Unable to renew SSL certificates with servers using SSL passthrough

I am new to HAProxy. Currently, I have two different web servers, each with their own subdomain, behind my HAProxy setup. In order for each of these web servers to initially get their own SSL certificate, I had to port forward 443 and 80 from the router to each server individually and use certbot. Then I activated HAProxy & forwarded 80 & 443 from router to HAProxy.


  • I can successfully access either web server on port 80, which then redirects to 443
  • I can successfully access either web server on port 443 and I see that they both register as having valid Let’s Encrypt cert
  • Certbot fails to renew SSL certs on either server

Here is my haproxy.conf:
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
mode tcp
log global
option tcplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend main
bind :443
mode tcp
tcp-request inspect-delay 10s
# block annoying worms that fill the logs…
acl forbidden_uris url_reg -i .
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

tcp-request content accept if { req_ssl_hello_type 1 }
use_backend nextcloud if { req_ssl_sni -m end nextcloud.domain.com }
use_backend chat if { req_ssl_sni -m end chat.domain.com }

default_backend nextcloud

frontend port80-redirect
bind *:80
mode http
redirect scheme https

backend chat
mode tcp
server chat check

backend nextcloud
mode tcp
server nextcloud check

Does anyone have any ideas on what I change to get these servers’ certbot to successfully renew the SSL certs?

I worked around the issue I was having by using a DNS provider with an API supported by acme.sh and it’s all working. Not sure how to mark this as solved.