Renewing a Let's Encrypt certificate for use in HAProxy

Here is a script I've put together from a few different sources that renews the specified LE certificates, copies them to the HAProxy SSL directory, copies them to the second HAProxy server and reloads HAProxy on both nodes.

Just call it like this: `bash ~/renewLECert.sh domain1.com domain2.com`

This will create two separate certificates, which is useful if you don't want the other domains to appear as Subject Alternative Names on a single SSL certificate.

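#!/usr/bin/env bash
#
# renewLECert.sh - request/renew one Let's Encrypt certificate per domain,
# bundle fullchain + private key for HAProxy, reload the local HAProxy and
# push the bundles to the second load balancer.
#
# Usage: renewLECert.sh domain1.com [domain2.com ...]
#
# Each domain gets its own certificate (no shared SANs). HAProxy wants the
# chain and the private key concatenated in one PEM, so every bundle written
# to the SSL directory contains private key material and is kept root-only.
# Any failure aborts before the reload/copy step, so the previously
# installed certificates keep serving.
set -euo pipefail

# Path to the letsencrypt-auto tool
readonly LE_TOOL=/usr/local/letsencrypt/letsencrypt-auto

# Directory where the acme client puts the generated certs
readonly LE_OUTPUT=/etc/letsencrypt/live

# Directory HAProxy loads its bundles from (bind ... ssl crt /etc/ssl/)
readonly SSL_DIR=/etc/ssl

# Second HAProxy node that receives a copy of every bundle (override via env)
readonly PEER_HOST=${PEER_HOST:-172.16.103.62}

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s domain [domain ...]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Request or renew the certificate for a single domain.
# Globals:   LE_TOOL (read)
# Arguments: $1 - domain name
# Returns:   exit status of the ACME client
#######################################
request_cert() {
  local domain=$1
  printf 'Requesting new certificate for %s\n' "$domain"
  # --renew-by-default forces issuance even when the current certificate is
  # still valid. The standalone HTTP-01 listener on 9999 is reached through
  # HAProxy's letsencrypt_backend, so ports 80/443 stay with HAProxy.
  "$LE_TOOL" --agree-tos --renew-by-default --standalone \
    --standalone-supported-challenges http-01 --http-01-port 9999 \
    certonly -d "$domain"
}

#######################################
# Concatenate fullchain + private key into the HAProxy bundle for a domain.
# The bundle is written to a 0600 temp file in the target directory and then
# renamed, so HAProxy never reads a half-written file and the private key is
# never world-readable (the previous 'cat > file' left it at the umask, 0644).
# Globals:   LE_OUTPUT, SSL_DIR (read)
# Arguments: $1 - domain name
#######################################
install_bundle() {
  local domain=$1
  local src="$LE_OUTPUT/$domain"
  local dest="$SSL_DIR/$domain.pem"
  local tmp

  [[ -r "$src/fullchain.pem" && -r "$src/privkey.pem" ]] \
    || die "certificate files for $domain not found under $src"

  # mktemp creates the file 0600; mv keeps that mode on the final bundle.
  tmp=$(mktemp "$SSL_DIR/.$domain.pem.XXXXXX") || die "mktemp failed"
  if ! cat -- "$src/fullchain.pem" "$src/privkey.pem" > "$tmp"; then
    rm -f -- "$tmp"
    die "failed to build bundle for $domain"
  fi
  mv -f -- "$tmp" "$dest"
}

#######################################
# Reload the local haproxy daemon to activate the new bundles.
#######################################
reload_local() {
  systemctl reload haproxy
}

#######################################
# Copy every bundle to the peer node and reload HAProxy there too.
# Globals:   SSL_DIR, PEER_HOST (read)
#######################################
sync_peer() {
  # -p preserves the 0600 mode so the private keys stay root-only remotely.
  scp -p -- "$SSL_DIR"/*.pem "root@$PEER_HOST:$SSL_DIR/"
  ssh -C "root@$PEER_HOST" 'service haproxy reload'
}

main() {
  (( $# >= 1 )) || usage
  local domain
  for domain in "$@"; do
    request_cert "$domain"
    install_bundle "$domain"
  done
  reload_local
  sync_peer
}

main "$@"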

And the corresponding HAProxy config:

  1#---------------------------------------------------------------------
  2# Example configuration for a possible web application. See the
  3# full configuration options online.
  4#
  5# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
  6#
  7#---------------------------------------------------------------------
  8
  9#---------------------------------------------------------------------
 10# Global settings
 11#---------------------------------------------------------------------
 12global
 13 # to have these messages end up in /var/log/haproxy.log you will
 14 # need to:
 15 #
 16 # 1) configure syslog to accept network log events. This is done
 17 # by adding the '-r' option to the SYSLOGD_OPTIONS in
 18 # /etc/sysconfig/syslog
 19 #
 20 # 2) configure local2 events to go to the /var/log/haproxy.log
 21 # file. A line like the following can be added to
 22 # /etc/sysconfig/syslog
 23 #
 24 # local2.* /var/log/haproxy.log
 25 #
 26 log 127.0.0.1 local2
 27
 28chroot /var/lib/haproxy
 29 pidfile /var/run/haproxy.pid
 30 maxconn 4000
 31 user haproxy
 32 group haproxy
 33 daemon
 34
 35# turn on stats unix socket
 36 stats socket /var/lib/haproxy/stats
 37
 38#---------------------------------------------------------------------
 39# common defaults that all the 'listen' and 'backend' sections will
 40# use if not designated in their block
 41#---------------------------------------------------------------------
 42defaults
 43 mode http
 44 log global
 45 option httplog
 46 option dontlognull
 47 option http-server-close
 48 option forwardfor except 127.0.0.0/8
 49 option redispatch
 50 retries 3
 51 timeout http-request 10s
 52 timeout queue 1m
 53 timeout connect 10s
 54 timeout client 1m
 55 timeout server 1m
 56 timeout http-keep-alive 10s
 57 timeout check 10s
 58 maxconn 3000
 59
 60#---------------------------------------------------------------------
 61# main frontend which proxys to the backends
 62#---------------------------------------------------------------------
 63#frontend main *:5000
 64# acl url_static path_beg -i /static /images /javascript /stylesheets
 65# acl url_static path_end -i .jpg .gif .png .css .js
 66#
 67# use_backend static if url_static
 68# default_backend app
 69
 70#---------------------------------------------------------------------
 71# static backend for serving up images, stylesheets and such
 72#---------------------------------------------------------------------
 73#backend static
 74# balance roundrobin
 75# server static 127.0.0.1:4331 check
 76
 77#---------------------------------------------------------------------
 78# round robin balancing between the various backends
 79
 80frontend ssl_redirector
 81 bind *:443 ssl crt /etc/ssl/
 82 http-request del-header X-Forwarded-Proto
 83 http-request set-header X-Forwarded-Proto https if { ssl_fc }
 84
 85# Check if this is a letsencrypt request based on URI
 86 acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
 87 # Send to letsencrypt-backend if it is a letsencrypt-request
 88 use_backend letsencrypt_backend if letsencrypt-request
 89
 90default_backend RGWnodes
 91
 92frontend http_redirect
 93 bind *:80
 94 # Redirect to HTTPS if this is not a letsencrypt-request
 95 acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
 96 redirect scheme https code 301 if !letsencrypt-request
 97
 98# Check if this is a letsencrypt request based on URI
 99 #acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
100 # Send to letsencrypt-backend if it is a letsencrypt-request
101 use_backend letsencrypt_backend if letsencrypt-request
102
103backend RGWnodes
104 mode http
105 balance roundrobin
106 option forwardfor
107 option httpchk HEAD / HTTP/1.1\\r\
108Host:localhost
109 server rgw1 172.16.103.51:80 check
110 server rgw2 172.16.103.52:80 check
111
112#http-request set-header X-Forwarded-Port %[dst_port]
113#http-request add-header X-Forwarded-Proto https if { ssl_fc }
114
115backend letsencrypt_backend
116 mode http
117 server letsencrypt 127.0.0.1:9999
118
119listen stats :9000 #Listen on localhost port 9000
120 mode http
121 stats enable #Enable statistics
122 stats hide-version #Hide HAProxy version, a necessity for any public-facing site
123 stats realm Haproxy\\ Statistics #Show this text in authentication popup (escape space characters with backslash)
124 stats uri /haproxy_stats #The URI of the stats page, in this case localhost:9000/haproxy_stats
125 stats auth admin:password #Set a username and password