Use Certbot to automatically obtain and renew Let's Encrypt certificates for HAProxy
Install
Install haproxy and certbot:
apt install haproxy certbot
Configure HAProxy HTTP
We first need to configure HAProxy to route Let's Encrypt HTTP-01 challenge requests (everything under /.well-known/acme-challenge/) to certbot, which will answer them from its own standalone web server on a local port. HAProxy stays the only process listening on port 80. The beginning of your web frontend should look like:
frontend www
bind *:80
option forwardfor
# Reroute certbot requests to certbot
use_backend certbot if { path_beg /.well-known/acme-challenge/ }
...
and also add a backend that points at the local port certbot's standalone server will listen on (the same port as http-01-port in the Certbot configuration below):
backend certbot
server certbot localhost:8888
Configure Certbot
We also want to configure Certbot so that both the initial request and every automatic renewal use the standalone authenticator on port 8888 and hand the result to HAProxy. Edit the file /etc/letsencrypt/cli.ini and add the lines:
standalone
# tls-sni challenge is deprecated
preferred-challenges = http
http-01-port = 8888
deploy-hook = /etc/letsencrypt/deploy-hook.sh
We also need to add the deploy hook script referenced in the config file, at /etc/letsencrypt/deploy-hook.sh. Certbot runs it after every successful issuance or renewal with RENEWED_LINEAGE set to the lineage directory; the script concatenates the full chain and the private key into the single PEM file HAProxy expects. The contents of the script should be:
#!/bin/sh
# Certbot deploy hook: runs after every successful issuance or renewal.
# certbot sets RENEWED_LINEAGE to the lineage directory, e.g. /etc/letsencrypt/live/<name>
set -eu
mkdir -p /etc/haproxy/certs
umask 077   # the combined file contains the private key: create it root-only (0600)
base=$(basename "$RENEWED_LINEAGE")
cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "/etc/haproxy/certs/$base.pem"
#etckeeper commit "got new Let's Encrypt certificate for $base"
service haproxy reload
(Uncomment the etckeeper line if you are using etckeeper to store your configuration.) The combined file holds the private key, so it must not be world-readable; the umask above creates it with mode 0600, which is enough because HAProxy reads its certificates as root before dropping privileges. Don't forget to make the script executable:
chmod +x /etc/letsencrypt/deploy-hook.sh
With this configuration you can run certbot to obtain a certificate, and the renewal cron job or systemd timer installed with the certbot package will use the same settings, so renewals reach HAProxy without further intervention. You can exercise the challenge routing against the staging environment with certbot renew --dry-run once a certificate exists; note that deploy hooks are not run during a dry run, so the HAProxy side is only tested by a real issuance or renewal.
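As an added example (not part of the original page), the following script performs the same fullchain + privkey combination for every lineage under /etc/letsencrypt/live at once. This is useful when certificates already existed before the deploy hook was installed (the hook only fires on issuance and renewal) or when /etc/haproxy/certs has to be rebuilt, for example after a restore. The function names combine_lineage and combine_all, the temporary-file naming and the default paths are this example's own assumptions; haproxy -c -f validates the configuration before the reload so a bad PEM cannot take HTTPS down.

```shell
#!/bin/sh
# Combine every certbot lineage into a HAProxy-style PEM (fullchain followed by privkey).
# Assumed layout: <live_dir>/<name>/{fullchain.pem,privkey.pem} -> <out_dir>/<name>.pem
set -eu

# combine_lineage <lineage_dir> <out_dir>
# Writes <out_dir>/<basename>.pem with mode 0600; returns 1 if either input is missing or empty.
combine_lineage() {
    lineage=$1
    out_dir=$2
    name=$(basename "$lineage")
    if [ ! -s "$lineage/fullchain.pem" ] || [ ! -s "$lineage/privkey.pem" ]; then
        echo "skipping $name: missing fullchain.pem or privkey.pem" >&2
        return 1
    fi
    mkdir -p "$out_dir"
    tmp="$out_dir/.$name.pem.tmp"
    # The private key goes into this file, so it is created root-only (umask 077)
    # before any data is written, then renamed in place: the final path is
    # never half-written when HAProxy reloads.
    (umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp")
    chmod 600 "$tmp"
    mv -f "$tmp" "$out_dir/$name.pem"
}

# combine_all <live_dir> <out_dir>
# Combines every lineage directory under live_dir (files such as README are skipped)
# and prints the number of lineages successfully combined.
combine_all() {
    live=$1
    out=$2
    count=0
    for d in "$live"/*/; do
        [ -d "$d" ] || continue
        combine_lineage "${d%/}" "$out" && count=$((count + 1))
    done
    echo "$count"
}

main() {
    live=${1:-/etc/letsencrypt/live}
    out=${2:-/etc/haproxy/certs}
    n=$(combine_all "$live" "$out")
    echo "combined $n lineage(s) into $out"
    # Validate the configuration before reloading; a broken PEM would otherwise
    # be noticed only when the new HAProxy process fails to start.
    haproxy -c -f /etc/haproxy/haproxy.cfg && service haproxy reload
}

# Run only when invoked with arguments (live dir, certs dir), so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: sh combine-certs.sh /etc/letsencrypt/live /etc/haproxy/certs as root. Lineages missing either file are reported on stderr and skipped rather than producing a PEM without a key, which HAProxy would reject at reload.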
Get Certificate
Make sure HAProxy is already running with the frontend above, so that the challenge request for port 80 is forwarded to certbot on port 8888, then run Certbot to get a certificate (it prompts for the domain names unless you pass them with -d):
certbot certonly
After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in /etc/haproxy/certs/ for you.
Configure HAProxy HTTPS
Now that you have a certificate, you can configure HAProxy for HTTPS. The certificate had to exist before this step, because an ssl bind needs something to load from the crt directory; HAProxy picks the certificate by SNI from whatever PEM files are in that directory. The beginning of your web frontend should now look like:
frontend www
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Reroute Let's Encrypt requests to certbot
use_backend certbot if { path_beg /.well-known/acme-challenge/ }
# Redirect plain HTTP to HTTPS, except for ACME challenges. http-request rules
# are evaluated before use_backend, so without the second condition the
# challenge would be redirected as well (Let's Encrypt does follow redirects,
# but the validation should not depend on that).
http-request redirect scheme https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }
...