
I am trying to set up SSL on HAProxy using certbot with Let's Encrypt. I am creating the SSL certificate with this command:

    sudo certbot certonly --standalone -d test.example.com \
        --non-interactive --agree-tos --email [email protected] \
        --http-01-port=8888

It creates a new certificate; there is no problem with that. But if I want to renew the certificate, the renewal fails. When I run `sudo certbot renew --dry-run`, it gives this error:

    Processing /etc/letsencrypt/renewal/test.example.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert not due for renewal, but simulating renewal for dry run
    Plugins selected: Authenticator standalone, Installer None
    Simulating renewal of an existing certificate for test.example.com
    Performing the following challenges:
    http-01 challenge for test.example.com
    Cleaning up challenges
    Failed to renew certificate test.example.com with error: Problem binding to port 8888: Could not bind to IPv4 or IPv6.

I am using this source: https://serversforhackers.com/c/letsencrypt-with-haproxy

I am creating my HAProxy (HA-Proxy version 2.2.9-2+deb11u6) config like this:

    frontend fe-example
        bind *:4433 ssl crt /etc/haproxy/certs/test.example.com/test.example.com.pem
        # New line to test URI to see if its a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend be-example

    # LE Backend
    backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8888

    # Normal (default) Backend
    # for web app servers
    backend be-example
        # Config omitted here

But this config does not work for me.

My first question is: what is wrong in this HAProxy config? My second question is: is this method of obtaining an SSL certificate correct?

  • Define "can't do it" and "config not working". Commented Apr 24, 2024 at 13:21
  • @AlexD When I restart the HAProxy, it gives error. Commented Apr 24, 2024 at 13:22
  • You need to describe exactly what kind of errors you are getting. Commented Apr 24, 2024 at 13:23
  • @AlexD Ah yes. Thank you for your notice. Commented Apr 24, 2024 at 13:25

2 Answers

The error message `Problem binding to port 8888: Could not bind to IPv4 or IPv6.` indicates that some application is already listening on port 8888. Check the output of `sudo ss -plnt | grep 8888` to find out which one.

  • Thank you. There was a docker container using the port. But now it gives this error: `Failed to renew certificate test.example.com with error: Some challenges have failed.` Could this be related to the 4433 port in the frontend fe-example? Commented Apr 24, 2024 at 14:36

Update

After checking the ports and making sure the port is not in use, I solved this issue with this config:
  • You should use port 80, because the ACME HTTP challenge uses this port. So our config looks like this:

    frontend fe-example
        bind *:80
        bind *:4433 ssl crt /etc/haproxy/certs/test.example.com/test.example.com.pem
        # New line to test URI to see if its a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        default_backend be-example

    # LE Backend
    backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8888

    # Normal (default) Backend
    # for web app servers
    backend be-example
        # Config omitted here

and then certbot renewals work nicely.

Thank you for your help.
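The two things that went wrong in this thread (port 8888 already taken, and HAProxy not listening on port 80 for the HTTP-01 path) can both be checked before running `certbot renew`. The script below is an added example, not code from the question, the answers or the linked guide; it assumes the same layout as above (certbot standalone on 127.0.0.1:8888, HAProxy routing `/.well-known/acme-challenge/` from port 80 to that backend) and a hostname you pass in.

```python
"""Pre-renewal checks for the certbot --standalone + HAProxy setup above."""
import secrets
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"  # path matched by the HAProxy ACL


def http01_port_status(port):
    """Mirror certbot --standalone's bind attempt on IPv4 and IPv6 separately.

    Returns {"ipv4": bool, "ipv6": bool}. Certbot only fails when both are
    False, which is the "Could not bind to IPv4 or IPv6" error in the question.
    """
    status = {}
    for family, addr, name in ((socket.AF_INET, "0.0.0.0", "ipv4"),
                               (socket.AF_INET6, "::", "ipv6")):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                if family == socket.AF_INET6:  # probe v6 on its own, not dual-stack
                    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
                s.bind((addr, port))
                status[name] = True
        except OSError:  # EADDRINUSE (e.g. the docker container), EAFNOSUPPORT, ...
            status[name] = False
    return status


def challenge_path_reaches_backend(domain, port=80, backend_port=8888):
    """Serve a random token on 127.0.0.1:backend_port, then fetch it via domain:port.

    True means a request for /.well-known/acme-challenge/<token> on the public
    port lands on the port certbot will listen on, i.e. the ACL + backend work.
    """
    token = secrets.token_urlsafe(16)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.path == ACME_PREFIX + token
            body = token.encode() if ok else b"not found"
            self.send_response(200 if ok else 404)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the check quiet
            pass

    srv = HTTPServer(("127.0.0.1", backend_port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://{domain}:{port}{ACME_PREFIX}{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode() == token
    except (OSError, ValueError):  # connection refused, timeout, bad response
        return False
    finally:
        srv.shutdown()
        srv.server_close()
```

Run `http01_port_status(8888)` before `certbot renew`, and `challenge_path_reaches_backend("test.example.com")` once HAProxy is up to confirm the port 80 frontend forwards the challenge path; both must succeed for the renewal in this thread to pass.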
