Add Let's Encrypt support to emma's HAProxy #13

Closed
opened 2020-10-21 09:11:31 -05:00 by crest · 2 comments
Owner

FreeBSD's HAProxy package lacks Lua support, so we have to use an external ACME implementation. I decided to use `acme.sh` because it is extensible and has few dependencies (just bash, socat and openssl).

The setup looks like this:

  • HAProxy binds port 80/TCP.
  • It matches on the ACME well-known prefix and redirects ACME requests to 127.0.0.1:8080.
  • acme.sh responds to the challenges on behalf of HAProxy.
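The routing the post describes, written out as an HAProxy configuration; this is an added example, not configuration from the issue or the ccchb/ansible repository, and the backend names, the origin address 127.0.0.1:8081 and the `acme.sh` invocation in the comment are assumptions.

```haproxy
# Added example: HAProxy owns port 80 and hands only the ACME HTTP-01 path to
# acme.sh on loopback; every other request goes to the real site.
frontend http-in
    bind :80
    mode http
    # The ACME well-known prefix the post refers to.
    acl is_acme path_beg /.well-known/acme-challenge/
    # Route challenge requests before any HTTPS redirect; a redirect applied to
    # the challenge would make the CA follow a 301 instead of reading the token.
    use_backend acme if is_acme
    http-request redirect scheme https code 301 if !is_acme
    default_backend www

backend acme
    mode http
    # acme.sh only listens while a challenge is pending, so this backend being
    # down the rest of the time is expected, not a fault. Assumed issuance
    # command on the same host:
    #   acme.sh --issue --standalone --httpport 8080 -d example.com
    server acme 127.0.0.1:8080

backend www
    mode http
    server www1 127.0.0.1:8081   # assumed origin address
```

Check the ordering with `haproxy -c -f haproxy.cfg` after editing; if the redirect line is moved above `use_backend`, validation still passes but every challenge will fail.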
crest closed this issue 2020-10-21 09:12:17 -05:00
crest self-assigned this 2020-10-21 09:12:30 -05:00
Owner

On the VMs (nextcloud) we already use dehydrated ... should we use one solution everywhere?

Author
Owner

The problem with dehydrated is that it doesn't work without a real HTTP server, because it answers the ACME challenges by letting the HTTP service serve them for it. HAProxy is just a proxy and requires the ACME client to speak HTTP itself. Due to these constraints we can't use dehydrated with HAProxy without installing an HTTP server as well.

I see no pressing reason to standardize on one ACME implementation.

Reference: ccchb/ansible#13