
How can I use the Let's Encrypt cert manager with an HAProxy load balancer? I need to implement a custom domain feature on my SaaS application. Everything is working fine except the SSL. How can I implement it? Using HAProxy as a load balancer.

SRN

2 Answers


Here is a possible solution, the easiest in my opinion. It uses HAProxy Community and the Certbot client.

  1. Install the Certbot client on a separate server and develop a REST API to interact with the client. Here you will be able to integrate your application with Certbot to generate the certificates.

  2. Create a directory on HAproxy server to store the certificates. Install NFS on the server and mount this directory on Certbot server. When generating certs with Certbot, deploy to this mount point.

  3. Create a deployment script for Certbot so it reloads Haproxy service when a new cert is deployed.

  4. Schedule a task on Certbot server so it runs a renewal process once a day.

If you don't like the Certbot client, you can develop a client yourself. I am developing one right now in Scala to integrate with my e-commerce platform, it's not that hard.

Andre Fagundes
  • It's working when I use test.com and www.test.com. But when I access www.test.com as www.example.com by adding a CNAME, I get an SSL issue. In my HAProxy I have acl host_star hdr_end(host) -i .test.com. If I use a CNAME, I need to add an acl like acl host_star hdr_end(host) -i .example.com to verify DNS when creating SSL with Let's Encrypt. For each new custom domain, I need to update the acl on HAProxy to create SSL. How can I solve it? – SRN Jan 13 '20 at 12:45
  • All domain names must be included in the certificate as subject alternative names. – Andre Fagundes Jan 13 '20 at 13:20
  • Fagundes, can I create multiple SSL certs without configuring multiple server names on HAProxy? Otherwise I need to add each domain name in the HAProxy config file before creating a free SSL cert. – SRN Jan 14 '20 at 09:17
  • Not sure if I understood your question, but if you have multiple certificate files, you can put them in a single directory. Each cert file name must contain the domain name. Then you can configure haproxy to read the certs from that directory. If this is what you are looking for, please let me know, I can provide you a sample config file. – Andre Fagundes Jan 14 '20 at 20:46
  • **frontend https-in: bind *:443 ssl crt-list /etc/ssl/private/crt-list.txt** Like this I have done. But I'm facing an issue when I create multiple SSL certs. For example, if I create SSL on nginx, I need to configure the same domain in the virtualhost. Same as in HAProxy, I need to configure the particular domain name in the HAProxy config. Otherwise the SSL didn't get created. How can I solve this? – SRN Jan 15 '20 at 04:59
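Steps 2 and 3 of this answer (a shared certificate directory and a script that reloads HAProxy once a new certificate lands) as an added example; this is not code from the answer, from Certbot or from HAProxy. It assumes Certbot's --deploy-hook interface, which exports RENEWED_LINEAGE and RENEWED_DOMAINS to the hook, a certificate directory of /etc/haproxy/ssl (assumed; overridable with HAPROXY_CERT_DIR) and that the hook runs on the host where HAProxy runs. In the answer's layout, with Certbot on a separate server and the directory NFS-mounted, the reload part would have to be triggered on the HAProxy host instead.

```shell
#!/bin/sh
# Added example (not from the answer above): a certbot deploy hook that builds the
# single PEM file HAProxy expects (fullchain + private key), drops it into the
# directory that "bind ... ssl crt <dir>" points at, then validates the HAProxy
# configuration and reloads HAProxy. All paths are assumptions.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/ssl}"   # assumed NFS-shared dir
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"     # assumed config path

# bundle_cert <lineage_dir> <out_dir>
# Concatenates <lineage_dir>/fullchain.pem and privkey.pem into <out_dir>/<name>.pem,
# where <name> is the lineage directory name (e.g. test.com). The file is written
# under umask 077 and moved into place atomically, because it now holds the private
# key and HAProxy may be reading the directory at any moment. Prints the bundle path.
bundle_cert() {
    lineage="$1"; out_dir="$2"
    name=$(basename "$lineage")
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "bundle_cert: $lineage lacks fullchain.pem or privkey.pem" >&2
        return 1
    }
    mkdir -p "$out_dir"
    umask 077
    tmp="$out_dir/.$name.pem.tmp"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    mv -f "$tmp" "$out_dir/$name.pem"
    printf '%s\n' "$out_dir/$name.pem"
}

# reload_haproxy
# Reloads only if the configuration (including every file in the crt directory)
# still parses, so a damaged bundle cannot take the load balancer down.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG" && systemctl reload haproxy
}

# Certbot runs this script as --deploy-hook after a successful issue/renew and sets
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/test.com). Nothing happens when the
# script is sourced or run by hand without that variable.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle_cert "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR"
    reload_haproxy
fi
```

Step 4 (the daily renewal) then becomes one cron entry on the Certbot server, for example 0 3 * * * certbot renew --deploy-hook /usr/local/bin/haproxy-deploy.sh (script path assumed); certbot renew only runs the hook for lineages it actually renewed, so HAProxy is reloaded only when a bundle changed.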

I tried to define the steps. Reduced from a larger script; if you get an error please write here so I can fix it.

Prerequisites:

  1. haproxy installed, for example here: IP is 200.200.200.200
  2. domain DNS acquired and directed to haproxy, for example here: test.com
  3. http is working; if this is working then the whole web chain is working
  4. letsencrypt installed and with an account
  5. possible to stop haproxy and have the site down

Steps:

  1. clean up old folders in /etc/letsencrypt that contain test.com:

    rm -rf *test.com*

  2. stop haproxy

  3. run the commands:

    certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d test.com

    certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d www.test.com

  4. check if all is ok:

    root@200.200.200.200:/etc/letsencrypt/renewal# cat www.test.com.conf

    should be:

    #renew_before_expiry = 30 days
    version = 0.22.2
    archive_dir = /etc/letsencrypt/archive/www.test.com
    cert = /etc/letsencrypt/live/www.test.com/cert.pem
    privkey = /etc/letsencrypt/live/www.test.com/privkey.pem
    chain = /etc/letsencrypt/live/www.test.com/chain.pem
    fullchain = /etc/letsencrypt/live/www.test.com/fullchain.pem

    # Options used in the renewal process
    [renewalparams]
    http01_port = 80
    installer = None
    pref_challs = http-01,
    account = YOUR_ACCOUNT
    authenticator = standalone

  5. create the folders /etc/letsencrypt/live/www.test.com and /etc/letsencrypt/live/test.com

  6. create the link files to the archive files:

    # run from inside /etc/letsencrypt/live/test.com, since the link targets are relative
    ln -s ../../archive/test.com/cert1.pem cert.pem
    ln -s ../../archive/test.com/chain1.pem chain.pem
    ln -s ../../archive/test.com/fullchain1.pem fullchain.pem
    # certbot's own name for the key link is privkey.pem (see privkey = ... in the renewal conf above)
    ln -s ../../archive/test.com/privkey1.pem privkey.pem

  7. copy the certificate to haproxy:

    cat fullchain.pem privkey.pem > /etc/haproxy/ssl/test.com-fullchain.pem

    the same for www

  8. add in haproxy an ssl frontend:

    frontend test_com_ssl
      bind *:443 ssl crt /etc/haproxy/ssl/ ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
      default_backend test_com

    the backend can be the same as for the http frontend

  9. restart haproxy, check if the certificate is active

To check the expiry date of the certificate, type:

    openssl x509 -enddate -noout -in test.com-fullchain.pem

TO DO: not covered how to renew, hope to do this in the future

detzu
  • It's working when I use test.com and **www.test.com**. But when I access **www.test.com** as **www.example.com** by adding a CNAME, I get an SSL issue. In my HAProxy I have **acl host_star hdr_end(host) -i .test.com**. If I use a CNAME, I need to add an acl like **acl host_star hdr_end(host) -i .example.com** to verify DNS when creating SSL with Let's Encrypt – SRN Jan 13 '20 at 12:38
  • SSL can work only with www.test.com, no chance with www.example.com. You need to run all the steps for www.example.com; every site has its own certificate. There are really special certificates covering multiple sites, but not from Let's Encrypt. Happy I helped. Please mark the answer as the response – detzu Jan 18 '20 at 04:25
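An added check for steps 7 and 9 of this answer and for its TO DO about renewal; it is not code from the answer. It verifies that every bundle in /etc/haproxy/ssl/ (the answer's own path) really carries a certificate chain plus exactly one private key before HAProxy is restarted, and prints each certificate's expiry with the openssl x509 -enddate command from the answer. The function names and the HAPROXY_CERT_DIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the answer above: sanity-checks the PEM bundles that
# "cat fullchain.pem privkey.pem > /etc/haproxy/ssl/..." produced, so a half-made
# file is caught before "restart haproxy". Everything except /etc/haproxy/ssl is
# an assumption.
set -eu

# check_bundle <file>
# HAProxy loads one PEM file per site that must hold the chain and its private key
# together, so a usable bundle has at least one CERTIFICATE block and exactly one
# PRIVATE KEY block. Returns 0 when usable, 1 otherwise (reason on stderr).
check_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    if [ "$certs" -lt 1 ]; then
        echo "$f: no certificate block (was fullchain.pem included?)" >&2
        return 1
    fi
    if [ "$keys" -ne 1 ]; then
        echo "$f: expected exactly one private key block, found $keys" >&2
        return 1
    fi
    return 0
}

# cert_expiry <file>
# The answer's expiry check: prints the notAfter date of the first certificate in
# the bundle, or "unknown" when openssl is missing or cannot parse the file.
cert_expiry() {
    exp=""
    if command -v openssl >/dev/null 2>&1; then
        exp=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null | sed 's/^notAfter=//') || true
    fi
    echo "${exp:-unknown}"
}

# check_cert_dir <dir>
# Checks every *.pem bundle in the directory that "bind ... ssl crt <dir>" points at
# and prints one line per file (OK/BAD, path, expiry). Returns the number of bad files.
check_cert_dir() {
    dir="$1"; bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue            # no bundles in the directory yet
        if check_bundle "$f"; then
            echo "OK  $f expires $(cert_expiry "$f")"
        else
            echo "BAD $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Runs against the real directory only when HAPROXY_CERT_DIR is set, e.g.
#   HAPROXY_CERT_DIR=/etc/haproxy/ssl sh check-haproxy-certs.sh
if [ -n "${HAPROXY_CERT_DIR:-}" ]; then
    check_cert_dir "$HAPROXY_CERT_DIR"
fi
```

Run it before the restart in step 9 and again after every renewal. On the comment thread above: with bind *:443 ssl crt /etc/haproxy/ssl/ HAProxy loads every bundle in that directory and picks one by the SNI name the client sends, so a new custom domain needs a new bundle in the directory rather than a new host acl. For issuance, the HTTP-01 challenge is only ever requested under /.well-known/acme-challenge/ on port 80, so a path_beg acl on the port-80 frontend that forwards that path to a certbot listener (certbot --standalone with --http-01-port on another port) works for any hostname and removes prerequisite 5, stopping HAProxy.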