According to the installation instructions, I should add a cron job as follows:

sudo crontab -e
5 8 * * 6 /usr/bin/cert-renewal-haproxy.sh

The problem I see is /etc/cron.d/certbot (it is installed when installing certbot) renews the certs but will not regenerate the haproxy.pem files as required. If /etc/cron.d/certbot runs before cert-renewal-haproxy.sh, then the certs will already be renewed, and cert-renewal-haproxy.sh will fail to regenerate the haproxy.pem files.

I think that the install instructions should say that /etc/cron.d/certbot must be disabled if it has been installed.

Another minor issue is that "letsencrypt-auto" no loner exists, it should be renamed to "cerbot".

Could you add a license please? GPL-2 maybe?

Hi,

I am using the latest letsencrypt + validation plugin on haproxy 1.6.4 and Ubuntu 14.04 LTS, but the LUA script cannot find files, even if I manually put them there.

for example, if I put the file abcd in /mnt/ssl/letsencrypt/.well-known/acme-challenge/ (which is my folder), and access the url in my browser, I get the following error

Apr 18 20:44:17 haproxy haproxy[57762]: [acme] http-01 token not found: abcd (client-ip: .)

I added a debug log to the script and let it print the pathname:

Apr 18 20:54:30 haproxy haproxy[57762]: [acme] getting token from: /mnt/ssl/letsencrypt/.well-known/acme-challenge/abcd

The folder /mnt/ssl/ is fully accessible r+w for all users, it is a network drive though (I use multiple haproxy instances and want them all to access the same folder).

ls -al /mnt/ssl/letsencrypt/.well-known/acme-challenge/abcd
-rwxrwxrwx 1 root root 11 Apr 18 20:38 /mnt/ssl/letsencrypt/.well-known/acme-challenge/abcd

Any idea what it could be?

Is it possible to have several different SSL certificates (SNI) for dfifferent hosts (foo.com, bar.com) that have been generated by letsencrypt, and provide automatically the good SSL certificate in haproxy ? If yes, could you provide an example ?

Hi,
can I use this validation plugin if Certbot is running on a server "behind" HAProxy?
If yes, what is the relevant configuration considering

• SSL termination on HAProxy
• Any communication on port 80 is redirected to port 443

THX

I've installed the validation plugin by following the procedure. Initially the script worked but after a while it didn't.

Environment:

• Installed 2 Haproxy servers with a floating IP in front
• HA-Proxy version 1.6.3 2015/12/25
• Operating system: Ubuntu Xenial
• 2 NGINX back-end web servers

Steps to reproduce:

• Haproxy runs in chroot mode
• Configured the global and front-end sections according to the instructions
• Restarted Haproxy
• Haproxy seems to load the lua plugin: haproxy1 haproxy-systemd-wrapper[432]: [info] 126/114103 (433) : [acme] http-01 plugin v0.1.1
• If I generate a certificate it does create the tokens in the folder: /var/lib/haproxy/.well-known/acme-challenge/ on the Haproxy server
• I ran the letsencrypt/certbot client to generate new certificates, with the results in de log dump below:
• It seems that the authorization request is directly forwarded from the Haproxy system to the back-end servers and that the lua doesn't capture and process these requests. On the back-end webservers I see incoming requests from Let's Encrypt looking for the http://domainx.com/.well-known/acme-challenge/nYD1_fbMcn5Op0XoWI5XJsIQsSgAJ-SfieuLW5hNf3U

Start log<<
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domainx.net
http-01 challenge for www.domainx.net
http-01 challenge for ads.domainx.net
http-01 challenge for domainx.com
Using the webroot path /var/lib/haproxy for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domainx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domainx.com/.well-known/acme-challenge/nYD1_fbMcn5Op0XoWI5XJsIQsSgAJ-SfieuLW5hNf3U: "

404 Not Found

body {
background-color: #fff;
margin: 40px;
font-fa"

