I'm trying to get the letsencrypt auto renewal working with haproxy.
I've followed these instructions: https://www.digitalocean.com/community/tutorials/how-to-secure-haproxy-with-let-s-encrypt-on-ubuntu-14-04
I get the error:
Attempting to renew cert (api.example.com.nz) from /etc/letsencrypt/renewal/api.example.com.conf produced an unexpected error: Problem binding to port 54321: Could not bind to IPv4 or IPv6.. Skipping.
Here is my haproxy:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2048
    tune.ssl.default-dh-param 2048
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-yourweb-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:EC$
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor
    option http-server-close

frontend localhost
    bind *:80
    mode http
    reqadd X-Forwarded-Proto:\ http
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    use_backend web1 if { hdr(host) -i example.com }
    use_backend web2 if { hdr(host) -i api.example.com }
    use_backend web1 if { hdr(host) -i www.example.com }

frontend app_ssl
    bind *:443 ssl crt /etc/haproxy/certs/api.example.com.pem
    reqadd X-Forwarded-Proto:\ https
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend web2

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
Can anyone tell me why it's not getting to the backend?
This is configured on a jump-box; could that have something to do with it?
EDIT
LISTEN 0 128 127.0.0.1:3006 *:* users:(("ssh",pid=7608,fd=5))
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:9081 *:*
LISTEN 0 128 *:9082 *:*
LISTEN 0 128 *:9083 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 ::1:3006 :::* users:(("ssh",pid=7608,fd=4))
LISTEN 0 128 :::80 :::*
LISTEN 0 5 :::54321 :::*
LISTEN 0 128 :::22 :::*
Certbot is listening on that port:
ubuntu@jump-box:~$ sudo lsof -i :54321
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
certbot 3077 root 8u IPv6 301513579 0t0 TCP *:54321 (LISTEN)
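As an added example that is not part of the original question: the "Could not bind to IPv4 or IPv6" error means something already holds the port certbot's standalone authenticator wants, so a pre-flight check against the same `ss -ltn` listing shown above can refuse to start a renewal while the port is bound. The `listening_on` and `check_port_free_for_certbot` function names and the sample listing are my own constructions; the matching handles `*:PORT`, `:::PORT`, `[::]:PORT` and `127.0.0.1:PORT` forms and does not confuse port 5432 with 54321.

```shell
#!/bin/sh
# Pre-flight check for a certbot standalone renewal (added example, not from the post).

# listening_on PORT LISTING
# Returns 0 (true) if any LISTEN line in LISTING binds PORT, else 1.
# LISTING is text in the shape of "ss -ltn" output:
#   LISTEN 0 5 :::54321 :::*
listening_on() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "LISTEN" {
            addr = $4                   # "Local Address:Port" column
            n = split(addr, parts, ":") # port is the last ":"-separated field,
            if (parts[n] == p) {        # so "*:80", ":::80" and "[::]:80" all work
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the shape of the ss output pasted in the question.
SAMPLE_LISTING='LISTEN 0 128 127.0.0.1:3006 *:* users:(("ssh",pid=7608,fd=5))
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 5 :::54321 :::*
LISTEN 0 128 :::22 :::*'

# check_port_free_for_certbot PORT
# Queries the live socket table and fails (return 1) when PORT is already
# bound, printing the lsof command from the question to identify the holder.
check_port_free_for_certbot() {
    port="$1"
    if listening_on "$port" "$(ss -ltn 2>/dev/null)"; then
        echo "port $port is already bound; inspect with: sudo lsof -i :$port" >&2
        return 1
    fi
    return 0
}
```

Run `check_port_free_for_certbot 54321 && sudo certbot renew --standalone --preferred-challenges http --http-01-port 54321` to gate the renewal on the port being free.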