
3 changed files with 0 additions and 87 deletions
@ -1,87 +0,0 @@ |
|||||
# use dehydrated to automatically generate and renew Let's Encrypt certificates for HAproxy |
|
||||
|
|
||||
## Install |
|
||||
|
|
||||
install `curl`: |
|
||||
``` |
|
||||
apt install curl |
|
||||
``` |
|
||||
download the dehydrated script to `/usr/local/bin`: |
|
||||
``` |
|
||||
cd /usr/local/bin/ |
|
||||
wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated |
|
||||
chmod +x dehydrated |
|
||||
``` |
|
||||
|
|
||||
## Configure HAproxy HTTP |
|
||||
|
|
||||
we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. The beginning of your web frontend should look like: |
|
||||
``` |
|
||||
frontend www |
|
||||
bind *:80 |
|
||||
option forwardfor |
|
||||
|
|
||||
# Reroute certbot requests to certbot |
|
||||
use_backend certbot if { path_beg /.well-known/acme-challenge/ } |
|
||||
|
|
||||
... |
|
||||
``` |
|
||||
and also add a backend: |
|
||||
``` |
|
||||
backend certbot |
|
||||
server certbot localhost:8888 |
|
||||
``` |
|
||||
|
|
||||
## Configure Certbot |
|
||||
|
|
||||
We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines: |
|
||||
``` |
|
||||
standalone |
|
||||
# tls-sni challenge is deprecated |
|
||||
preferred-challenges = http |
|
||||
http-01-port = 8888 |
|
||||
deploy-hook = /etc/letsencrypt/deploy-hook.sh |
|
||||
``` |
|
||||
We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be: |
|
||||
``` |
|
||||
#!/bin/sh |
|
||||
|
|
||||
mkdir -p /etc/haproxy/certs |
|
||||
base=$(basename $RENEWED_LINEAGE) |
|
||||
cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem |
|
||||
#etckeeper commit "got new Let's Encrypt certificate for $base" |
|
||||
service haproxy reload |
|
||||
``` |
|
||||
(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable: |
|
||||
``` |
|
||||
chmod +x /etc/letsencrypt/deploy-hook.sh |
|
||||
``` |
|
||||
|
|
||||
With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration. |
|
||||
|
|
||||
## Get Certificate |
|
||||
|
|
||||
Run Certbot to get a certificate: |
|
||||
``` |
|
||||
certbot certonly |
|
||||
``` |
|
||||
After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you. |
|
||||
|
|
||||
## Configure HAproxy HTTPs |
|
||||
|
|
||||
Now that you have HTTPs working, you can configure HAproxy for HTTPs. The beginning of your web frontend should now look like: |
|
||||
``` |
|
||||
frontend www |
|
||||
bind *:80 |
|
||||
bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 |
|
||||
option forwardfor |
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc } |
|
||||
|
|
||||
# Reroute letsencrypt requests to certbot |
|
||||
use_backend certbot if { path_beg /.well-known/acme-challenge/ } |
|
||||
|
|
||||
# Reroute HTTP to HTTPs |
|
||||
http-request redirect scheme https if !{ ssl_fc } |
|
||||
|
|
||||
... |
|
||||
``` |
|
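Review bot: the deploy hook in the removed hunk (`cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem`) writes the private key into a file created under the caller's default umask, so with the usual 022 it ends up world-readable; if this text survives elsewhere, the script should start with `umask 077` (or `chmod 600` the result) and quote `"$RENEWED_LINEAGE"` and `"$base"`. Second, in the HTTPS frontend `http-request redirect scheme https if !{ ssl_fc }` is placed below the `use_backend certbot` rule under a comment that suggests ACME requests are handled first, but HAProxy evaluates `http-request` rules before `use_backend` selection regardless of their order in the section, so ACME requests on port 80 are redirected too and validation only succeeds if the CA follows the redirect to 443; the redirect condition should add `!{ path_beg /.well-known/acme-challenge/ }`. Finally, the heading names dehydrated while every step after the install uses Certbot (`/etc/letsencrypt/cli.ini`, `certbot certonly`), so the downloaded `dehydrated` script is never used.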