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: domainx.com
  Type: unauthorized
  Detail: Invalid response from
  http://domainx.com/.well-known/acme-challenge/nYD1_fbMcn5Op0XoWI5XJsIQsSgAJ-SfieuLW5hNf3U:
  "

  <title>404 Not Found</title>

  404 Not Found

  ---

  "

  Domain: www.domainx.net
  Type: unauthorized
  Detail: Invalid response from
  http://www.domainx.net/.well-known/acme-challenge/AN9zePHcugsfYs6hAbia2jnDkZYqLnyUvWxkLHhXH0g:
  "

  <title>404 Page Not Found</title> <style type="text/css">

  body {
  background-color: #fff;
  margin: 40px;
  font-fa"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A record(s) for that domain
  contain(s) the right IP address.

End log<<

Can I use this plugin if we are serving many domains from one haproxy-instance?

Currently we are serving serts using the crt-list mechanism, which lists domains and their certs.

We also have multiple front ends (different ip-addresses).

Hi,

I have configured HAProxy like this:
frontend http bind *:80 mode http # Set X-SSL in case of ssl_fc http-request set-header X-SSL %[ssl_fc] # Adds http header to end of the HTTP request reqadd X-Forwarded-Proto:\ http # Test URI to see if its a letsencrypt request acl url_acme_http01 path_beg /.well-known/acme-challenge/ http-request use-service lua.acme-http01 if METH_GET url_acme_http01 default_backend default

However, I cannot access any service on port 80 because it is entended that https will be enforced.
Instead I get a 503 error.

My previous configuration was different:
frontend public # Listen on port 80 bind *:80 # Set X-SSL in case of ssl_fc http-request set-header X-SSL %[ssl_fc] # Adds http header to end of the HTTP request reqadd X-Forwarded-Proto:\ http #default_backend default

Hi,
Many thanks for your work.

While using the cert-renewal-haproxy.sh with cron as root, I experienced an issue with dependancies the certbot-auto bootstraper was trying to update, using interactive mode.

Cerbot-auto bootstrap was calling apt-get install without the default yes flag, thus the script was aborting, as apt-get was not receiving y to continue.

Using the --non-interactive flag in the issuecert shortcut function allows to force the bootstraper using default yes flag (-y) with apt-get.

Thanks for this it's been working great for past couple of years but I'm wanting to get a wildcard certificate and letsencrypt FAQ says that requires ACME v2 api. This tool uses v1 api.

Are there plans to upgrade this tool to v2 or should I switch to https://www.haproxy.com/blog/lets-encrypt-acme2-for-haproxy/ ?

Whenever I attempt to get a new certificate, my haproxy service crashes with a segmentation fault.

00000266:production_webserver_frontend.accept(0007)=0010 from [66.133.109.36:49292]
00000266:production_webserver_frontend.clireq[0010:ffffffff]: GET /.well-known/acme-challenge/token HTTP/1.1
00000266:production_webserver_frontend.clihdr[0010:ffffffff]: Host: site.example.com
00000266:production_webserver_frontend.clihdr[0010:ffffffff]: User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
00000266:production_webserver_frontend.clihdr[0010:ffffffff]: Accept: /
00000266:production_webserver_frontend.clihdr[0010:ffffffff]: Accept-Encoding: gzip
00000266:production_webserver_frontend.clihdr[0010:ffffffff]: Connection: close
[info] 314/131321 (25402) : [acme] served http-01 token: token (client-ip: 66.133.109.36)
00000266:production_sites_nosni_be.srvrep[0010:ffffffff]: HTTP/1.1 200 OK
00000266:production_sites_nosni_be.srvhdr[0010:ffffffff]: Content-Type: text/plain
00000266:production_sites_nosni_be.srvhdr[0010:ffffffff]: Content-Length: 88
00000266:production_sites_nosni_be.srvhdr[0010:ffffffff]: Server: haproxy/acme-http01-authenticator
00000266:production_sites_nosni_be.srvhdr[0010:ffffffff]: Connection: close
Segmentation fault

IN the lua script, there are a few undefined variables.

