certbot & haproxy:
Official guide: https://certbot.eff.org/lets-encrypt/ubuntuother-haproxy
The webroot method is recommended: the existing services do not need to be restarted.
nginx serves the static files that the webroot plugin creates; the Let's Encrypt server fetches these hidden files through the domain name to confirm that you control that domain.
1. Install certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
2. Edit the haproxy.cfg configuration file
# only ACME challenge requests for this host are routed to the nginx webroot backend;
# everything else keeps its existing backend
acl test_search hdr_reg(host) -i ^(testsearch.jiqid.com)
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend http-search_ssl if test_search letsencrypt-acl
backend http-search_ssl
balance roundrobin
server yz-be-1_8994 yz-be-1:8994 check port 8994 inter 1500 rise 3 fall 3 maxconn 10 weight 100
3. Edit the nginx.conf configuration file
# nginx listens on the backend port used above and serves the challenge files from the webroot
server {
listen 8994;
server_name letsencrypt.requests;
root /var/www/live;
}
4. Verify that the domain path is reachable
http://testsearch.jiqid.com/.well-known/acme-challenge
5. Generate the certificate
sudo mkdir /var/www/live
sudo certbot-auto certonly --webroot -w /var/www/live -d testsearch.jiqid.com --agree-tos --email guhua@jiqid.com
Output:
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for testsearch.jiqid.com
Using the webroot path /var/www/live for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/testsearch.jiqid.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/testsearch.jiqid.com/privkey.pem
Your cert will expire on 2019-11-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note: Certbot creates symbolic links in /etc/letsencrypt/live/your_domain_name that point to the newest certificate files.
6. Add the certificate:
1. Create the certs directory under the haproxy directory: sudo mkdir -p /etc/haproxy/certs
2. Concatenate fullchain.pem and privkey.pem: DOMAIN='testsearch.jiqid.com' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
3. Restrict access to the combined file, since it contains the private key: sudo chmod -R go-rwx /etc/haproxy/certs
7. Edit the haproxy configuration
frontend www-http
bind haproxy_www_public_IP:80
# reqadd was removed in HAProxy 2.1; on newer versions use
# "http-request add-header X-Forwarded-Proto http" instead
reqadd X-Forwarded-Proto:\ http
default_backend www-backend
frontend www-https
# one crt entry per combined PEM built in step 6
bind *:443 ssl crt /etc/haproxy/certs/testsearch.jiqid.com.pem crt /etc/haproxy/certs/test1search.jiqid.com.pem
reqadd X-Forwarded-Proto:\ https
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
default_backend www-backend
backend www-backend
# plain HTTP traffic is redirected to HTTPS; the challenge path is routed above before this applies
redirect scheme https if !{ ssl_fc }
server www-1 www_1_private_IP:80 check
server www-2 www_2_private_IP:80 check
backend letsencrypt-backend
server letsencrypt yz-be-1:8994
Reference: https://blog.youkuaiyun.com/tianjiewang/article/details/79627941