Letsencrypt for HAProxy

The purpose of this script is to automate, to some extent, the generation and renewal of certificates issued by Let's Encrypt and used by HAProxy.

This script relies on ( as an interface to letsencrypt.


This is pretty simple:

When letsencryptforhaproxy is called to renew the certificate for , it temporarily listens on HTTP port 88 on the HAProxy box (don't forget to firewall this port). During certificate generation, Let's Encrypt calls back on a particular URL with a challenge; the purpose of this step is to ensure that the owner of really owns the domain. So of course, HAProxy must be configured to route those requests from Let's Encrypt to the temporary web server.


  1. install somewhere

  2. copy the script letsencryptforhaproxy anywhere in your filesystem and call it from your HAProxy init script (preferably before any start / restart / reload action). Don't forget to give it execution rights.

  3. configure the letsencryptforhaproxy variables:

  • ACMEHOME: where has been installed
  • HAPROXYCERTSHOME: where the certificates for HAProxy may be found
  • ACMEOPTIONS: options to be passed to the '' script
  • DOMLIST: list of domain names for which you want to issue / renew a certificate
  • KEYLENGTHLIST: type and size of the keys you want to generate certificates for
  • TEST: use the Let's Encrypt sandbox (recommended for the first use and during the installation phase)

  4. configure HAProxy:
  • in the frontend processing the domain name being requested, route the ACME challenge requests to the temporary backend:

    frontend f_myapp
        [...]
        acl path_letsencrypt path_dir acme-challenge
        use_backend b_letsencrypt if path_letsencrypt

  • create a backend for the temporary web server:

    backend b_letsencrypt
        default-server inter 1s fall 1 rise 1
        server check

OCSP stapling

Copy the script letsencryptocspforhaproxy anywhere in your filesystem. Don't forget to give it execution rights. This script can be run at any time, since it updates HAProxy through its stats socket.

The configuration of letsencryptocspforhaproxy is the same as for letsencryptforhaproxy, with one more variable:

  • HAPROXY_SOCKET: path to the HAProxy stats socket for update at run time

The best approach is to run letsencryptocspforhaproxy from the crontab.
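Below is an added example, not the repository's letsencryptocspforhaproxy script, showing the refresh cycle the OCSP section describes: fetch the response with openssl, accept it only if the responder signature verifies and the status is "good", then push it to the running HAProxy over the stats socket. The file names (cert.pem, chain.pem, refresh-ocsp.sh), the CA_BUNDLE path and the HAPROXY_SOCKET default are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's letsencryptocspforhaproxy script:
# fetch a fresh OCSP response for one certificate, refuse anything that
# is not a verified "good" answer, then push it into the running HAProxy
# through the stats socket ("set ssl ocsp-response" expects base64 DER).
# Assumptions: cert.pem is the leaf, chain.pem starts with its issuer,
# CA_BUNDLE verifies the responder's signature, HAPROXY_SOCKET is an
# admin-level stats socket. Needs openssl, base64 and socat.
set -eu
HAPROXY_SOCKET="${HAPROXY_SOCKET:-/var/run/haproxy.sock}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Stats-socket command built from an already base64-encoded DER response.
build_ocsp_command() {
    printf 'set ssl ocsp-response %s\n' "$1"
}

# Accept the openssl ocsp report only when the signature verified and the
# certificate status is "good" (never staple a revoked/unknown answer).
# $1 = report text, $2 = certificate file name as given to openssl -cert.
ocsp_status_ok() {
    printf '%s\n' "$1" | grep -qx 'Response verify OK' &&
    printf '%s\n' "$1" | grep -qxF "$2: good"
}

# Query the responder named in the certificate's AIA extension; the DER
# response is kept as cert.pem.ocsp so the next HAProxy reload loads it too.
fetch_ocsp() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -CAfile "$CA_BUNDLE" \
        -no_nonce -respout "$1.ocsp" 2>&1
}

# Update the live HAProxy without a reload; the payload must be one line.
push_ocsp() {
    build_ocsp_command "$(base64 < "$1.ocsp" | tr -d '\n')" |
        socat stdio "unix-connect:$HAPROXY_SOCKET"
}

main() {
    report=$(fetch_ocsp "$1" "$2")
    if ocsp_status_ok "$report" "$1"; then
        push_ocsp "$1"
    else
        printf 'refusing to staple:\n%s\n' "$report" >&2
        return 1
    fi
}
# Usage: ./refresh-ocsp.sh /etc/haproxy/certs/cert.pem chain.pem
if [ "$#" -ge 2 ]; then main "$@"; fi
```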


Non-exhaustive list of third-party software used by the scripts here (including

  • openssl
  • nc
  • curl
  • awk
  • socat
  • base64
