Renewing a Let's Encrypt certificate for use in HAProxy
Here is a script I've put together from a few different sources. It renews the specified LE certificates, copies them to the HAProxy SSL directory, copies them to the second HAProxy server and reloads HAProxy on both nodes.
Just call it like this: `bash ~/renewLECert.sh domain1.com domain2.com`
This will create 2 separate certificates, which is useful if you don't want the other domains to appear as Subject Alternative Names on a single SSL certificate.
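#!/usr/bin/env bash
#
# renewLECert.sh - request/renew one Let's Encrypt certificate per domain,
# bundle chain + key for HAProxy, copy the bundles to the peer load balancer
# and reload HAProxy on both nodes.
#
# Usage: renewLECert.sh domain1.com [domain2.com ...]
#   One certificate is issued per argument (domains are not combined as SANs).
#
# Environment overrides (all optional; the defaults are the original values):
#   LE_TOOL    path to the letsencrypt-auto client
#   LE_OUTPUT  directory where the client writes <domain>/{fullchain,privkey}.pem
#   SSL_DIR    directory HAProxy loads bundles from (its 'crt' directory)
#   LE_PORT    local port for the standalone http-01 responder; must match the
#              letsencrypt_backend server in haproxy.cfg
#   PEER_HOST  second HAProxy node that receives a copy of the bundles
#   PEER_USER  account used for scp/ssh to PEER_HOST
set -euo pipefail

readonly LE_TOOL=${LE_TOOL:-/usr/local/letsencrypt/letsencrypt-auto}
readonly LE_OUTPUT=${LE_OUTPUT:-/etc/letsencrypt/live}
readonly SSL_DIR=${SSL_DIR:-/etc/ssl}
readonly LE_PORT=${LE_PORT:-9999}
readonly PEER_HOST=${PEER_HOST:-172.16.103.62}
readonly PEER_USER=${PEER_USER:-root}

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'Usage: %s domain [domain ...]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Ask the ACME client for a fresh certificate for one domain.
# Globals:   LE_TOOL, LE_PORT (read)
# Arguments: $1 - domain name
# Returns:   the client's exit status
#######################################
request_cert() {
  local dom=$1
  printf 'Requesting new certificate for %s\n' "$dom"
  "$LE_TOOL" --agree-tos --renew-by-default --standalone \
    --standalone-supported-challenges http-01 --http-01-port "$LE_PORT" \
    certonly -d "$dom"
}

#######################################
# Write fullchain + private key as one bundle for HAProxy.
# The bundle is built in a mode-0600 temp file and renamed into place, so the
# live bundle is never truncated when a source file is missing or unreadable.
# Globals:   LE_OUTPUT, SSL_DIR (read)
# Arguments: $1 - domain name
# Returns:   0 on success, 1 if the bundle could not be built
#######################################
install_bundle() {
  local dom=$1
  local src="$LE_OUTPUT/$dom"
  local dst="$SSL_DIR/$dom.pem"
  local tmp

  if [[ ! -r "$src/fullchain.pem" || ! -r "$src/privkey.pem" ]]; then
    printf 'error: %s: no readable fullchain.pem/privkey.pem in %s\n' "$dom" "$src" >&2
    return 1
  fi

  tmp=$(mktemp -- "$SSL_DIR/.$dom.pem.XXXXXX") || return 1
  # The bundle contains the private key: keep it root-only. HAProxy reads its
  # certificates while still root, before dropping to 'user haproxy'.
  chmod 600 -- "$tmp"
  if ! cat -- "$src/fullchain.pem" "$src/privkey.pem" > "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi
  mv -f -- "$tmp" "$dst"
}

#######################################
# Entry point: renew every domain given, then reload HAProxy locally and on
# the peer. A domain whose renewal fails is skipped (its old bundle stays in
# place); HAProxy is only reloaded when at least one bundle was refreshed.
# Arguments: domains to renew
# Returns:   0 if every domain was renewed, 1 if any failed, 2 on usage error
#######################################
main() {
  (( $# >= 1 )) || usage

  local -a renewed=()
  local -a failed=()
  local dom
  for dom in "$@"; do
    if request_cert "$dom" && install_bundle "$dom"; then
      renewed+=("$dom")
    else
      failed+=("$dom")
    fi
  done

  if (( ${#renewed[@]} == 0 )); then
    die "error: no certificate was renewed (${failed[*]}); HAProxy not reloaded"
  fi

  # Reload the local daemon so it picks up the new bundles.
  systemctl reload haproxy

  # Copy only the refreshed bundles to the peer node, keeping the 0600 mode,
  # then reload HAProxy there too.
  local -a bundles=()
  for dom in "${renewed[@]}"; do
    bundles+=("$SSL_DIR/$dom.pem")
  done
  scp -p "${bundles[@]}" "$PEER_USER@$PEER_HOST:$SSL_DIR/"
  ssh "$PEER_USER@$PEER_HOST" 'service haproxy reload'

  if (( ${#failed[@]} > 0 )); then
    printf 'warning: renewal failed for: %s\n' "${failed[*]}" >&2
    exit 1
  fi
}

main "$@"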
And the corresponding HAProxy config
1#---------------------------------------------------------------------
2# Example configuration for a possible web application. See the
3# full configuration options online.
4#
5# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
6#
7#---------------------------------------------------------------------
8
9#---------------------------------------------------------------------
10# Global settings
11#---------------------------------------------------------------------
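global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # Baseline TLS settings applied to every 'bind ... ssl' line below.
    # These directives need HAProxy 1.5+, which the ssl/ssl_fc usage in the
    # frontends already requires.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    tune.ssl.default-dh-param 2048

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats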
37
38#---------------------------------------------------------------------
39# common defaults that all the 'listen' and 'backend' sections will
40# use if not designated in their block
41#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    # do not log connections that never sent a request (health checks, probes)
    option                  dontlognull
    option                  http-server-close
    # add X-Forwarded-For with the client address, except for loopback clients
    option                  forwardfor       except 127.0.0.0/8
    # if the chosen server goes down, retry the request on another one
    option                  redispatch
    retries                 3
    # bound the time a client may take to send complete request headers
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
59
60#---------------------------------------------------------------------
61# main frontend which proxys to the backends
62#---------------------------------------------------------------------
63#frontend main *:5000
64# acl url_static path_beg -i /static /images /javascript /stylesheets
65# acl url_static path_end -i .jpg .gif .png .css .js
66#
67# use_backend static if url_static
68# default_backend app
69
70#---------------------------------------------------------------------
71# static backend for serving up images, stylesheets and such
72#---------------------------------------------------------------------
73#backend static
74# balance roundrobin
75# server static 127.0.0.1:4331 check
76
77#---------------------------------------------------------------------
78# round robin balancing between the various backends
79
frontend ssl_redirector
    # Terminate TLS with every bundle found in the crt directory; the renewal
    # script writes <domain>.pem (fullchain + private key) there.
    # NOTE(review): a distro /etc/ssl usually also holds openssl.cnf and the
    # certs/ and private/ subdirectories - confirm HAProxy starts cleanly
    # with this directory, or point 'crt' at a dedicated bundle directory.
    bind *:443 ssl crt /etc/ssl/
    # Never trust a client-supplied X-Forwarded-Proto: drop it, then set it
    # ourselves only for connections that really arrived over TLS.
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # ACME http-01 challenges go to the local standalone client
    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    use_backend letsencrypt_backend if letsencrypt-request

    default_backend RGWnodes
91
frontend http_redirect
    bind *:80
    # ACME http-01 challenges must be answered over plain HTTP on port 80;
    # everything else is sent to HTTPS with a permanent redirect.
    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    redirect scheme https code 301 if !letsencrypt-request

    # Hand the challenge to the standalone client started by the renewal script
    use_backend letsencrypt_backend if letsencrypt-request
102
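backend RGWnodes
    mode http
    balance roundrobin
    option forwardfor
    # HTTP/1.1 requires a Host header in the health-check request; the whole
    # request is written on one line with the CRLF escaped as \r\n.
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server rgw1 172.16.103.51:80 check
    server rgw2 172.16.103.52:80 check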
111
112#http-request set-header X-Forwarded-Port %[dst_port]
113#http-request add-header X-Forwarded-Proto https if { ssl_fc }
114
backend letsencrypt_backend
    mode http
    # The renewal script's standalone responder (--http-01-port 9999) only
    # listens while a certificate request is in flight; at any other time
    # there is nothing behind this backend and challenge requests will fail
    # (typically with a 503).
    server letsencrypt 127.0.0.1:9999
118
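listen stats
    # Stats are bound to loopback only, as the original comment intended
    # ("Listen on localhost port 9000"); the bare ':9000' form listened on
    # every interface. Reach it from the host itself or via an SSH tunnel.
    bind 127.0.0.1:9000
    mode http
    stats enable                    #Enable statistics
    stats hide-version              #Hide HAProxy version
    stats realm Haproxy\ Statistics #Text shown in the authentication popup (space escaped with backslash)
    stats uri /haproxy_stats        #The URI of the stats page, i.e. localhost:9000/haproxy_stats
    # Placeholder credential - replace before deploying. The original file
    # shipped with the literal 'admin:password'.
    stats auth admin:CHANGE_ME_BEFORE_DEPLOY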