
3 changed files with 0 additions and 87 deletions
@ -1,87 +0,0 @@ |
|||
# use dehydrated to automatically generate and renew Let's Encrypt certificates for HAproxy |
|||
|
|||
## Install |
|||
|
|||
install `curl`: |
|||
``` |
|||
apt install curl |
|||
``` |
|||
download the dehydrated script to `/usr/local/bin`: |
|||
``` |
|||
cd /usr/local/bin/ |
|||
wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated |
|||
chmod +x dehydrated |
|||
``` |
|||
|
|||
## Configure HAproxy HTTP |
|||
|
|||
we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. The beginning of your web frontend should look like: |
|||
``` |
|||
frontend www |
|||
bind *:80 |
|||
option forwardfor |
|||
|
|||
# Reroute certbot requests to certbot |
|||
use_backend certbot if { path_beg /.well-known/acme-challenge/ } |
|||
|
|||
... |
|||
``` |
|||
and also add a backend: |
|||
``` |
|||
backend certbot |
|||
server certbot localhost:8888 |
|||
``` |
|||
|
|||
## Configure Certbot |
|||
|
|||
We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines: |
|||
``` |
|||
standalone |
|||
# tls-sni challenge is deprecated |
|||
preferred-challenges = http |
|||
http-01-port = 8888 |
|||
deploy-hook = /etc/letsencrypt/deploy-hook.sh |
|||
``` |
|||
We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be: |
|||
``` |
|||
#!/bin/sh |
|||
|
|||
mkdir -p /etc/haproxy/certs |
|||
base=$(basename $RENEWED_LINEAGE) |
|||
cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem |
|||
#etckeeper commit "got new Let's Encrypt certificate for $base" |
|||
service haproxy reload |
|||
``` |
|||
(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable: |
|||
``` |
|||
chmod +x /etc/letsencrypt/deploy-hook.sh |
|||
``` |
|||
|
|||
With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration. |
|||
|
|||
## Get Certificate |
|||
|
|||
Run Certbot to get a certificate: |
|||
``` |
|||
certbot certonly |
|||
``` |
|||
After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you. |
|||
|
|||
## Configure HAproxy HTTPs |
|||
|
|||
Now that you have HTTPs working, you can configure HAproxy for HTTPs. The beginning of your web frontend should now look like: |
|||
``` |
|||
frontend www |
|||
bind *:80 |
|||
bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 |
|||
option forwardfor |
|||
http-request set-header X-Forwarded-Proto https if { ssl_fc } |
|||
|
|||
# Reroute letsencrypt requests to certbot |
|||
use_backend certbot if { path_beg /.well-known/acme-challenge/ } |
|||
|
|||
# Reroute HTTP to HTTPs |
|||
http-request redirect scheme https if !{ ssl_fc } |
|||
|
|||
... |
|||
``` |
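Review bot: the deploy hook at the `cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem` line writes the private key into the combined file under the process's default umask, so the key can end up world-readable; if this guide is being relocated rather than retired (the commit touches 3 files), the replacement should set `umask 077` or `chmod 600` the output, and quote `"$RENEWED_LINEAGE"`. Two other points worth carrying over rather than re-deleting later: the title and Install section are about dehydrated (fetched unpinned from `master/dehydrated` with no checksum), but every subsequent step configures certbot (`/etc/letsencrypt/cli.ini`, `certbot certonly`, `$RENEWED_LINEAGE`), so the page never shows how the downloaded `dehydrated` script is actually used; and in the HTTPS frontend, `http-request redirect scheme https if !{ ssl_fc }` is evaluated before any `use_backend` rule regardless of where it appears, so port-80 ACME requests are redirected to 443 and only reach the certbot backend because the same frontend also routes them there; adding `!{ path_beg /.well-known/acme-challenge/ }` to the redirect condition keeps the HTTP-01 path from depending on the validator following redirects.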