Let's Encrypt renewal with haproxy

haproxy.cfg

# The key bit is the 'bind' statement in the frontend

frontend https-in
        # match the filename here to your $HAPCERTFILE
        bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/combined.pem

        reqadd X-Forwarded-Proto:\ https
        
        # acl, use_backend, and other statements...
        acl srv_host_1 hdr(host) -i mydomain.com
        acl srv_host_2 hdr(host) -i myotherdomain.com
        
        use_backend backend_1 if srv_host_1
        use_backend backend_2 if srv_host_2
        
backend backend_1
        server local 127.0.0.1:8080 check
        
backend backend_2
        server www1 www1.myservers.com:80 check
        

renew-certs.sh

#!/bin/sh
# To renew SSL certs using certbot-auto
PATH=/sbin:/usr/sbin:/usr/local/bin/:/bin:/usr/bin
TODAY=`/bin/date +"%Y%m%d"`

# Customize these:
SITENAME=mydomain.com
HAPCERTPATH=/etc/haproxy/certs
HAPCERTNAME=combined.pem
CERTBOTCMD=/usr/local/bin/certbot-auto
LECERTPATH=/etc/letsencrypt/live/$SITENAME

# Shortcut to the shortcut
HAPCERTFILE=$HAPCERTPATH/$HAPCERTNAME

# Stop services, so cerbot can bind ports for confirmation
service haproxy stop
service nginx stop

$CERTBOTCMD renew

# Backup the old cert file
cp --no-clobber $HAPCERTFILE $HAPCERTFILE.`/bin/date +"%Y%m%d"`

# Combine the fullchain and privkey files for haproxy
cat $LECERTPATH/fullchain.pem \
    $LECERTPATH/privkey.pem \
    > $HAPCERTFILE

# Restart services
service nginx start
service haproxy start