Hi all,
I inherited infrastructure with HAProxy and my domain cert is due for renewal.
Certbot renew is failing, so I did some digging and realized HAProxy SSL is slightly different.
Below is the message I’m getting after running ‘certbot renew’:
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (www.mydomain.com) from /etc/letsencrypt/renewal/www..mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www..mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.k.mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Here’s an extract from my config file:
frontend http-in
    bind *:80
    #add support for ssl
    bind *:443 ssl crt /etc/ssl/certs/mycert.pem
    mode http
    option httpclose
    option forwardfor
    option http-server-close
    acl url_backend path_sub -i admin /api/ admin_indexers /key/
    acl url_backend path_beg -i /.well-known /api.php /blog/
    acl url_forb path_reg -i ^/marketplace/?$ ^/marketplace/seller/?$ ^/marketplace/seller/profile/?$ ^/marketplace/seller/profile/shop/?$
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    block if url_forb
    use_backend web-backend if url_backend
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend web-servers

backend web-backend
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
    #to web-backend
    server web 192.168.144.185:80 check

backend web-servers
    mode http
    reqadd X-Forwarded-Proto:\ https
    balance roundrobin
    #enable 302 redirect http -> https
    redirect scheme https if !{ ssl_fc }
    http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
    #to web-backend
    server web 192.168.144.185:80 check
    #Varnish
    # server varnish 127.0.0.1:6081 check

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
I can see the letsencrypt server listens on 54321, but this does not tell me much, tbh.
Would I need to call this server during SSL renewal? If so, how would I go about it?
Many thanks!
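One way this kind of setup is commonly wired together, as an added example and not code from the original post: the posted frontend forwards /.well-known/acme-challenge/ to 127.0.0.1:54321, which is the pattern used when certbot runs its standalone authenticator on that port, so the renewal can be told to use standalone instead of the stored manual plugin that produces the error above. The script assumes that is what the letsencrypt-backend was for (the post does not say how the certificate was originally issued), assumes HAProxy reads its combined chain-plus-key file from /etc/ssl/certs/mycert.pem as in the posted bind line, and assumes `systemctl reload haproxy` is the reload command; RENEWED_LINEAGE is the environment variable certbot exports to deploy hooks.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Renews with certbot's standalone
# authenticator on the port HAProxy already forwards ACME challenges to, then
# rebuilds the combined PEM HAProxy expects and reloads HAProxy.
#
# Assumptions (not stated in the post):
#   - letsencrypt-backend 127.0.0.1:54321 was meant for certbot --standalone
#     --http-01-port 54321
#   - HAProxy's `crt` file is /etc/ssl/certs/mycert.pem (from the posted bind)
#   - HAProxy is reloaded with `systemctl reload haproxy`
set -eu

ACME_PORT="${ACME_PORT:-54321}"
HAPROXY_PEM="${HAPROXY_PEM:-/etc/ssl/certs/mycert.pem}"

# HAProxy's `crt` wants one file holding the full chain followed by the private
# key. Build it in a temp file and rename it into place so HAProxy never sees a
# half-written file, and keep it owner-readable only because it holds the key.
build_haproxy_pem() {
    live_dir="$1"   # e.g. /etc/letsencrypt/live/www.mydomain.com
    out_pem="$2"    # e.g. /etc/ssl/certs/mycert.pem
    tmp="$(mktemp "${out_pem}.XXXXXX")"
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out_pem"
}

# Sanity check before reloading: the combined PEM must contain at least one
# certificate block and exactly one private key block. Non-zero exit otherwise,
# so a botched concatenation never reaches a running HAProxy.
check_haproxy_pem() {
    pem="$1"
    certs="$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)"
    keys="$(grep -c 'BEGIN.*PRIVATE KEY' "$pem" || true)"
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# `certbot renew` reads the stored renewal .conf; the flags below override the
# authenticator it recorded (manual, in the post) for this run. The deploy hook
# only fires for lineages that actually renewed.
renew_certs() {
    certbot renew "$@" \
        --authenticator standalone \
        --preferred-challenges http \
        --http-01-port "$ACME_PORT" \
        --deploy-hook "$0 deploy"
}

case "${1:-}" in
    deploy)
        # Invoked by certbot after a successful renewal; RENEWED_LINEAGE is the
        # live/ directory certbot exports to deploy hooks.
        build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_PEM"
        check_haproxy_pem "$HAPROXY_PEM"
        systemctl reload haproxy
        ;;
    dry-run)
        # Exercise the whole path against the staging CA without touching the
        # real certificate; do this first after changing plugins.
        renew_certs --dry-run
        ;;
    renew)
        renew_certs
        ;;
esac
```

Run it once as `./renew-haproxy.sh dry-run` (HAProxy stays up; the challenge reaches certbot on 54321 through the existing ACL) and, when that succeeds, `./renew-haproxy.sh renew` from cron or a timer. The PEM checks are there because HAProxy will keep serving the old certificate from memory until a reload, and a reload against a malformed `crt` file is what turns a quiet renewal failure into an outage.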