Ubuntu 16.04.4 (Kernel 4.4.0-122-generic APR 23 2018)
HA-Proxy version 1.6.3 2015/12/25
cat /etc/haproxy/haproxy.cfg
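global
    # Process-wide settings. The daemon starts as root, reads its certificate
    # and error files while parsing this configuration, then chroots into
    # /var/lib/haproxy and drops to haproxy:haproxy.
    maxconn 4096
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    chroot /var/lib/haproxy
    daemon
    # Logs are sent over UDP to a syslog daemon on 127.0.0.1 (port 514,
    # facility local0). Nothing lands in /var/log/haproxy.log unless that
    # listener exists; the empty log reported on this page points that way.
    log 127.0.0.1 local0
    # Runtime API socket. "level admin" permits state changes (disabling
    # servers, etc.), so keep mode 660 and the haproxy group ownership.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 10s
    # Mozilla "intermediate" cipher list. The original line ended in "!DS",
    # which OpenSSL does not recognise (an unknown rule is skipped rather
    # than rejected), so the DHE-DSS suites selected by DH+AES were
    # presumably still offered; "!DSS" is the intended exclusion.
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    # Only SSLv3 is disabled; TLS 1.0 and 1.1 remain on. HAProxy 1.6 also
    # accepts no-tlsv10 / no-tlsv11 here once legacy clients are not needed.
    ssl-default-bind-options no-sslv3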
defaults
# Settings inherited by every frontend and backend defined below.
maxconn 4096
log global
mode http
# HTTP-format log lines; dontlognull drops entries for connections that
# never sent any data (e.g. TCP-level probes).
option httplog
option dontlognull
# A failed connection to a server is retried up to 3 times, and redispatch
# lets a retry pick another server in the backend.
retries 3
option redispatch
# The server-side connection is closed after each response; the client side
# may stay open.
option http-server-close
# Adds an X-Forwarded-For header carrying the client address. A header of
# that name sent by the client is passed through untouched ahead of it, so
# backends must not trust the first value they see.
option forwardfor
# Values without a unit are milliseconds: 5 s to connect, 50 s of
# client-side / server-side inactivity.
timeout connect 5000
timeout client 50000
timeout server 50000
# Static bodies served by haproxy itself for the listed status codes.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
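frontend www-http
    # Plain-HTTP listener whose only job is to send every request to HTTPS.
    bind *:80
    mode http
    option forwardfor
    option http-server-close
    option http-pretend-keepalive
    reqadd X-Forwarded-Proto:\ http
    # ssl_fc is never true on a plain bind, so this 301 applies to every
    # request, including ACME challenges: Let's Encrypt's HTTP-01 validation
    # follows the redirect and the HTTPS frontend routes the path to
    # letsencrypt-backend.
    redirect scheme https code 301 if !{ ssl_fc }
    # The Strict-Transport-Security header formerly set here was removed:
    # user agents ignore HSTS received over plain HTTP (RFC 6797, section
    # 8.1), and in this HAProxy version http-response rules are, as far as
    # I know, not applied to haproxy's own redirect responses either. The
    # header belongs on the HTTPS frontend.
    #default_backend nc_cluster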
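frontend www-https
    # TLS terminates here. A directory after "crt" loads every .pem in it,
    # each bundling certificate chain and private key. NOTE(review): the
    # certs listing on this page shows those files as mode 0644
    # (world-readable) and the certs directory as drw-r--r-- (no execute
    # bit); files holding private keys should be 0600 root:root.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/
    # Overwrite rather than append (the original used reqadd, which would
    # leave a client-supplied X-Forwarded-Proto in place next to ours).
    http-request set-header X-Forwarded-Proto https
    # HSTS is only honoured by browsers when received over TLS, so it is
    # emitted here rather than on the port-80 frontend.
    http-response set-header Strict-Transport-Security max-age=31536000
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    # Routing is by the TLS SNI value (exact, case-sensitive string match),
    # not by the Host header. There is no default_backend, so a request whose
    # SNI matches none of these, or that carries no SNI, is answered with
    # the 503 error page.
    use_backend nc_cluster if { ssl_fc_sni nc.problemdomain.at }
    use_backend oo_cluster if { ssl_fc_sni oo.problemdomain.at }
    use_backend seconddomain_cluster if { ssl_fc_sni www.seconddomain.co.at }
    use_backend seconddomain_cluster if { ssl_fc_sni seconddomain.co.at }
    use_backend thirddomain_cluster if { ssl_fc_sni www.thirddomain.co.at }
    use_backend thirddomain_cluster if { ssl_fc_sni thirddomain.co.at }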
backend nc_cluster
# Single node. Proxy-to-node traffic is plain HTTP on port 80 (TLS ends at
# the frontend); "check" enables periodic health checks.
server node1 10.101.114.111:80 check
backend oo_cluster
# Single node reached over plain HTTP on port 80, with health checks enabled.
server node1 10.101.114.91:80 check
backend seconddomain_cluster
# Serves both www.seconddomain.co.at and seconddomain.co.at; plain HTTP on
# port 80 behind the TLS frontend, health checks enabled.
server node1 10.10.10.1:80 check
backend thirddomain_cluster
# Serves both www.thirddomain.co.at and thirddomain.co.at; plain HTTP on
# port 80 behind the TLS frontend, health checks enabled.
server node1 10.10.10.2:80 check
backend letsencrypt-backend
# Local listener of the ACME client, used only for /.well-known/acme-challenge/.
# No "check" here, so haproxy assumes it is up and a connection failure only
# surfaces at request time (as a 503 after the retries).
server letsencrypt 127.0.0.1:54321
/etc/haproxy# ls -l
total 16
drw-r--r-- 2 root root 4096 Apr 16 13:26 certs
drwxr-xr-x 2 root root 4096 Dez 1 14:03 errors
-rw-r--r-- 1 root root 2632 Mai 4 19:53 haproxy.cfg
-rwxr-xr-x 1 root root 33 Dez 4 11:33 haproxy_stats.sh
/etc/haproxy/certs# ls -l
total 48
-rw-r--r-- 1 root root 5490 Mai 4 19:52 nc.problemdomain.at.pem
-rw-r--r-- 1 root root 5490 Mai 4 19:52 oo.problemdomain.at.pem
-rw-r--r-- 1 root root 5514 Mai 4 19:52 seconddomain.co.at.pem
-rw-r--r-- 1 root root 5518 Mai 4 19:52 thirddomain.co.at.pem
-rw-r--r-- 1 root root 5526 Mai 4 19:52 www.seconddomain.co.at.pem
-rw-r--r-- 1 root root 5530 Mai 4 19:52 www.thirddomain.co.at.pem
/etc/haproxy/certs# openssl x509 -in nc.problemdomain.at.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:4b:b5:fc:01:26:f0:1c:99:9f:1f:f7:6d:99:a3:cc:c7:e5
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: May 4 10:35:15 2018 GMT
Not After : Aug 2 10:35:15 2018 GMT
Subject: CN=nc.problemdomain.at
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:3b:0d:f2:88:4b:d7:4e:95:a4:b8:eb:15:2b:
03:8b:62:12:b5:69:ee:7b:69:a7:f1:9a:8f:93:36:
61:2a:5c:37:43:1a:65:48:bb:09:8d:ef:60:68:23:
07:1c:49:14:10:04:72:d2:82:1a:dd:21:7b:ed:65:
87:44:03:3d:21:84:91:c0:19:6f:cd:23:ab:a5:95:
12:45:26:6b:6a:e8:a4:3d:9c:5f:1a:5c:c9:44:81:
a3:ce:76:33:fc:f6:d3:12:11:17:c1:7c:44:7c:60:
b9:ed:49:6e:c1:0c:f5:c9:e5:70:d8:88:26:f1:5d:
2f:be:eb:c6:f0:bc:aa:a6:1a:6c:90:5a:26:c8:c8:
b3:ca:4e:b7:15:bf:53:0c:d6:93:82:1b:25:2b:27:
cb:a9:83:73:af:30:a6:a7:95:25:26:8c:85:e5:ab:
b1:58:0d:ed:72:b4:89:c9:e8:34:f6:90:8b:b9:ca:
53:85:21:66:ff:fb:c0:8c:f0:da:57:24:9b:66:18:
b7:a1:87:9b:be:18:73:dd:e4:26:34:e6:77:bc:c9:
d2:9f:4a:0d:e4:c4:90:fd:a3:a7:cf:07:1c:f0:1c:
39:98:2d:2b:de:7d:d0:d1:74:3f:f2:03:81:f9:66:
96:d1:58:6d:b4:db:a9:32:c5:92:6a:2a:22:c9:48:
4f:f7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
63:8F:3B:20:18:D8:07:2A:CE:AA:D1:DD:0F:BC:3D:2C:C1:83:65:FF
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:nc.problemdomain.at
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
Timestamp : May 4 11:35:15.142 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:81:E2:4F:09:71:2E:52:44:78:3C:BD:
70:84:F2:E4:3C:0F:65:91:DF:84:7A:FF:3D:56:AE:B8:
DE:75:70:95:7C:02:20:2F:EE:DD:86:9D:B1:86:73:5E:
43:59:B3:55:A0:E8:25:9D:8D:F3:6B:0B:18:ED:5C:92:
E5:65:3D:5B:31:1E:4B
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : May 4 11:35:15.162 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:D4:8A:D9:BF:02:82:5F:3B:93:77:E8:
8E:6C:96:40:38:E6:D2:F2:F0:E8:54:02:37:5B:AC:46:
03:B4:89:9F:EF:02:20:4B:1C:55:57:60:1C:9E:89:79:
DB:94:30:92:3B:37:11:9E:F2:1B:ED:89:6C:C7:BE:B9:
34:0C:47:75:5D:24:92
Signature Algorithm: sha256WithRSAEncryption
9a:2d:db:03:5d:08:90:c4:4a:b1:d5:0f:bd:8a:b9:ae:35:9f:
36:f7:d5:49:f4:3e:c7:34:6b:58:53:69:38:d9:55:9e:1a:f0:
d1:c4:ed:d9:dd:91:72:73:36:2a:72:a2:7c:d2:f0:76:50:72:
f1:e2:ec:94:74:e2:5e:ed:29:8a:f7:60:cc:84:7b:d1:12:09:
8f:d9:ec:3d:47:f0:79:32:43:20:9b:cd:ee:51:d0:3a:ca:fb:
f5:ae:ac:a4:9b:c7:51:e3:40:d6:ec:68:4e:f7:4b:61:af:ee:
83:0e:fa:27:56:3d:fc:4f:34:94:2e:9c:5b:0b:87:ec:38:15:
0f:dc:3a:1a:15:bf:2f:85:00:18:e2:3f:d5:c9:3a:7d:45:b6:
95:54:35:e6:fd:a7:58:31:75:f7:ba:6d:3d:b7:37:8a:70:9d:
dc:1a:b3:c1:54:85:19:b9:7e:89:e4:e1:b8:c9:38:42:c1:00:
e5:9f:65:05:2a:f5:03:a9:3a:c0:45:20:a0:85:b5:70:ac:6a:
36:41:91:92:55:86:6a:cd:89:66:a5:37:29:70:f6:0d:cb:4b:
1e:ff:32:d9:2f:e7:70:04:14:a2:7a:97:74:20:ac:32:fa:d6:
e7:4d:c3:a7:3a:c1:5f:02:5b:8f:a6:d7:9f:6e:d5:d4:af:b9:
ff:23:32:7d
/var/log/haproxy.log is empty
sudo haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
This is my actual config; only the original domain names have been veiled.