Configure HaProxy
In order to request certificates you need to add letsencrypt backend exposed to port 8080 and have similar structure to the below section. Remember to configure the backend to your own server
#HA Proxy Config global ulimit-n 500000 maxconn 99999 maxpipes 99999 tune.maxaccept 500 log 127.0.0.1 local0 log 127.0.0.1 local1 notice ca-base /etc/ssl/certs crt-base /etc/ssl/private ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 defaults mode http timeout client 10s timeout connect 5s timeout server 10s timeout http-request 10s frontend http-in # Receive HTTP traffic on all IP addresses assigned to the server at port 80 bind *:80 option forwardfor http-request add-header "X-Forwarded-Proto" "http" acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/ redirect scheme https if !letsencrypt_http_acl { env(FORCE_HTTPS_REDIRECT) -m str true } use_backend letsencrypt_http if letsencrypt_http_acl default_backend webservers frontend https_in bind *:443 ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM option forwardfor http-request add-header "X-Forwarded-Proto" "https" default_backend webservers backend letsencrypt_http server letsencrypt_http_srv 127.0.0.1:8080 backend webservers balance leastconn option tcp-check option log-health-checks server mapserver 10.0.0.96:8999 check inter 5s http-request set-header X-Forwarded-Port %[dst_port]
the docker compose needs to expose the correct port. Moreover the VMs needs to have the required ports open!
Add a new SSL certificate
This will add a new cert using a certbot config that is compatible with the haproxy config template below. After creating the cert, you should run the refresh script referenced below to initialize haproxy to use it. After adding the cert and running the refresh script, no further action is needed.
# request certificate from let's encrypt docker exec haproxy-certbot certbot-certonly --domain YOUR_DOMAIN --email YOUREMAIL --dry-run # create/update haproxy formatted certs in certs.d and then restart haproxy docker exec haproxy-certbot haproxy-refresh
After testing the setup, remove --dry-run to generate a live certificate