# Use Certbot to automatically generate and renew Let's Encrypt certificates for HAProxy

## Install

Install haproxy & certbot:

```
apt install haproxy certbot
```

## Configure haproxy

We need to configure haproxy to route Let's Encrypt's HTTP-01 challenge requests (which arrive on port 80 under `/.well-known/acme-challenge/`) to certbot's standalone server. Add to your web frontend the directive:

```
frontend www
    bind *:80
    ...
    # Route ACME challenge requests to certbot
    use_backend certbot if { path_beg /.well-known/acme-challenge/ }
```

If this frontend also redirects HTTP to HTTPS, exclude the challenge path from that redirect (e.g. `http-request redirect scheme https unless { path_beg /.well-known/acme-challenge/ }`): HAProxy evaluates `http-request` rules before `use_backend`, so otherwise the challenge request is redirected and validation fails.

Also add a backend. The port is written literally here and must match the `port` value in `/etc/haproxy/certbot.cfg.sh` below (haproxy does not read that file, and it does not understand shell syntax such as `${port:?}` in its configuration):

```
backend certbot
    mode http
    server certbot-1 localhost:8888
```

Then add an update script to `/usr/local/admin/bin/certbot-haproxy`. It obtains or renews the certificates, concatenates each certificate chain and private key into the single file that a `bind *:443 ssl crt /etc/haproxy/certs/` line on the HTTPS frontend expects, and reloads haproxy when something changed (haproxy only reads certificates at start-up or reload). The combined file contains the private key, so it is created root-only:

```
#!/bin/bash

create() {
    # certbot's standalone server listens on $port; haproxy proxies the challenge to it
    certbot certonly --standalone -d "$1" --non-interactive --agree-tos \
        --email "$email" --http-01-port="$port"
}

renew() {
    # Renewals use the same HTTP-01 port; the TLS-SNI-01 challenge no longer exists
    certbot renew --http-01-port="$port"
}

concat() {
    # Only do the concat if the live cert file is newer than the combined file
    if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then
        mkdir -p /etc/haproxy/certs
        # The combined file carries the private key: never let it be world-readable
        (umask 077; cat /etc/letsencrypt/live/$1/fullchain.pem /etc/letsencrypt/live/$1/privkey.pem > /etc/haproxy/certs/$1.pem)
        chmod 600 /etc/haproxy/certs/$1.pem
        #etckeeper commit "got new Let's Encrypt certificate for $1"
        changed=1
    fi
}

# Main Execution
if [[ "${1:-}" != "create" && "${1:-}" != "renew" ]]; then
    echo "Improper argument: expecting \"create\" or \"renew\""
    exit 1
fi

. /etc/haproxy/certbot.cfg.sh

changed=0
for site in "${sites[@]}"; do
    "$1" "$site"
    concat "$site"
done

# haproxy only picks up new certificate files on reload
if [[ $changed -eq 1 ]]; then
    systemctl reload haproxy
fi
```

And don't forget to make it executable:

```
chmod +x /usr/local/admin/bin/certbot-haproxy
```

Run `certbot-haproxy renew` from cron (daily is fine): certbot only contacts Let's Encrypt when a certificate is within 30 days of expiry, and the script reloads haproxy only when a new certificate actually arrived.

Finally, we will make a config file for our certbot script in `/etc/haproxy/certbot.cfg.sh`:

```
#!/bin/bash
# domains certbot should get certificates for
sites=( medusa.alemor.org )
# port that the standalone certbot server should use
# (must match the certbot backend in haproxy.cfg)
port=8888
# email that you will give to Let's Encrypt
email=letsencrypt@mario.alemor.org
```

And make it executable as well (the script sources it, so this is not strictly required, but it is harmless):

```
chmod +x /etc/haproxy/certbot.cfg.sh
```
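The script above decides whether haproxy needs a reload by comparing file timestamps. Certbot can make that decision for us: it runs a "deploy hook" only after a certificate was actually issued or renewed, exporting `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) and `RENEWED_DOMAINS`. The following deploy hook, an added example that is not part of the original page, builds the combined PEM from those variables, compares content rather than mtimes so a restored or re-touched file does not trigger a spurious reload, writes the key-bearing file atomically with mode 0600, and reloads haproxy only on a real change. `HAPROXY_CERT_DIR` and `RELOAD_CMD` are my own variables (overridable so the script can be exercised without root or a running haproxy).

```bash
#!/bin/bash
# Added example (not from the original page): a certbot deploy hook that
# builds HAProxy's combined PEM and reloads HAProxy only when the certificate
# actually changed. HAPROXY_CERT_DIR and RELOAD_CMD are this example's own
# variables, not certbot or haproxy settings.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload haproxy}"

# build_combined_pem LIVE_DIR OUT_FILE
# Concatenates LIVE_DIR/fullchain.pem and LIVE_DIR/privkey.pem into OUT_FILE,
# the layout HAProxy's "crt" expects, written root-only and atomically.
# Returns 0 if OUT_FILE was created or changed, 1 if it was already current,
# 2 if the inputs are missing or unreadable.
build_combined_pem() {
    local live_dir="$1" out_file="$2" out_dir tmp
    local fullchain="$live_dir/fullchain.pem" privkey="$live_dir/privkey.pem"
    if [ ! -r "$fullchain" ] || [ ! -r "$privkey" ]; then
        echo "missing $fullchain or $privkey" >&2
        return 2
    fi
    out_dir=$(dirname "$out_file")
    mkdir -p "$out_dir"
    # Build in a private temp file so a half-written PEM is never visible to
    # haproxy, and the private key is never world-readable even for an instant.
    tmp=$(mktemp "$out_dir/.combined.XXXXXX")
    chmod 0600 "$tmp"
    cat "$fullchain" "$privkey" > "$tmp" || { rm -f "$tmp"; return 2; }
    if [ -e "$out_file" ] && cmp -s "$tmp" "$out_file"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out_file"
    return 0
}

# deploy_hook: entry point when certbot runs this script as a deploy hook.
# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory)
# and RENEWED_DOMAINS (space-separated) for the certificate it just renewed.
deploy_hook() {
    local lineage name rc
    lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE not set; run this via certbot}"
    name=$(basename "$lineage")
    build_combined_pem "$lineage" "$HAPROXY_CERT_DIR/$name.pem" && rc=0 || rc=$?
    case $rc in
        0)
            echo "new certificate for ${RENEWED_DOMAINS:-$name}, reloading haproxy" >&2
            $RELOAD_CMD
            ;;
        1)
            echo "combined PEM for $name already current, no reload" >&2
            ;;
        *)
            return "$rc"
            ;;
    esac
}

# Only act when certbot invoked us; when sourced for testing the variable is absent.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Install it as `/etc/letsencrypt/renewal-hooks/deploy/haproxy.sh` (executable), or pass `--deploy-hook /path/to/haproxy.sh` to the `certbot certonly` call; certbot runs it once per renewed certificate after `certbot renew`. On Debian and Ubuntu the certbot package installs a systemd timer that runs `certbot renew` twice a day, so with the hook in place there is nothing else to schedule.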