Let’s Encrypt With HaProxy

Overview

EFF's goal of encrypting the Internet has spawned a project that issues TLS certificates for free. This is a great idea: it opens up certificates to everyone, not just to those with money. To limit the damage if a certificate is misused, EFF has imposed a 90 day lifetime on the certificates it issues, which means some level of automation is required to make sure certificates are renewed on time.

Certbot

EFF has released software called Certbot to handle certificate management. It is readily available on a variety of Linux distributions. This post walks through the process on Ubuntu.

Certbot was primarily designed to work with web servers such as Apache. This can be seen from the installer plugins that are available out of the box to configure the target software with the issued certificate; there is no such plugin for HaProxy, so the certificate has to be installed by hand.

Install Certbot

Add the Certbot package repository:
sudo add-apt-repository ppa:certbot/certbot -y

Update the package index so the repository added by the previous command is picked up:
sudo apt-get update

Install Certbot:
sudo apt install certbot -y

Generating Certificate

Certbot in standalone mode requires port 443 (HTTPS) to be free so that it can answer the certificate issuing server's challenge. If a web server or HaProxy is running on this port, make sure it is stopped before continuing. Once the certificate has been issued, the port is no longer required by Certbot. Setting up HaProxy itself is beyond the scope of this article.

Run Certbot and go through the prompts:
sudo certbot certonly

  1. Select option 2 (standalone).
  2. Enter your email address. It will be used to notify you when certificates are due for renewal and to recover certificates in the future.
  3. Read the terms of service and agree or disagree.
  4. Type the domains to issue certificates for. They must match exactly, separated by a comma or a space. For example: dannytsang.co.uk www.dannytsang.co.uk

If successful, Certbot creates the certificate files in /etc/letsencrypt/live/[domain]/, where [domain] is the first domain name you entered.

HaProxy

HaProxy needs a single combined file containing the certificate chain followed by the private key. The command below assumes the combined certificates are kept in /etc/haproxy/certs and that [domain] is the domain name:
DOMAIN='[domain]' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'

This creates a [domain].pem file in /etc/haproxy/certs. Because the file contains the private key, it should be readable only by root (for example chmod 600).

Configure HaProxy to use the combined certificate file (the crt parameter of an ssl bind line, pointing at the .pem file or at the /etc/haproxy/certs directory).
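The one-line cat above works, but it leaves the private key world-readable for a moment and gives no feedback if one of the inputs is missing. The script below is an added example, not code from the original post or from Certbot or HaProxy: it builds the combined PEM with a restrictive mode from the start, checks that both a certificate and a private key ended up in the file, optionally verifies that the key matches the certificate, and reloads HaProxy. The paths /etc/letsencrypt/live, /etc/haproxy/certs and the systemctl reload command are assumptions matching the layout used in this post; the RENEWED_LINEAGE variable is the one Certbot exports to deploy hooks, which is what makes the same script usable for the renewal problem mentioned in the summary.

```shell
#!/bin/sh
# Added example (not from the original post): build the combined PEM that
# HAProxy expects from a Let's Encrypt lineage, verify it, lock it down,
# and reload HAProxy. Safe to use as a certbot deploy hook.
#
# Assumed layout (adjust to taste):
#   /etc/letsencrypt/live/<domain>/{fullchain.pem,privkey.pem}   (certbot output)
#   /etc/haproxy/certs/<domain>.pem                              (HAProxy input)
# Matching HAProxy frontend line, e.g.:
#   bind *:443 ssl crt /etc/haproxy/certs/
set -eu

# build_combined_pem <live-dir> <output-file>
# Writes fullchain.pem + privkey.pem from <live-dir> to <output-file> with
# mode 600. Fails (non-zero) if an input is missing or the result does not
# contain both a certificate block and a private key block.
build_combined_pem() {
    live_dir="$1"; out="$2"
    [ -r "$live_dir/fullchain.pem" ] || { echo "missing $live_dir/fullchain.pem" >&2; return 1; }
    [ -r "$live_dir/privkey.pem" ]   || { echo "missing $live_dir/privkey.pem" >&2; return 1; }
    # mktemp creates the file with mode 600, so the key is never exposed,
    # even briefly, as it would be with a plain shell redirection.
    tmp="$(mktemp "$out.XXXXXX")"
    chmod 600 "$tmp"
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp"
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        echo "combined file $tmp is incomplete" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"   # atomic replace: HAProxy never reads a half-written file
}

# key_matches_cert <combined-pem>
# Extra check: the public key in the leaf certificate must equal the public
# key derived from the private key. Returns 0 on match, 1 on mismatch,
# 2 if openssl is not installed (check skipped).
key_matches_cert() {
    pem="$1"
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub="$(openssl x509 -in "$pem" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$pem" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# deploy_to_haproxy <domain>
# Rebuilds /etc/haproxy/certs/<domain>.pem and reloads HAProxy.
deploy_to_haproxy() {
    domain="$1"
    build_combined_pem "/etc/letsencrypt/live/$domain" "/etc/haproxy/certs/$domain.pem"
    rc=0
    key_matches_cert "/etc/haproxy/certs/$domain.pem" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "private key does not match certificate for $domain" >&2
        return 1
    fi
    systemctl reload haproxy   # assumed service name; 'service haproxy reload' on older systems
}

# As a certbot deploy hook, certbot sets RENEWED_LINEAGE to the live
# directory of the renewed certificate, e.g. /etc/letsencrypt/live/example.com:
#   certbot renew --deploy-hook /usr/local/sbin/haproxy-deploy.sh
# Run by hand instead with an explicit domain:
#   haproxy-deploy.sh example.com
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_haproxy "${RENEWED_LINEAGE##*/}"
elif [ "$#" -gt 0 ]; then
    deploy_to_haproxy "$1"
fi
```

The order inside the file matters: HaProxy expects the certificate chain first and the key after it, which is why fullchain.pem is concatenated before privkey.pem, and the first-line check in a test is a cheap way to catch the two being swapped.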

Summary

Certbot makes it fairly easy to obtain a certificate. Renewing the certificate is another matter, because there are many ways a certificate can be consumed and Certbot cannot install it into every one of them automatically; with HaProxy the combined file has to be rebuilt and HaProxy reloaded after each renewal.


About Danny

I.T. software professional, always studying and applying the knowledge gained, and one way of doing this is to blog. Danny also participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field that he has aimed for since leaving school. This entry was posted in Security, Web Server.
