Ensuring a secure HTTPS connection is a critical aspect of maintaining modern web services. Let’s Encrypt offers a fantastic way to automate the issuance of free SSL certificates. In this blog post, we’ll walk through a setup where HAProxy, a popular open-source load balancer, integrates with Let’s Encrypt to automate SSL certificate generation and renewal. This approach enables centralized management of SSL certificates across multiple HAProxy instances, improving security, convenience, and uptime.
Overview of the Setup
In this configuration, we have two HAProxy instances serving as load balancers. Each HAProxy is configured with an Access Control List (ACL) to route Let’s Encrypt’s HTTP-01 challenges to a dedicated backend server, which we refer to as the “SSL Provider.” The SSL Provider uses Certbot to handle SSL certificate generation and renewal. Let’s take a closer look at how to set up this integration.
Step 1: Configure HAProxy for Let’s Encrypt Challenges
For HAProxy to pass Let’s Encrypt HTTP-01 challenges to the SSL Provider, we’ll add an ACL and backend configuration to each HAProxy instance.
- Create an ACL for Let’s Encrypt Challenge Requests
  This ACL intercepts requests from Let’s Encrypt for domain validation and directs them to the SSL Provider server for processing. It belongs in the frontend that listens on port 80, because Let’s Encrypt’s HTTP-01 validation always connects to port 80 of the name being validated.

```haproxy
# letsencrypt ACL
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
```

- Define the Backend for Let’s Encrypt
  The backend configuration forwards Let’s Encrypt challenge requests to the SSL Provider, located at IP 192.16.10.5 on port 8888.

```haproxy
# Backend for letsencrypt
backend letsencrypt-backend
    server letsencrypt 192.16.10.5:8888
```
Step 2: Use Certbot to Generate SSL Certificates
When a new domain is added to HAProxy, Certbot can generate SSL certificates for that domain directly on the SSL Provider. Here’s an example command:
```bash
certbot certonly --standalone --non-interactive --agree-tos --email your@emailaddress.com --http-01-port 8888 -d newdomain.com -d www.newdomain.com
```

This command tells Certbot to run its standalone HTTP-01 responder on port 8888, which HAProxy routes to the SSL Provider. Let’s Encrypt itself always connects to port 80 on the public name, so port 8888 only needs to be reachable from the HAProxy hosts, not from the Internet. Certbot then generates SSL certificates for the specified domains.
Step 3: Automate Monthly Certificate Renewal
SSL certificates need regular renewal, so we’ve set up a monthly script on the SSL Provider to handle this process automatically. Here’s the renewal script:
```bash
#!/usr/bin/env bash
# Stop at the first failure so HAProxy is never reloaded with a half-built bundle.
set -euo pipefail
# The staged bundle contains the private key: keep it readable by root only.
umask 077
mkdir -p /tmp/certs

# Renew the certificates
/usr/bin/certbot renew

# Create a certs.list for HAProxy (the path must match the bundle file name below)
echo '/etc/haproxy/certs/prod/newdomain.com.pem [alpn h2,http/1.1]' > /tmp/certs/certs.list

# Concatenate new cert files, combining certificate and private key
cat /etc/letsencrypt/live/newdomain.com/fullchain.pem \
    /etc/letsencrypt/live/newdomain.com/privkey.pem > /tmp/certs/newdomain.com.pem

# Transfer the certs and certs.list to the HAProxy servers
scp -P 2244 /tmp/certs/* root@ha-proxy1:/etc/haproxy/certs/prod/
scp -P 2244 /tmp/certs/* root@ha-proxy2:/etc/haproxy/certs/prod/

# Reload HAProxy with the new certificates (same SSH port and host names as the scp lines)
ssh -p 2244 root@ha-proxy1 "systemctl reload haproxy"
ssh -p 2244 root@ha-proxy2 "systemctl reload haproxy"
```
This script performs the following steps:
- Renew Certificates: The script uses `certbot renew` to update certificates if they’re close to expiry.
- Prepare Certificates for HAProxy: Certificates are concatenated with private keys, and `certs.list` is updated for HAProxy.
- Transfer Certificates: The updated certificates and list are securely copied to each HAProxy server.
- Reload HAProxy: Each HAProxy server is reloaded to apply the new certificates without downtime.
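The renewal script above trusts that every step succeeded before it reloads the load balancers. The following is an added example (not code from the original post) that hardens the same pipeline: it verifies that each private key actually matches its certificate before a bundle is staged, reports whether a bundle is close to expiry with `openssl x509 -checkend`, generates `certs.list` for any number of domains, and only ships and reloads once every bundle has passed. It assumes Certbot’s standard `/etc/letsencrypt/live/<domain>/` layout, `openssl` on the PATH, and the host names and SSH port from the post’s script; the `haproxy -c` configuration check before reload is an addition.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes certbot's live/ layout
# (fullchain.pem + privkey.pem per domain) and openssl on the PATH.
set -euo pipefail

# build_pem LIVE_DIR OUT_PEM
# Concatenates fullchain.pem and privkey.pem into the single PEM HAProxy expects,
# refusing to write a bundle whose private key does not match the leaf certificate.
build_pem() {
  local live_dir="$1" out_pem="$2"
  local chain="$live_dir/fullchain.pem" key="$live_dir/privkey.pem"
  [ -r "$chain" ] && [ -r "$key" ] || { echo "missing $chain or $key" >&2; return 1; }
  # Derive the public key from both the certificate and the private key and compare
  # their DER digests; openssl x509 reads the first (leaf) certificate of the chain.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate in $live_dir" >&2
    return 2
  fi
  # The bundle carries the private key: create it owner-readable only (subshell keeps
  # the umask change local).
  ( umask 077; cat "$chain" "$key" > "$out_pem" )
}

# expires_within PEM DAYS -> returns 0 if the certificate expires within DAYS days
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# write_crt_list OUT_FILE REMOTE_DIR DOMAIN...
# Emits one crt-list line per domain, using the path HAProxy will see after the copy.
write_crt_list() {
  local out="$1" remote_dir="$2"; shift 2
  : > "$out"
  local d
  for d in "$@"; do
    echo "$remote_dir/$d.pem [alpn h2,http/1.1]" >> "$out"
  done
}

# publish_all DOMAIN...
# Stages and verifies every bundle first; nothing is copied or reloaded unless all
# bundles pass. Host names and SSH port follow the post's script (placeholders).
publish_all() {
  local stage; stage=$(mktemp -d)
  local d host
  for d in "$@"; do
    build_pem "/etc/letsencrypt/live/$d" "$stage/$d.pem"
    if expires_within "$stage/$d.pem" 14; then
      echo "warning: $d expires within 14 days; check that certbot renew succeeded" >&2
    fi
  done
  write_crt_list "$stage/certs.list" /etc/haproxy/certs/prod "$@"
  for host in ha-proxy1 ha-proxy2; do
    scp -P 2244 "$stage"/* "root@$host:/etc/haproxy/certs/prod/"
    # Validate the configuration with the new files in place before reloading.
    ssh -p 2244 "root@$host" "haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy"
  done
  rm -rf "$stage"
}

# Run the full publish step only when explicitly requested, e.g.
#   RUN_PUBLISH=1 ./publish.sh newdomain.com
if [ "${RUN_PUBLISH:-0}" = "1" ]; then
  publish_all "$@"
fi
```

Keeping the key-match check on the SSL Provider means a corrupted or mismatched bundle is caught before it reaches either load balancer, and the `haproxy -c` check means a bad `certs.list` entry fails the validation step instead of the reload.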
Benefits of Centralized SSL Management
This centralized SSL management approach offers several advantages:
- Efficiency: By managing SSL certificates on a single server, you avoid the need for manual updates on each HAProxy instance.
- Automation: Automatic certificate renewal reduces the risk of certificate expiration, ensuring secure and uninterrupted service.
- Scalability: As new domains are added, Certbot can issue certificates seamlessly, integrating them with HAProxy’s load balancers.
- Security: Certificate handling is isolated to the SSL Provider, reducing the complexity and potential risks associated with SSL management across multiple load balancers.
Conclusion
Integrating Let’s Encrypt with HAProxy provides a reliable and automated method for managing SSL certificates across multiple load balancers. By leveraging an SSL Provider with Certbot, you gain centralized control over SSL certificates, ensuring your domains are consistently secure and up to date. With this setup, you can confidently manage HTTPS traffic for an expanding set of domains, while minimizing maintenance efforts and avoiding the risk of expired certificates.
For more high-availability solutions and guides, stay tuned to our blog!
A shoutout to Martin Boer for planting the seed of this idea—sometimes it just takes one spark to light the way!