We have had an ongoing problem whereby renewals, or adding a new certificate causes haproxy to no longer respond to requests.
The renewal or issue process via the acme-client works fine and the haproxy service is still running, however I need to actually stop then start the haproxy service to resolve the outage.
Opnsense Version: 19.7.9 (although this problem existed for us prior to this release)
Let's Encrypt Config:
- Auto Renewal = Enabled
- Let's Encrypt Environment = Production
- HAProxy Integration = Enabled
Validation Methods:
- Challenge Type = HTTP-01
- HTTP Service = HAProxy HTTP Frontend Integration
- HAProxy:
- Enable Auto-Configuration = Enabled
- HAProxy Frontends: Our HAProxy frontend that listens on HTTP (80/tcp)
Automations:
A single automation is defined to restart HAProxy
Certificates:
We have four different certificates, two are multi-domain (SAN) certs while the others are single-domain certificates.
All are set to use HTTP-01 validation and with the defined HAProxy restart automation selected.
HAProxy Configuration:
We have two HAProxy frontends (public services) configured.
One listens on port 80 for plain HTTP, which is the frontend selected for the Let's Encrypt HTTP-01 validation method. In addition to the automatically added acme redirect rule, this frontend has some select rules in place to redirect some internal services from HTTP -> HTTPS.
The other frontend is our HTTPS listener which has the four certificates included and various rules to direct connections to internal systems.
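For readers trying to reproduce the setup described in the post, here is an added illustrative HAProxy configuration that is not the poster's own exported config and not generated by the OPNsense plugin. Hostnames, backend addresses, the certificate directory and the local port the acme-client listens on for HTTP-01 challenges are all assumptions. The two points it makes concrete are that the ACME challenge ACL has to be evaluated before any HTTP -> HTTPS redirect on the port 80 frontend, and that the HTTPS frontend only reads its certificate files at start or reload, which is why a renewal must be followed by a reload or restart before clients see the new certificate.

```haproxy
# Added example, not the original poster's configuration.
# All names, addresses, paths and ports below are assumptions.

global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Local listener of the acme-client plugin that answers HTTP-01 challenges
# (address and port are assumptions, check the plugin's settings).
backend acme_challenge
    server acme 127.0.0.1:43580

# Internal service reached through the HTTPS frontend (assumed address).
backend app_internal
    server app1 10.0.0.10:8080 check

# Plain-HTTP frontend used for HTTP-01 validation.
# The challenge ACL is tested first; if the redirect came first, Let's Encrypt
# would be sent to HTTPS and the validation request would never reach the
# acme-client.
frontend public_http
    bind :80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_challenge if is_acme
    # Selective HTTP -> HTTPS redirect for named internal services only.
    acl host_app hdr(host) -i app.example.com
    http-request redirect scheme https code 301 if host_app !is_acme

# HTTPS frontend. "crt <directory>/" loads every certificate file in the
# directory (the four certificates), and SNI selects the matching one.
# HAProxy reads these files only when it starts or reloads, so a renewed
# certificate written to disk is not served until a reload/restart.
frontend public_https
    bind :443 ssl crt /usr/local/etc/haproxy/ssl/ alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000"
    acl host_app hdr(host) -i app.example.com
    use_backend app_internal if host_app
    default_backend app_internal
```

After a renewal, two checks tell you which of the two failure modes you are in: `haproxy -c -f <config file>` confirms the generated configuration still parses (a frontend with a certificate file it cannot read will fail this check and the old process keeps running), and `openssl s_client -connect <ip>:443 -servername app.example.com </dev/null | openssl x509 -noout -enddate` shows whether the running process is actually serving the renewed certificate or still the old one.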