Haproxy Lets Encrypt Certificates

19/10/2023

https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04

Certificate Files

After obtaining the cert, you will have the following PEM-encoded files:

cert.pem: Your domain’s certificate
chain.pem: The Let’s Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: Your certificate’s private key

It’s important that you are aware of the location of the certificate files that were just created, so you can use them in your web server configuration. The files themselves are placed in a subdirectory in /etc/letsencrypt/archive. However, Certbot creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory.

You can check that the files exist by running this command (substituting in your domain name):

sudo ls /etc/letsencrypt/live/your_domain_name

The output should be the four previously mentioned certificate files.

Combine fullchain.pem and privkey.pem

When configuring HAProxy to perform SSL termination, so it will encrypt traffic between itself and the end user, you must combine fullchain.pem and privkey.pem into a single file.

First, create the directory where the combined file will be placed, /etc/haproxy/certs:

sudo mkdir -p /etc/haproxy/certs

Next, create the combined file with this cat command (substitute the highlighted example.com with your domain name):

DOMAIN=‘example.com‘ sudo -E bash -c ‘cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem’

Secure access to the combined file, which contains the private key, with this command:

sudo chmod -R go-rwx /etc/haproxy/certs

Now we’re ready to use the SSL cert and private key with HAProxy.