janeczku / haproxy-acme-validation-plugin

:four_leaf_clover: Zero-downtime ACME / Let's Encrypt certificate issuing for HAProxy
MIT License

Issue with the certbot validation on a two node Haproxy setup (shared filesystem) with IP loadbalancer in front #16

Closed itcrowdsource closed 6 years ago

itcrowdsource commented 6 years ago

I'm currently running a 2-node (chrooted) Haproxy cluster behind an IP load balancer. I was able to successfully validate certificates on one node without the IP load balancer. But now the request is redirected to one of the two Haproxy nodes randomly. Therefore I've created a shared filesystem between the 2 Haproxy nodes which is mounted to /var/lib/haproxy as .well-known. So on each server there is a shared folder /var/lib/haproxy/.well-known/ (permissions: user root:root 755).

If I trigger the certbot validation process it does create the respective keyfiles on the shared file system in the folder /var/lib/haproxy/.well-known/acme-challenge/

But somehow the Haproxy nodes aren't picking up the requests and the validation fails. A trail of the Haproxy log:

Oct 20 15:18:36 haproxy1 haproxy[396]: 10.108.48.215:11621 [20/Oct/2017:15:18:36.724] www-http-sites webx/ 0/-1/-1/-1/0 302 127 - - LR-- 0/0/0/0/3 0/0 "GET /wp-login.php HTTP/1.0"
Oct 20 15:19:06 haproxy1 haproxy[396]: 10.108.33.168:22165 [20/Oct/2017:15:19:06.473] www-http-sites webx/ 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU HTTP/1.1"
Oct 20 15:19:06 haproxy1 haproxy[396]: [acme] http-01 token not found: 2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU (client-ip: 10.108.33.251)
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[361]: haproxy-systemd-wrapper: exit, haproxy RC=0
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[530]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
Oct 20 15:19:06 haproxy1 haproxy[531]: [acme] http-01 plugin v0.1.1
Oct 20 15:19:06 haproxy1 haproxy-systemd-wrapper[530]: [info] 292/151906 (531) : [acme] http-01 plugin v0.1.1
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy www-http-sites started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy www-http-sites started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy https started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy https started.
Oct 20 15:19:06 haproxy1 haproxy[531]: Proxy webx started.
Oct 20 15:19:06 haproxy1 haproxy[396]: [acme] http-01 token not found: 2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU (client-ip: 10.108.33.251)
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.33.168:28968 [20/Oct/2017:15:19:07.020] www-http-sites webx/ 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/2oZ88XdUr9BGdhhNCsFFSDpAzokAOIMb3et6hPAh8bU HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:7949 [20/Oct/2017:15:19:07.023] www-http-sites webx/ 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:13721 [20/Oct/2017:15:19:07.042] www-http-sites webx/ 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:15886 [20/Oct/2017:15:19:07.048] www-http-sites webx/ 0/-1/-1/-1/0 302 193 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:12860 [20/Oct/2017:15:19:07.050] www-http-sites webx/ 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.33.168:28268 [20/Oct/2017:15:19:07.197] www-http-sites webx/ 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: 10.108.48.215:12750 [20/Oct/2017:15:19:07.248] www-http-sites webx/ 0/-1/-1/-1/0 302 197 - - LR-- 0/0/0/0/3 0/0 "GET /.well-known/acme-challenge/uSbmjoEqwSo0jBybVpFZBmUCibiJnMt21oHrJ3Icn3w HTTP/1.1"
Oct 20 15:19:07 haproxy1 haproxy[532]: [acme] http-01 token not found: gry6E4h4GDid-8XGkKkhVWxBYVZf0kOrWXnDkTrLZCY (client-ip: 10.108.33.251)

Does anyone have a suggestion on how to fix this? Or a good suggestion on how to set up the ACME lua plugin in a clustered Haproxy environment with an IP load balancer?

itcrowdsource commented 6 years ago

This problem has been solved. It wasn't related to the lua plugin but to using symbolic links to redirect the /.well-known/ folder to a shared folder. After changing the root of haproxy to a physical shared folder, the enrolment process started to work.
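The root cause described above (a symlink inside the chroot pointing at a shared folder outside it, which the host and certbot can follow but a chrooted HAProxy cannot) can be reproduced offline. The following is an added example, not code from this thread or from the plugin: it resolves a challenge path the way a chrooted process would, re-rooting absolute symlink targets at the chroot instead of the host `/`, and compares the symlink layout against a real directory at the same place. All paths, the token and the `resolve_in_chroot` helper are constructed for the demonstration.

```python
import os
import tempfile


def resolve_in_chroot(chroot, rel_path, max_links=40):
    """Resolve rel_path as a process chrooted to `chroot` would see it.

    Absolute symlink targets are re-rooted at `chroot`, never at the host
    root, which is exactly why a link to a shared mount outside the chroot
    dangles for the jailed process. Returns the host path the jailed
    process would actually open (it may not exist).
    """
    chroot = os.path.realpath(chroot)
    pending = [p for p in rel_path.split("/") if p]
    cur, links = chroot, 0
    while pending:
        nxt = os.path.join(cur, pending.pop(0))
        if os.path.islink(nxt):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(nxt)
            if target.startswith("/"):      # absolute target: re-root at the chroot
                cur = chroot
            pending = [p for p in target.split("/") if p] + pending
            continue
        cur = nxt
    return cur


def demo():
    """Constructed layout mirroring the issue: chroot at var/lib/haproxy,
    shared filesystem at mnt/shared outside it. Returns (host sees token,
    jailed process sees token via symlink, jailed process sees token via
    real directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        chroot = os.path.join(tmp, "var", "lib", "haproxy")
        shared = os.path.join(tmp, "mnt", "shared", ".well-known")
        token = "constructed-token"                      # not a real ACME token
        rel = ".well-known/acme-challenge/" + token
        os.makedirs(chroot)
        os.makedirs(os.path.join(shared, "acme-challenge"))
        with open(os.path.join(shared, "acme-challenge", token), "w") as f:
            f.write("keyauth")
        # Layout 1: /var/lib/haproxy/.well-known -> /mnt/shared/.well-known (symlink)
        os.symlink(shared, os.path.join(chroot, ".well-known"))
        host_ok = os.path.isfile(os.path.join(chroot, rel))      # certbot's view
        jail_ok = os.path.isfile(resolve_in_chroot(chroot, rel))  # haproxy's view
        os.unlink(os.path.join(chroot, ".well-known"))
        # Layout 2: a real directory at the same place (stand-in for a mount)
        os.makedirs(os.path.join(chroot, ".well-known", "acme-challenge"))
        with open(os.path.join(chroot, rel), "w") as f:
            f.write("keyauth")
        jail_ok2 = os.path.isfile(resolve_in_chroot(chroot, rel))
        return host_ok, jail_ok, jail_ok2
```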