@dougalcampbell
Created June 15, 2018 04:34
Let's Encrypt renewal with haproxy
```haproxy
# The key bit is the 'bind' statement in the frontend
frontend https-in
    # match the filename here to your $HAPCERTFILE (the bundle also holds the private key)
    bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/combined.pem
    # 'reqadd' was removed in HAProxy 2.1; there use:
    #   http-request set-header X-Forwarded-Proto https
    reqadd X-Forwarded-Proto:\ https
    # acl, use_backend, and other statements...
    acl srv_host_1 hdr(host) -i mydomain.com
    acl srv_host_2 hdr(host) -i myotherdomain.com
    use_backend backend_1 if srv_host_1
    use_backend backend_2 if srv_host_2

backend backend_1
    server local 127.0.0.1:8080 check

backend backend_2
    server www1 www1.myservers.com:80 check
```
```sh
#!/bin/sh
# To renew SSL certs using certbot-auto
# (certbot-auto is no longer maintained; point CERTBOTCMD at your certbot binary)
PATH=/sbin:/usr/sbin:/usr/local/bin/:/bin:/usr/bin
TODAY=$(/bin/date +"%Y%m%d")

# Customize these:
SITENAME=mydomain.com
HAPCERTPATH=/etc/haproxy/certs
HAPCERTNAME=combined.pem
CERTBOTCMD=/usr/local/bin/certbot-auto
LECERTPATH=/etc/letsencrypt/live/$SITENAME

# Shortcut to the shortcut
HAPCERTFILE=$HAPCERTPATH/$HAPCERTNAME

# Stop services, so certbot can bind ports for confirmation
service haproxy stop
service nginx stop

$CERTBOTCMD renew

# Backup the old cert file (an existing backup from the same day is not overwritten)
cp --no-clobber "$HAPCERTFILE" "$HAPCERTFILE.$TODAY"

# The combined file contains the private key: make sure the '>' below creates it
# readable by root only instead of with the default umask.
umask 077

# Combine the fullchain and privkey files for haproxy
cat "$LECERTPATH/fullchain.pem" \
    "$LECERTPATH/privkey.pem" \
    > "$HAPCERTFILE"

# Restart services
service nginx start
service haproxy start
```
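The concatenation step of the script above, reworked as a certbot deploy hook (an added example, not part of the gist): it checks that the two inputs really are a certificate chain and a private key, builds the bundle as a 0600 temp file and renames it into place so HAProxy never reads a truncated or world-readable file, keeps a dated backup, and reloads HAProxy only after a config check. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; the `HAPROXY_CFG` default is an assumption.

```shell
#!/bin/sh
# Deploy hook for "certbot renew --deploy-hook <this script>": certbot runs it
# only after a certificate was actually renewed, with RENEWED_LINEAGE set to the
# renewed live/ directory. HAPCERTFILE is the gist's path; HAPROXY_CFG is an assumed default.
HAPCERTFILE=${HAPCERTFILE:-/etc/haproxy/certs/combined.pem}
HAPROXY_CFG=${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}

# Check the first line of a PEM file against the header we expect.
pem_has_header() {  # $1=file  $2=header regex
    head -n 1 "$1" | grep -Eq "$2"
}

# Build the fullchain+privkey bundle that HAProxy's "crt" expects. The bundle
# holds the private key, so it is written as a 0600 temp file in the target
# directory and swapped in with rename(2): the running proxy never sees a
# truncated or world-readable file, and swapped arguments are rejected up front.
build_combined_pem() {  # $1=fullchain.pem  $2=privkey.pem  $3=destination
    fullchain=$1 privkey=$2 dest=$3
    pem_has_header "$fullchain" '^-----BEGIN CERTIFICATE-----$' \
        || { echo "not a certificate chain: $fullchain" >&2; return 1; }
    pem_has_header "$privkey" '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' \
        || { echo "not a private key: $privkey" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$dest")/.combined.XXXXXX") || return 1
    cat "$fullchain" "$privkey" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    # Keep a dated copy of the previous bundle; an existing backup from today is left alone.
    if [ -f "$dest" ]; then cp -pn "$dest" "$dest.$(date +%Y%m%d)" || true; fi
    mv -f "$tmp" "$dest"
}

# Reload (not restart) so established connections survive, and only after
# HAProxy has parsed the config together with the new bundle without error.
reload_haproxy() {
    haproxy -c -q -f "$HAPROXY_CFG" || { echo "haproxy config check failed" >&2; return 1; }
    service haproxy reload
}

# Entry point when run by certbot; does nothing when sourced or run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_combined_pem "$RENEWED_LINEAGE/fullchain.pem" \
                       "$RENEWED_LINEAGE/privkey.pem" "$HAPCERTFILE" && reload_haproxy
fi
```

If renewal still uses the standalone authenticator, pair this with `--pre-hook` and `--post-hook` to stop and start the services holding ports 80/443; the deploy hook itself only runs when a certificate was actually replaced.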