_strip and auth are missing local

After renewing the certificate, the script fails to create happroxy.pem. This is because the tee is invoked with sudo which causes the command to fail. It's safe to remove sudo as the entire script will be invoked with sudo anyway.

$ git diff
diff --git a/cert-renewal-haproxy.sh b/cert-renewal-haproxy.sh
index 1beb462..4712a23 100755
--- a/cert-renewal-haproxy.sh
+++ b/cert-renewal-haproxy.sh
@@ -90,7 +90,7 @@ done < <(find /etc/letsencrypt/live -name cert.pem -print0)

 # create haproxy.pem file(s)
 for domain in ${renewed_certs[@]}; do
-  cat ${le_cert_root}/${domain}/privkey.pem ${le_cert_root}/${domain}/fullchain.pem | sudo tee ${le_cert_root}/${domain}/haproxy.pem >/dev/null
+  cat ${le_cert_root}/${domain}/privkey.pem ${le_cert_root}/${domain}/fullchain.pem | tee ${le_cert_root}/${domain}/haproxy.pem >/dev/null
   if [ $? -ne 0 ]; then
     logger_error "failed to create haproxy.pem file!"
     exit 1

I'm back at trying to set up letsencrypt how I want it. The issue I'm having now is that for the only site I'm allowing http I'm using "use_backend" on the same frontend as the plugin is used. But that seems to interfer with this plugin and gets prio. So for the below http config, there's no problem for the redirected subdomains, but blog.woodenstake.se fails:

frontend http
    mode http
    bind *:80
    option httplog

    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth viktor:8203101418

    # Letsencrypt: https://github.com/janeczku/haproxy-acme-validation-plugin
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01

    redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
    redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }

   use_backend ghost if { hdr(host) -i blog.woodenstake.se }

Running with virtualenv: /home/viktor/.local/share/letsencrypt/bin/letsencrypt certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email [email protected] -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se --test-cert --break-my-certs
Failed authorization procedure. blog.woodenstake.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.woodenstake.se/.well-known/acme-challenge/Y4CpPlqq14aONp7Wr6nXcHR2ZGa_3dEtWf49GEzdank [89.253.88.3]: 400

Any idea?

I'm currently running a 2 node (chrooted) Haproxy cluster behind an IP load balancer. I was able to successfully validate certificates on one node without the IP load balancer. But now the request is redirected to one of the two Haproxy nodes randomly. Therefore I've created a shared filesystem between the 2 Haproxy nodes which is mounted to the /var/lib/haproxy as .well-known. So on each server there is a shared folder /var/lib/haproxy/.well-known/ (permissions: user root:root 755)

If I trigger the certbot validation process it does create the respective keyfiles on the shared file system in the folder /var/lib/haproxy/.well-known/acme-challenge/

But somehow the Haproxy nodes aren't picking up the requests and the validation fails.
A trail of the Haproxy log:

Oct 20 15:18:36 haproxy1 haproxy[396]: 10.108.48.215:11621 [20/Oct/2017:15:18:36.724] www-http-sites webx/ 0/-1/-1/-1/0 302 127 - - LR-- 0/0/0/0/3 0/0 "GET /wp-login.php HTTP/1.0"
Oct 20 15:19:06 haproxy1 haproxy[396]: 10.108.33.168:22165 [20/Oct/2017:15:19:06.473] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU HTTP/1.1"
Oct 20 15:19:06 haproxy1 haproxy[396]: [acme] http-01 token not found: 2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU (client-ip: 10.108.33.251)
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[361]: haproxy-systemd-wrapper: exit, haproxy RC=0
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[530]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
Oct 20 15:19:06 haproxy1 haproxy[531]: [acme] http-01 plugin v0.1.1
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[530]: [info] 292/151906 (531) : [acme] http-01 plugin v0.1.1
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy www-http-sites started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy www-http-sites started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy https started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy https started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy webx started.
Oct 20 15:19:06 haproxy1 haproxy[396]: [acme] http-01 token not found: 2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU (client-ip: 10.108.33.251)
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.33.168:28968 [20/Oct/2017:15:19:07.020] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:7949 [20/Oct/2017:15:19:07.023] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:13721 [20/Oct/2017:15:19:07.042] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:15886 [20/Oct/2017:15:19:07.048] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:12860 [20/Oct/2017:15:19:07.050] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.33.168:28268 [20/Oct/2017:15:19:07.197] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:12750 [20/Oct/2017:15:19:07.248] www-http-sites webx/<lua.acme-http01> 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: [acme] http-01 token not found: gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY (client-ip: 10.108.33.251)

