janeczku / haproxy-acme-validation-plugin

:four_leaf_clover: Zero-downtime ACME / Let's Encrypt certificate issuing for HAProxy
MIT License

Two (or more) haproxy servers #14

Closed trompx closed 6 years ago

trompx commented 7 years ago

Hello @janeczku ,

My infra has 2 haproxy servers, and for each domain I want to apply SSL to, I set up the DNS with two A records pointing to the haproxy servers' IPs (with keepalived and auto DNS update if one load balancer goes down).

Could you advise on how to use your plugin with that setup?

I have one letsencrypt docker container that I can run on any haproxy server and that can either add or renew certificates. Should I:

Thanks in advance and for providing such a great plugin!

ryansch commented 6 years ago

@trompx I'm running multiple haproxy containers in production and using AWS EFS as a backing store for the webroot directory. This way it doesn't matter where I run the certbot container as all of the haproxy containers can see the challenge data.

itcrowdsource commented 6 years ago

Hi @ryansch, I have a similar setup (without Docker) with a shared filesystem for my haproxy servers. But unfortunately the Haproxy servers aren't serving the challenge keys properly. The keys are created on the shared filesystem, but somehow Haproxy can't find these keys. I mounted the shared filesystem as a folder under the root folder of each server (/sharedkey). After that I created a symlink named .well-know in /var/lib/haproxy that points to the /sharedkey folder.

I've also created an issue over here: https://github.com/janeczku/haproxy-acme-validation-plugin/issues/16 where you can see the Haproxy log. It seems that Haproxy doesn't recognize this folder properly. Not sure what's causing this. I've managed to enroll certificates without the shared filesystem previously, so it probably has something to do with that.

Could you explain how you configured your Haproxy environment?

trompx commented 6 years ago

Hey @ryansch, thanks for your feedback. I had so much to do that I did not implement SSL right away, but what you are suggesting just helps me not care whether the request is coming to one or the other load balancer. My problem was more how to share the certificates, once they have been generated, with all load balancers. Guess I will back them up to some cloud storage and then download them to all load balancers in a post-hook script.
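A post-hook of the kind described in this thread, written here as an added example and not the plugin's own code: it builds the chain-plus-key PEM that HAProxy loads and copies it to each load balancer over SSH. It assumes certbot's RENEWED_LINEAGE variable (set when certbot runs a --deploy-hook), placeholder peer hostnames, an assumed certificate directory, and that each node is reachable with scp/ssh.

```bash
#!/bin/sh
# Added example: a certbot --deploy-hook that assembles the HAProxy PEM
# bundle and pushes it to every load balancer. Hostnames and paths below
# are assumptions, not values from the plugin or the thread.
set -eu

LB_HOSTS="${LB_HOSTS:-lb1.example.internal lb2.example.internal}"  # placeholder peers
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"          # assumed crt dir

# HAProxy loads a single PEM: full certificate chain first, private key after.
# Usage: build_haproxy_pem <lineage_dir> <output_file>
build_haproxy_pem() {
    lineage="$1"
    out="$2"
    umask 077   # the bundle carries the private key; create it owner-only
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out"
    chmod 600 "$out"
}

# Copy the bundle to each peer, renaming into place only once the copy is
# complete so HAProxy never sees a half-written file, then soft-reload it.
# Usage: distribute_pem <bundle_file>
distribute_pem() {
    pem="$1"
    name=$(basename "$pem")
    for host in $LB_HOSTS; do
        scp -q "$pem" "$host:$HAPROXY_CERT_DIR/.$name.tmp"
        ssh "$host" "mv '$HAPROXY_CERT_DIR/.$name.tmp' '$HAPROXY_CERT_DIR/$name' && systemctl reload haproxy"
    done
}

# certbot exports RENEWED_LINEAGE only when invoking a deploy hook; when the
# script is sourced or run by hand without it, nothing is touched.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle="$HAPROXY_CERT_DIR/$(basename "$RENEWED_LINEAGE").pem"
    build_haproxy_pem "$RENEWED_LINEAGE" "$bundle"
    distribute_pem "$bundle"
fi
```

Whatever transport replaces scp here (the cloud bucket mentioned above, for instance), the bundle contains the private key, so the store and the download path need the same access restrictions as /etc/haproxy/certs itself.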