Channel: HAProxy community - Latest topics

Configuration help challenge HTTP-01 ACME


Hi,
I am asking for your help to configure my HAProxy configuration file (version 2.8.5-1~bpo12+1 2023/12/09).
I have two services that use the ACME HTTP-01 challenge, and all the others use the DNS-01 challenge. With the latter (DNS-01), the certificates are renewed without problem. I tried to follow this thread for HTTP-01 without success: ACME Challenge Passthrough.
Here is my HAProxy config; I left in the domains for which the renewal fails:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user haproxy
    group haproxy
    log /dev/log local6 notice
    log /dev/log local5 info
    maxconn 100000
    chroot /var/lib/haproxy
    pidfile /run/haproxy.pid
    stats socket /var/run/haproxy/admin.sock mode 777 level admin

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    option tcplog
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats hide-version
    stats uri /stats
    stats realm HAProxy-Statistics
    stats auth LOGIN:SECRET
    stats refresh 30s
    stats admin if TRUE

#---------------------------------------------------------------------
# Frontend to redirect HTTP to HTTPS with code 301
#---------------------------------------------------------------------
frontend http-redirect
    mode http
    bind :80 v4v6
    http-request redirect scheme https code 301

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind :443 v4v6
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------

    # -------------------------------
    # ACLs
    # -------------------------------
    acl acl_mailcowdatanetwork req.ssl_sni -i mail.example1.cloud www.mail.example1.cloud
    acl acl_mailcowboubou req.ssl_sni -i mail.example2.me www.mail.example2.me

    # -------------------------------
    # Conditions
    # -------------------------------
    use_backend backend_mailcowdatanetwork if acl_mailcowdatanetwork
    use_backend backend_mailcowboubou if acl_mailcowboubou

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
backend backend_mailcowdatanetwork
    description MAILCOW DATANETWORK
    mode tcp
    option ssl-hello-chk
    server server_mailcowdatanetwork 192.168.1.7:443

backend backend_mailcowboubou
    description MAILCOW BOUBOU
    mode tcp
    option ssl-hello-chk
    server server_mailcowboubou 192.168.1.7:443

Thanks for your help

2 posts - 2 participants
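The configuration above answers every request on port 80 with a 301 to HTTPS, and the HTTP-01 challenge is precisely a plain-HTTP fetch of /.well-known/acme-challenge/<token> on port 80, so the validator never reaches the host that holds the token. The fragment below is an added example (not the poster's config and not from the linked thread): it replaces only the http-redirect frontend, lets challenge requests for the two HTTP-01 domains through in clear text, and keeps the 301 for everything else. It assumes the mailcow stack at 192.168.1.7 (the address already used for the 443 passthrough) serves the challenge on port 80; the backend name backend_mailcow_acme and the ACL names are placeholders.

```haproxy
#---------------------------------------------------------------------
# Port 80: pass ACME HTTP-01 requests through, redirect everything else
#---------------------------------------------------------------------
frontend http-redirect
    mode http
    bind :80 v4v6
    option httplog
    log global

    # HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>
    acl acl_acme_challenge path_beg /.well-known/acme-challenge/

    # Only the two domains that use HTTP-01 get their challenge traffic
    # forwarded; any other Host header still receives the redirect below.
    acl acl_mailcowdatanetwork_http hdr(host) -i mail.example1.cloud www.mail.example1.cloud
    acl acl_mailcowboubou_http      hdr(host) -i mail.example2.me www.mail.example2.me

    # http-request rules run before use_backend, so the redirect must
    # explicitly skip the challenge path or it fires first.
    http-request redirect scheme https code 301 unless acl_acme_challenge

    use_backend backend_mailcow_acme if acl_acme_challenge acl_mailcowdatanetwork_http
    use_backend backend_mailcow_acme if acl_acme_challenge acl_mailcowboubou_http

#---------------------------------------------------------------------
# Plain-HTTP backend for the challenge responder
#---------------------------------------------------------------------
backend backend_mailcow_acme
    description MAILCOW ACME HTTP-01 responder
    mode http
    # Assumption (not confirmed by the post): the mailcow host that requests
    # the certificate serves the challenge on port 80 at this address.
    server server_mailcow_acme 192.168.1.7:80
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the path is no longer redirected, request `http://<haproxy-address>/.well-known/acme-challenge/test` with a `Host: mail.example1.cloud` header: the answer should be whatever the mailcow responder returns (a 404 for an unknown token), not a 301, while a request for any other path or any other host still gets the 301. Keeping the challenge path limited to the two HTTP-01 domains means the 301 behaviour of the existing setup is unchanged for every DNS-01 service.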