Does anyone have a suggestion how to fix this? Or have a good suggestion on how to setup the ACME lua in a clustered Haproxy with IP load balancer environment?

Awesome plugin! I've been googling crazy on how to setup letsencypt with my haproxy setup serving multiple sites and this seems to be just what I need.

I'm having problems though:

I have made the changes to haproxy.cfg as per your instructions.

I run the following:

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy -d jenkins.woodenstake.se --renew-by-default --agree-tos --email [email protected]

And while it's running, I can ll to see that there is a file appearing briefly where it should:

viktor@i7:/var/lib/haproxy/.well-known/acme-challenge$ ll
total 12
drwxr-xr-x 2 root root 4096 Dec 17 15:59 ./
drwxr-xr-x 3 root root 4096 Dec 17 15:47 ../
-rw-r--r-- 1 root root   87 Dec 17 15:59 m0gfYeWQFd-v93rDc0BiVcvvNDZqcvrCpdhcyAB8soY

However, the LE client logs a failure:

Running with virtualenv: /home/viktor/.local/share/letsencrypt/bin/letsencrypt certonly --text --webroot --webroot-path /var/lib/haproxy -d jenkins.woodenstake.se --renew-by-default --agree-tos --email [email protected]
Failed authorization procedure. jenkins.woodenstake.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jenkins.woodenstake.se/.well-known/acme-challenge/ooC51w9ZEvor1ebbHb1E-iPdQuFJwV7rdOjCL2CHH8I [89.253.88.3]: 400

IMPORTANT NOTES:
 - The following 'urn:acme:error:unauthorized' errors were reported by
   the server:

   Domains: jenkins.woodenstake.se
   Error: The client lacks sufficient authorization

If I look at haproxy.log I see:

Dec 17 16:06:39 i7 haproxy[21291]: [acme] served http-01 token: ooC51w9ZEvor1ebbHb1E-iPdQuFJwV7rdOjCL2CHH8I (client-ip: 66.133.109.36)
Dec 17 16:06:39 i7 haproxy[21291]: 66.133.109.36:37618 [17/Dec/2015:16:06:39.508] http http/<lua.acme-http01> 2/0/0/-1/2 502 608 - - PR-- 0/0/0/0/0 0/0 "GET /.well-known/acme-challenge/ooC51w9ZEvor1ebbHb1E-iPdQuFJwV7rdOjCL2CHH8I HTTP/1.1"

502 seems to mean can't serve the file? (the file names differ here just because of different test runs, but they are of course the same)

Any idea on what could be wrong? Permissions on the file to serve maybe?
Edit: nah, seems to be readable all the way up.

Thanks!

Hello @janeczku ,

My infra has 2 haproxy servers, and for each domain I want to apply SSL, I setup the DNS with two A domains to the haproxy servers ips (with keepalived and auto DNS update if one load balancer goes down).

Could you advise on how to use your plugin with that setup?

I have one letsencrypt docker container that I can run on any haproxy server and that can either add/renew certificate. Shoud I:

• run the container to add certificate on one haproxy server then sync the certificate to the other server
  or
• don't use your plugin but instead use a setup like here https://github.com/nmarus/docker-haproxy-certbot where I can set as letsencrypt_http backend only one server so all haproxy servers redirect acme challenge request to a centralized place

Thanks in advance and for providing such a great plugin!