Create SSL certificate using Certbot with manual mode used by HAProxy

Posted November 1, 2022 by Ivan Magdić ‐ 4 min read

In this blog post we will generate a Let's Encrypt SSL certificate using Certbot. The generated certificate will then be used by HAProxy to terminate TLS, i.e. to decrypt incoming HTTPS traffic and encrypt the responses.

Introduction

Certbot is EFF’s tool to obtain certs from Let’s Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

You can quickly and easily enable SSL/TLS encryption for your applications by using HAProxy SSL termination. HAProxy is compiled with OpenSSL, which allows it to encrypt and decrypt traffic as it passes.

Let’s Encrypt Certbot

With the help of Certbot we will generate a wildcard certificate for the imagdic.me domain and all of its subdomains.

Generating the SSL certificate

sudo certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.imagdic.me,imagdic.me

After running the command you will be asked to add a new TXT record in your DNS panel. Once finished, return to the terminal and press Enter. You will then be asked to add a second record. Before confirming the second TXT record, wait a few minutes for the records to propagate on the DNS side.

Example of output after running the command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for imagdic.me
dns-01 challenge for imagdic.me

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.imagdic.me with the following value:

VRtQUvuSnsVcvH6e45tqOF-T8CjO9lCcod2JJZsHFuc

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.imagdic.me with the following value:

07HuJwQ1mIGi8egcfMWSNlenUQfl44WUyX09bZ8s1bs

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/imagdic.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/imagdic.me/privkey.pem
   Your cert will expire on 2023-01-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Example of configuration on the Namecheap panel (image: Namecheap TXT records)

The TXT host can be “_acme-challenge” since Namecheap adds the host part automatically.

Prepare pem file for HAProxy

The latest version of Certbot generates the fullchain.pem and privkey.pem files in the /etc/letsencrypt/live/imagdic.me folder. They need to be combined into a single file, certificate chain first and private key second, so that HAProxy can read them properly.

cd /etc/letsencrypt/live/imagdic.me
cat fullchain.pem privkey.pem > imagdic.me.pem
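An added helper for the step above (example script, not code from the original post) that builds the combined PEM the same way, but creates it readable only by its owner, since the file now carries the private key, and checks the layout before HAProxy is pointed at it. The live directory and output path are placeholders; the PEM blocks in make_sample_live_dir are constructed dummies.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the combined PEM that
# HAProxy's "crt" directive expects (certificate chain first, private key
# last) and verifies the result. Paths are placeholders; the PEM blocks in
# make_sample_live_dir are constructed dummies, not real certificates or keys.

# Concatenate fullchain.pem and privkey.pem into one owner-only file.
make_haproxy_pem() {
    live_dir=$1
    out=$2
    for f in fullchain.pem privkey.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    old_umask=$(umask)
    umask 077                      # create the file without group/other bits
    cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out"
    umask "$old_umask"
    chmod 600 "$out"               # the combined file contains the private key
    verify_haproxy_pem "$out"
}

# Layout check: at least one CERTIFICATE block, exactly one PRIVATE KEY block,
# and the key must come after the first certificate, which is the order
# HAProxy reads. Returns 0 when the layout is right, 1 otherwise.
verify_haproxy_pem() {
    pem=$1
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -e '-----BEGIN.*PRIVATE KEY-----' "$pem" || true)
    first_cert=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$pem" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n -e '-----BEGIN.*PRIVATE KEY-----' "$pem" | head -n 1 | cut -d: -f1)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ] && [ "${key_line:-0}" -gt "${first_cert:-0}" ]
}

# Constructed stand-in for /etc/letsencrypt/live/<domain>: two dummy
# certificate blocks (leaf + intermediate) and one dummy key block.
make_sample_live_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' LEAFDUMMY '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CADUMMY '-----END CERTIFICATE-----' >> "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEYDUMMY '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    echo "$d"
}

# On a real host (placeholder paths):
#   make_haproxy_pem /etc/letsencrypt/live/imagdic.me /etc/letsencrypt/live/imagdic.me/imagdic.me.pem
```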

HAProxy

Edit the HAProxy configuration file /etc/haproxy/haproxy.cfg and add the following bind line to the frontend that should serve SSL:

bind *:443 ssl crt /etc/letsencrypt/live/imagdic.me/imagdic.me.pem

An example of the frontend and backend sections in the HAProxy configuration file:

frontend .imagdic.me
  bind *:80
  bind *:443 ssl crt /etc/letsencrypt/live/imagdic.me/imagdic.me.pem
  http-request redirect scheme https unless { ssl_fc }
  use_backend servers if { req.hdr(host) -i -m end .imagdic.me }

backend servers
  balance roundrobin
  server server1 <IP>:<PORT> check
  server server2 <IP>:<PORT> check

Renewing certificate?

There is no way to automate the DNS verification in manual mode, so when the certificate expires, repeat the process.
