Let's encrypt with haproxy
Install HAProxy:
Latest stable 1.6:
sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
Haproxy plugin for webroot validation:
I used this haproxy plugin to be able to serve simple files so that I can use the "webroot" validation protocol of the letsencrypt client:
https://github.com/janeczku/haproxy-acme-validation-plugin
So I just download the .lua file into my /etc/haproxy/
:
sudo wget https://raw.githubusercontent.com/janeczku/haproxy-acme-validation-plugin/master/acme-http01-webroot.lua /etc/haproxy
then I add the following to my /etc/haproxy/haproxy.cfg
:
global
lua-load /etc/haproxy/acme-http01-webroot.lua
frontend http
acl url_acme_challenge path_beg /.well-known/acme-challenge/
http-request use-service lua.acme-http01 if METH_GET url_acme_challenge
Letsencrypt client:
https://github.com/letsencrypt/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Now I can run my letsencrypt command:
(during test add --test-cert --break-my-certs
)
sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se
So this puts challenge response files in /var/lib/haproxy
that the lua-plugin then serves to the letsencrypt requests coming in, proving that I own the domains.
Concat the SAN cert:
sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null
and reload haproxy:
sudo service haproxy reload
Now all my address bars are green, yey!
Caveats:
-
check
(health check) on server fails for 403 if not logged in which marks server as down. Don't know if there's solution for this. Probably: -
https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#http-check expect
-
I can't seem to figure out why my SAN cert gets put into
repo.woodenstake.se
subfolder: https://github.com/letsencrypt/letsencrypt/issues/1946#issuecomment-167810408 -
Cannot use forwardfor globally since this will break: https://github.com/janeczku/haproxy-acme-validation-plugin/issues/1#issuecomment-165721178
-
I had to add extra clauses to my backend switches or they took prio over the lua-plugin: https://github.com/janeczku/haproxy-acme-validation-plugin/issues/2#issuecomment-167803265
TODO:
- cronjob to update my certs
For completeness, here's almost my entire haproxy.cfg at the point when I publish this:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
crt-base /etc/letsencrypt/live
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
lua-load /etc/haproxy/acme-http01-webroot.lua
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http
mode http
bind *:80
option httplog
# Letsencrypt: https://github.com/janeczku/haproxy-acme-validation-plugin
acl url_acme_challenge path_beg /.well-known/acme-challenge/
http-request use-service lua.acme-http01 if METH_GET url_acme_challenge
redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }
acl host_blog hdr(host) -i blog.woodenstake.se
use_backend ghost if host_blog !url_acme_challenge
frontend https
mode http
bind *:443 ssl crt /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem
# Define hosts based on domain names
acl host_jenkins hdr(host) -i jenkins.woodenstake.se
acl host_repo hdr(host) -i repo.woodenstake.se
acl host_jenkins_nas hdr(host) -i jenkins-nas.woodenstake.se
acl host_transmission hdr(host) -i transmission.woodenstake.se
acl host_blog hdr(host) -i blog.woodenstake.se
acl host_docker hdr(host) -i docker.woodenstake.se
use_backend jenkins if host_jenkins
use_backend nexus if host_repo
use_backend jenkins_nas if host_jenkins_nas
use_backend transmission_nas if host_transmission
use_backend ghost if host_blog
use_backend docker if host_docker
backend jenkins
mode http
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server jenkins_backend 127.0.0.1:8080
backend nexus
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server nexus_backend 127.0.0.1:8081
backend jenkins_nas
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server jenkins_nas_backend 10.0.1.30
backend transmission_nas
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server jenkins_nas_backend 10.0.1.30:8181
backend ghost
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server ghost_docker 127.0.0.1:2368
backend docker
mode http
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server docker_registry 127.0.0.1:5000
Update 20170406:
Installed certbot and now:
sudo certbot certonly --text --webroot --webroot-path /var/lib/haproxy --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se
sudo cat /etc/letsencrypt/live/transmission.woodenstake.se/privkey.pem /etc/letsencrypt/live/transmission.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/woodenstake.se/haproxy.pem > /dev/null
sudo haproxy reload
to renew.