point to the public IP of this HAProxy.
But when I try to configure certificates through Let's Encrypt, I get the error "Invalid response from". When I change the A records to the IP address of the nginx web server on which certbot is installed, the certificates are generated correctly. What should I do to fix this problem?

You are load-balancing traffic between the 2 nginx servers; this cannot possibly work.

Can you explain how you would like this work, since both nginx servers need to have the certificate? Are you copying the certificate to the other nginx server, if successfully obtained from LE?

Hi, thanks for the answer. After the certificate is successfully generated, I copy it to the other web server using git.

Ok, then either you configure haproxy so even in HTTP on port 80 only the primary server is used (by declaring the backup keyword on the secondary server, just like you are already doing with HTTPS), or you need to manually route ACME traffic to the specific primary server.
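A worked version of the second option from the reply above, added here as an example and not config taken from the thread: only ACME HTTP-01 challenge requests on port 80 are routed to the server that runs certbot, while all other plain-HTTP traffic keeps being balanced. The server addresses are placeholders, since the post does not show them.

```haproxy
frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    # Let's Encrypt validates HTTP-01 by fetching /.well-known/acme-challenge/<token>;
    # match on the path prefix so only those requests are pinned to the certbot host
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme-challenge if is_acme
    default_backend http-servers

# Only the server that runs certbot can answer the challenge, so it is the sole member here
backend acme-challenge
    server web1 <web1-address>:80 check

backend http-servers
    balance roundrobin
    # <web1-address>/<web2-address> are placeholders for the two nginx servers
    server web1 <web1-address>:80 check cookie web1
    server web2 <web2-address>:80 check cookie web2
    # Alternative (first option in the reply): drop the acl/use_backend lines above and
    # add "backup" to web2 so port 80 also goes only to web1 while it is healthy
```

After reloading, a request to http://<your-domain>/.well-known/acme-challenge/test from outside should reach web1 regardless of which server the round-robin would otherwise pick; the HTTPS side already does this because webssl2 is marked backup.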