How to set up/manage services on a computer

Use Certbot to automatically generate and renew Let's Encrypt certificates for HAProxy

Install

install haproxy & certbot:

apt install haproxy certbot

Configure HAProxy

We need to configure HAProxy to reroute Let's Encrypt validation requests (the HTTP-01 challenge under /.well-known/acme-challenge/) to the standalone certbot server. Add the following directive to your web frontend:

frontend www
        bind *:80

        ...

        # Reroute certbot requests to certbot
        use_backend certbot if { path_beg /.well-known/acme-challenge/ }

and also add a backend (replace ${port:?} with the port you set for the standalone certbot server in the config file below, 8888):

backend certbot
        mode http
        server certbot-1 localhost:${port:?}

and then add an update script to /usr/local/admin/bin/certbot-haproxy:

#!/bin/bash
# Wrapper around certbot for sites behind HAProxy.
# Usage: certbot-haproxy create|renew

create() {
        # First issuance: the standalone certbot server answers the HTTP-01
        # challenge on $port, which HAProxy forwards via the certbot backend
        certbot certonly --standalone -d "$1" --non-interactive --agree-tos --email "$email" --http-01-port="$port"
}

renew() {
        # The tls-sni-01 challenge and its --tls-sni-01-port flag were removed
        # from certbot; renewals answer HTTP-01 on the same port as issuance.
        # Note that "certbot renew" renews every due lineage, not only $1.
        certbot renew --http-01-port="$port"
}

concat() {
        # Only do the concat if the live cert file is newer than the combined file
        if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then
                mkdir -p /etc/haproxy/certs
                cat "/etc/letsencrypt/live/$1/fullchain.pem" "/etc/letsencrypt/live/$1/privkey.pem" > "/etc/haproxy/certs/$1.pem"
                # the combined file contains the private key: root-only
                chmod 600 "/etc/haproxy/certs/$1.pem"
                #etckeeper commit "got new Let's Encrypt certificate for $1"
        fi
}

# Main Execution
if [[ (-z $1) || ("$1" != "create" && "$1" != "renew") ]]; then
        echo "Improper argument: expecting \"create\" or \"renew\""
        exit 1
fi

# load sites, port and email
. /etc/haproxy/certbot.cfg.sh

for site in "${sites[@]}"; do
        $1 "$site"
        concat "$site"
done

and don't forget to make it executable:

chmod +x /usr/local/admin/bin/certbot-haproxy

finally, we will make a config file for our certbot script in /etc/haproxy/certbot.cfg.sh:

#!/bin/bash

# domains certbot should get certificates for
sites=(
        medusa.alemor.org
)

# port that the standalone certbot server should use
port=8888

# email that you will give to Let's Encrypt
email=letsencrypt@mario.alemor.org

and make it executable as well:

chmod +x /etc/haproxy/certbot.cfg.sh