Let's Encrypt Auto-Renewal script for HAProxy
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# "level admin" gives anyone who can open this socket full control of the running process,
# so its mode/ownership (660, owned by the haproxy user/group) is part of the security boundary.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2048
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
# Files loaded from crt-base contain private keys; keep them unreadable to other users.
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# NOTE(review): only SSLv3 is disabled here; TLS 1.0/1.1 stay enabled and the cipher list above
# still contains 3DES. On current releases consider `no-sslv3 no-tlsv10 no-tlsv11`
# (or `ssl-min-ver TLSv1.2`) and dropping the 3DES entries.
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
option forwardfor
option http-server-close
# Placeholders (haproxy_www_public_IP, www_1_private_IP, www_2_private_IP) must be replaced before use.
frontend www-http
bind haproxy_www_public_IP:80
# reqadd was deprecated in favour of http-request and is removed in HAProxy 2.1+; on newer
# releases use `http-request set-header X-Forwarded-Proto http`. set-header (not add-header)
# also overwrites an X-Forwarded-Proto value supplied by the client instead of keeping it.
reqadd X-Forwarded-Proto:\ http
# NOTE(review): plain-HTTP ACME (HTTP-01) requests arrive on this frontend and only reach
# letsencrypt-backend through the https redirect in www-backend below. Adding the same
# acl/use_backend pair here avoids relying on the validator following that redirect.
default_backend www-backend
frontend www-https
# NOTE(review): the renewal script below writes /etc/ssl/private/<domain>.ssl-unified.pem,
# while this bind loads /etc/haproxy/certs/example.com.pem; point one at the other or the
# renewed certificate is never served.
bind haproxy_www_public_IP:443 ssl crt /etc/haproxy/certs/example.com.pem
# Same remark as for the HTTP frontend: reqadd is gone in 2.1+, prefer http-request set-header.
reqadd X-Forwarded-Proto:\ https
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
default_backend www-backend
backend www-backend
redirect scheme https if !{ ssl_fc }
server www-1 www_1_private_IP:80 check
server www-2 www_2_private_IP:80 check
backend letsencrypt-backend
# Local listener for the ACME client's HTTP-01 responder; presumably certbot is run with
# --http-01-port 54321 in standalone mode -- confirm against the certbot configuration.
server letsencrypt 127.0.0.1:54321
#!/bin/bash
#
# --------------------------------------------------------------------------------------------
# Letsencrypt Auto Renew Script
# --------------------------------------------------------------------------------------------
# This file automatically renews SSL certificates issued by a letsencrypt server installation
# Original author and idea credit
# - Mitchell Anicas: thisismith (https://github.com/thisismitch)
# - https://gist.github.com/thisismitch/7c91e9b2b63f837a0c4b
#
# --------------------------------------------------------------------------------------------
# Author Info
# --------------------------------------------------------------------------------------------
# Name :: Tim Kennell Jr. ~ tikenn
#
# --------------------------------------------------------------------------------------------
# Config
# --------------------------------------------------------------------------------------------
# WEB_SERVICE :: web service on computer (e.g. haproxy, nginx, etc.)
# CONFIG_DIR :: directory of config files for letsencrypt domains
# SSL_DIR :: directory to store combined ssl certificates for use by WEB_SERVICE
# LE_PATH :: path to letsencrypt binary file
# LE_CONFIG :: location of letsencrypt/certbot configurations
#
# --------------------------------------------------------------------------------------------
# Setting up crontab
# --------------------------------------------------------------------------------------------
# - Create a file in /etc/cron.d/
# - Suggested to run the file once a week
# - Example line (runs at midnight): "0 0 * * 1 /path/to/le-renew-haproxy"
#
# ~ tikenn
# systemd unit that serves the certificates; it is restarted once the combined files are in place.
WEB_SERVICE='haproxy'
# Destination for the combined fullchain+privkey PEM files ("<domain>.ssl-unified.pem").
# NOTE(review): the sample haproxy.cfg above loads /etc/haproxy/certs/example.com.pem -- the two
# paths need to agree.
SSL_DIR='/etc/ssl/private'
# Placeholder recipient for failure reports; leave empty to disable mail (mutt is also required).
ADMIN_EMAIL='admin@example.com'
# Directory containing the certbot executable.
LE_PATH='/usr/bin'
# certbot configuration root; live certificates are read from "$LE_CONFIG/live".
LE_CONFIG='/etc/letsencrypt'
# --------------------------------------------------------------------------------------------
# Core App
# --------------------------------------------------------------------------------------------
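# Email errors if they occur
# param String $1 -- email address(es) to mail to (passed to mutt after "--", so a leading "-" is safe)
# param String $2 -- email body to send; backslash escapes are interpreted (%b), as echo -e did before
# Globals:  HOSTNAME (read) -- used for the From: address and the subject line
# Returns:  mutt's exit status
email_errors() {
  local mailto="$1"
  local email_body="$2"
  # printf instead of `echo -e`: echo mis-handles a body that starts with an option-like
  # token such as "-n", printf does not.
  printf '%b\n' "$email_body" |
    mutt -e "set from=le-auto-renew@$HOSTNAME.server realname='$HOSTNAME'" \
      -s "$HOSTNAME System Maintenance Errors" \
      -- "$mailto"
}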
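# Email configuration parameters
email_body="Error renewing certificates for a domain. Check the log files on the server for more info."
error_flag=0
# Use certbot for renewal (note that --renew-hook can't seem to tap into renewed certificate name).
# The exit status is captured on the same line; testing $? on a later line silently breaks as
# soon as another command is inserted in between.
"$LE_PATH/certbot" renew || error_flag=1
# "$LE_PATH/certbot" renew\
# --pre-hook "systemctl stop $WEB_SERVICE" \
# --post-hook "systemctl start $WEB_SERVICE"
# # --renew-hook "cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > $SSL_DIR/$(echo "$RENEWED_DOMAINS" | cut -d' ' -f1).ssl-unified.pem"
# Loop through domains in "$LE_CONFIG/live" to push combined certs to "$SSL_DIR".
# A glob replaces the parsed `ls` output: when nothing matches, the literal pattern fails the
# -d test and is skipped, so an empty domain name (the old "$SSL_DIR/.ssl-unified.pem") cannot occur.
for live_dir in "$LE_CONFIG/live/"*/ ; do
  [[ -d "$live_dir" ]] || continue
  domain=${live_dir%/}
  domain=${domain##*/}
  fullchain="${live_dir}fullchain.pem"
  privkey="${live_dir}privkey.pem"
  unified="$SSL_DIR/$domain.ssl-unified.pem"
  if [[ ! -r "$fullchain" || ! -r "$privkey" ]] ; then
    printf 'le-renew: %s: fullchain.pem or privkey.pem missing, skipping\n' "$domain" >&2
    error_flag=1
    continue
  fi
  # The combined file contains the private key. mktemp creates it mode 0600 regardless of the
  # (cron) umask, and the final mv replaces the previous file atomically, so the service never
  # loads a half-written or world-readable certificate.
  if ! { tmp=$(mktemp "$SSL_DIR/.$domain.XXXXXX") \
         && cat -- "$fullchain" "$privkey" > "$tmp" \
         && mv -f -- "$tmp" "$unified" ; } ; then
    printf 'le-renew: %s: failed to write %s\n' "$domain" "$unified" >&2
    [[ -n "${tmp:-}" ]] && rm -f -- "$tmp"
    error_flag=1
  fi
done
# Leftover from earlier versions of this script, which could produce a combined file with an
# empty domain name; -f keeps rm quiet when it is not there.
rm -f -- "$SSL_DIR/.ssl-unified.pem"
# restart $WEB_SERVICE after moving files over to $SSL_DIR so the renewed certificates are loaded;
# a failed restart is reported like a failed renewal.
systemctl restart "$WEB_SERVICE" || error_flag=1
# email regarding errors if setup (mutt installed, recipient configured, and something failed)
if command -v mutt > /dev/null && [[ -n "$ADMIN_EMAIL" && "$error_flag" -eq 1 ]] ; then
  email_errors "$ADMIN_EMAIL" "$email_body"
fi
# ---------------------------------------------------------------------------------------------
# End of Core App
# ---------------------------------------------------------------------------------------------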