@haproxytechblog
Last active January 8, 2022 17:22
Let’s Encrypt (ACMEv2) for HAProxy
HAProxy configuration. The public listener hands only the HTTP-01 challenge path to the Lua service; certificate ordering is done through a separate, loopback-only listener protected by basic auth; and a third listener terminates TLS towards the ACME CA so the Lua code only ever speaks plain HTTP locally.

```haproxy
global
    log /dev/log local0 debug
    # nbproc is deprecated and was removed in HAProxy 2.5; drop this line on newer releases
    nbproc 1
    daemon
    lua-load config.lua
    lua-load acme.lua

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 10s
    timeout server 10s

# Public HTTP listener. Only the ACME challenge path is served here; in a real
# deployment add a default_backend or redirect for everything else.
listen http
    bind *:80
    http-request use-service lua.acme if { path_beg /.well-known/acme-challenge/ }

# Credentials for the local ordering API (SHA-256 crypt hash, not cleartext)
userlist acme_users
    user acme password $5$Tmx0ttbvZB1TsL$QDbECr8B.rPvB9LWmSypDuVYwJJtReWrh.HWpmZNMaA

# Ordering API. Keep it bound to loopback: each order request carries the
# account and domain private keys in the clear, protected only by basic auth.
listen acme
    bind 127.0.0.1:9011
    acl acme_auth http_auth(acme_users)
    http-request auth realm "HAProxy ACME auth" if !acme_auth
    http-request use-service lua.acme

# Outbound proxy to the ACME CA: Lua talks HTTP to 127.0.0.1:9012, HAProxy does TLS
listen acme-ca
    bind 127.0.0.1:9012
    # The ca-file must contain the root(s) that currently sign the API endpoint's
    # certificate. The "x3" bundle named here predates Let's Encrypt's 2021 move to
    # ISRG Root X1, so check what the endpoint presents before relying on this name.
    server ca acme-v02.api.letsencrypt.org:443 ssl verify required ca-file letsencrypt-x3-ca-chain.pem
    http-request set-header Host acme-v02.api.letsencrypt.org
```
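The userlist above stores a SHA-256 crypt (`$5$`) hash rather than a cleartext password. The following bash functions are an added example, not part of the gist: they generate such a hash with `openssl passwd -5` (OpenSSL 1.1.1 or later), check a candidate cleartext against an existing hash by re-hashing it with the salt embedded in the hash, and print a ready-to-paste userlist stanza. This is how to confirm that the credential handed to `curl -u` really matches the userlist entry. The password used in the demo is constructed and is not the one behind the gist's hash.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): create and check the SHA-256 crypt hash
# that a HAProxy `userlist ... user NAME password HASH` line expects.
set -euo pipefail

# Print a fresh "$5$<salt>$<digest>" for PASSWORD; openssl picks a random salt.
make_userlist_hash() {
  openssl passwd -5 "$1"
}

# Return 0 if PASSWORD reproduces HASH (re-hashed with HASH's own salt),
# 1 if it does not, 2 if HASH is not a SHA-256 crypt string at all.
check_userlist_hash() {
  local password=$1 hash=$2 salt recomputed
  case $hash in
    '$5$'*) ;;
    *) echo "not a SHA-256 crypt hash: $hash" >&2; return 2 ;;
  esac
  # Fields of "$5$salt$digest" split on '$': "", "5", salt, digest
  salt=$(printf '%s' "$hash" | cut -d'$' -f3)
  recomputed=$(openssl passwd -5 -salt "$salt" "$password")
  [ "$recomputed" = "$hash" ]
}

# Emit a userlist stanza (LIST USER HASH) in HAProxy's indentation.
userlist_stanza() {
  printf 'userlist %s\n    user %s password %s\n' "$1" "$2" "$3"
}

# Demo with a constructed password.
demo_hash=$(make_userlist_hash 'correct horse battery staple')
userlist_stanza acme_users acme "$demo_hash"
check_userlist_hash 'correct horse battery staple' "$demo_hash" && echo "hash verifies"
```

Run it once per credential you provision, paste the stanza into haproxy.cfg, and keep the cleartext only where the ordering script runs.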
config.lua, loaded by the `lua-load config.lua` line above and read by acme.lua:

```lua
-- config.lua: settings for the acme.lua service
config = {
    registration = {
        -- Read the TOS at https://letsencrypt.org/repository/ and set this to true;
        -- Let's Encrypt refuses to create an account unless the terms are agreed.
        termsOfServiceAgreed = false,
        contact = {"mailto:postmaster@example.net"}
    },
    -- ACME certificate authority configuration
    ca = {
        -- HAProxy listener which proxies requests to the ACME server (the "acme-ca" listener above)
        proxy_uri = "http://127.0.0.1:9012",
        -- ACME server URI (also returned by ACME directory listings)
        -- Use this server name in the HAProxy config
        uri = "https://acme-v02.api.letsencrypt.org",
    }
}
```
Generate the keys and order a certificate through the local `acme` listener:

```bash
# Account key (identifies the ACME account) and a separate key for the certificate
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out account.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.net.key

# Order through the basic-auth protected listener on 127.0.0.1:9011.
# Both private keys are uploaded in this request, so only ever point it at loopback.
curl -X POST -u acme:acme http://127.0.0.1:9011/acme/order \
    -F 'account_key=@account.key' \
    -F 'domain=example.net' \
    -F 'domain_key=@example.net.key' \
    -F 'aliases=www.example.net,example.com,www.example.com' \
    -o example.net.pem
```
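The order call writes whatever the Lua service returned to example.net.pem. As an added example that is not part of the gist, the bash functions below check that the returned PEM contains a certificate whose public key pairs with the submitted example.net.key, that its DNS SANs cover every name that was requested (domain plus aliases), and then concatenate certificate and key into the single file that HAProxy's `bind ... ssl crt` loads, created with owner-only permissions. Because this has to run offline, a self-signed certificate carrying the same SANs is constructed as a stand-in for the CA-issued one; the check functions are what you would run against the real output. OpenSSL 1.1.1 or later is assumed for `-ext` and `-addext`.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): validate the certificate returned by
# /acme/order and build the combined PEM HAProxy expects.
set -euo pipefail

# Return 0 when the certificate's public key matches the private key,
# by comparing the DER SubjectPublicKeyInfo digests of both.
cert_matches_key() {
  local cert=$1 key=$2 from_cert from_key
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_key" ]
}

# Print the certificate's DNS SANs, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 when every comma-separated name in $2 is a DNS SAN of certificate $1.
cert_covers_names() {
  local cert=$1 names=$2 n present
  present=$(cert_dns_names "$cert")
  for n in ${names//,/ }; do
    grep -qxF "$n" <<<"$present" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# Write certificate (plus any chain already in the file) followed by the key,
# refusing to do so if they do not belong together. Mode 600 via umask.
build_haproxy_pem() {
  local cert=$1 key=$2 out=$3
  cert_matches_key "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
  rm -f "$out"
  ( umask 077; cat "$cert" "$key" > "$out" )
}

# Constructed stand-in for the CA-issued certificate: self-signed, same SANs
# as the order above (domain plus aliases), valid for one day.
make_stand_in() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/example.net.key" -out "$dir/example.net.pem" \
    -subj '/CN=example.net' \
    -addext 'subjectAltName=DNS:example.net,DNS:www.example.net,DNS:example.com,DNS:www.example.com' \
    2>/dev/null
}

# Demo: the same three calls you would run on the real example.net.pem.
work=$(mktemp -d)
make_stand_in "$work"
cert_covers_names "$work/example.net.pem" 'example.net,www.example.net,example.com,www.example.com'
build_haproxy_pem "$work/example.net.pem" "$work/example.net.key" "$work/example.net.haproxy.pem"
echo "combined PEM ready: $work/example.net.haproxy.pem"
```

Point `bind *:443 ssl crt /path/to/example.net.haproxy.pem` at the combined file and reload HAProxy; if either check fails, do not install the file, and look at the HAProxy log for the `acme` listener to see what the Lua service actually returned.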