Get Let's Encrypt certs with HAProxy and Nginx

Get Let's Encrypt certs with HAProxy and Nginx

let's encrypt with haproxy & nginx

I have used Nginx virtual host to get Let’s Encrypt SSL certificates, it’s easy and straightforward. However, when HAProxy was added in front of Nginx, some issues arises. So let’s see how to deal with this.

The problems

Let’s Encrypt authorizes a certificate for a server by requesting a file via an HTTP(S) request. However, HAProxy is not a web server like that Nginx does. It won’t serve files by itself - it will only redirect a request to another server. And the “another server” will configured to Nginx here.

HAProxy setup

When we request a new certificate, Let’s Encrypt will request the authorization file (a URI like /.well-known/acme-challenge/random-hash-here). This request will happen over port 80. Within HAProxy, we need to set an acl if the incoming HTTP request contains the string /.well-known/acme-challenge, and route the request to Nginx (let’s say it’s listening on port 8888).

frontend http_frontend
    bind *:80
    mode http
    tcp-request inspect-delay 10s

    # Let's Encrypt certbot path
    acl certbot-acl path_beg /.well-known/acme-challenge/

    use_backend letsencrypt if certbot-acl

backend letsencrypt
    mode http
    server nginx localhost:8888 check

Reload HAProxy to make the configurations take effect (sudo systemctl reload haproxy).

Nginx setup

Here is the relevant Nginx config:


server {
    listen 8888;
    listen [::]:8888;
    root /var/www/html;

    location ~ /.well-known/acme-challenge {
        allow all;

Notice that the default Nginx server should not listening on port 80 since HAProxy will use it.

New certificates

Run the following command to generate new certificates from Let’s Encrypt:

sudo certbot certonly -d \
    --non-interactive --agree-tos --email \
    --webroot -w /var/www/html

It will put the new certificate files into /etc/letsencrypt/live if everything worked.

Renew certificates

Renew the certs is also easy:

sudo certbot renew -d \
    --webroot -w /var/www/html

Okay, this is how to put these three services all together.

Ads by Google


Frank Lin

Hey, there! This is Frank Lin (@flinhong), one of the 1.41 billion . This 'inDev. Journal' site holds the exploration of my quirky thoughts and random adventures through life. Hope you enjoy reading and perusing my posts.


Setup an IKEv2 server with strongSwan



Setup an IKEv2 server with strongSwan

IKEv2, or Internet Key Exchange v2, is a protocol that allows for direct IPSec tunnelling between networks. It is developed by Microsoft and Cisco (primarily) for mobile users, and introduced as an updated version of IKEv1 in 2005. The IKEv2 MOBIKE (Mobility and Multihoming) protocol allows the client to main secure connection despite network switches, such as when leaving a WiFi area for a mobile data area. IKEv2 works on most platforms, and natively supported on some platforms (OS X 10.11+, iOS 9.1+, and Windows 10) with no additional applications necessary.


Ads by Google