
Renew Cert updates but old cert being used?


I am using HAProxy to forward subdomains to the proper LXD containers. I have multiple containers configured as websites. The method I use to renew Let's Encrypt certs is below and works fine for other subdomains, but for this one (test.streamingworld.us), the expired cert is used. The cert does renew, but the older, expired cert is always used, causing SSL to fail.

certbot certificates yields:
Certificate Name: test.streamingworld.us
Domains: test.streamingworld.us
Expiry Date: 2024-05-27 20:30:36+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/test.streamingworld.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.streamingworld.us/privkey.pem

Here is the haproxy.cfg file:

global
    log 127.0.0.1 syslog debug
    lua-load /etc/haproxy/cors.lua
    maxconn 2000
    tune.ssl.default-dh-param 2048
    user haproxy
    tune.maxrewrite     4096
    group haproxy

    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    timeout tunnel  2h  #this is for websocket connections, 2 hours inactivity timeout
    timeout client-fin 5000
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend http_lb
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/
    #redirect scheme https if !{ ssl_fc } # Added code 301
    http-request redirect scheme https unless { ssl_fc }

    acl testbox hdr(host) -i test.streamingworld.us

    acl acl_letsencrypt path_beg /.well-known/acme-challenge/
    use_backend be_letsencrypt if acl_letsencrypt

    use_backend testenv if testbox

backend be_letsencrypt
    server letsencrypt 127.0.0.1:8888

backend testenv
    balance leastconn
    http-request set-header X-Client-IP %[src]
    redirect scheme https if ! { ssl_fc }
    server testing  10.90.200.247:80 check verify none

I am also posting this to the Let's Encrypt forum.

Your suggestions are most welcome.

Ray
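
Added example, not part of Ray's post: HAProxy's `crt` option expects the certificate and private key in one PEM file and reads it at start or reload, while certbot writes `fullchain.pem` and `privkey.pem` separately, so a renewal can succeed while the combined file HAProxy loads stays old. The check below compares the two; the `<domain>.pem` file name inside `/etc/haproxy/certs/` and the `LIVE_DIR`/`CRT_DIR` overrides are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example: detect a stale combined PEM in HAProxy's crt directory.
# Assumption: the deploy step writes <crt_dir>/<domain>.pem (hypothetical naming).

# Print the first CERTIFICATE block (the leaf) of a PEM file, CRs stripped.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { sub(/\r$/, ""); print }
         /-----END CERTIFICATE-----/ { if (on) exit }' "$1"
}

# True if the file contains a private key block (HAProxy needs cert + key together).
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# check_deployed <certbot fullchain.pem> <haproxy combined pem>
# Returns 0 = current, 1 = stale leaf, 2 = file missing, 3 = no key in combined PEM.
check_deployed() {
    live=$1 deployed=$2
    [ -r "$live" ] && [ -r "$deployed" ] || return 2
    has_private_key "$deployed" || return 3
    [ "$(leaf_cert "$live")" = "$(leaf_cert "$deployed")" ] || return 1
    return 0
}

# Usage: sh check_haproxy_cert.sh test.streamingworld.us
if [ $# -ge 1 ]; then
    domain=$1
    live_dir=${LIVE_DIR:-/etc/letsencrypt/live}
    crt_dir=${CRT_DIR:-/etc/haproxy/certs}
    rc=0
    check_deployed "$live_dir/$domain/fullchain.pem" "$crt_dir/$domain.pem" || rc=$?
    case $rc in
        0) echo "$domain: HAProxy PEM matches the renewed certificate" ;;
        1) echo "$domain: STALE - rebuild the combined PEM and reload HAProxy" ;;
        2) echo "$domain: certificate file missing or unreadable" ;;
        3) echo "$domain: combined PEM has no private key" ;;
    esac
fi
```

A result of 0 with the expired certificate still being served means the file on disk is current and the running HAProxy process has not reloaded it.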
