
Building a Node.js Web Server with HAProxy and Let’s Encrypt on Debian Stretch - JamesTheHacker
https://medium.com/@jamesjefferyuk/building-a-nodejs-web-server-with-haproxy-and-lets-encrypt-on-debian-stretch-2fbf16cfba3a
======
stephenr
So many issues in this, I have to assume the author is just copy pasting from
elsewhere.

I can't see how his setup as-is will ever work beyond the initial certificate
lifetime. It _is_ possible to have zero-downtime ACME issued certs with
haproxy, but this isn't it.

~~~
stephenr
Hmm so I can't edit any more, so here's a more detailed critique now that I
can type a bit easier:

- Certbot is available in the main repo for Stretch, and in Backports for
Jessie, including both cron-based and systemd timer-based auto-renewal jobs.
The file downloaded seems to be a shell script that installs stuff and.. who
knows what else, but it's not exactly clear from a quick glance what the
purpose of it is, as opposed to just `apt install certbot`.

- If you want to run the standalone ACME authenticator process on
non-standard (i.e. other than 80,443) ports, you need to _tell_ it that using
`--http-01-port` and/or `--tls-sni-01-port` options

- The setup _seems_ to be attempting to use the `http-01` challenge, but it's
doing that in a https front-end, which not only doesn't work (ACME doesn't
make http-01 challenges over https) it _can't_ work, because haproxy will
never listen on 443 in http mode without the initial certificate. You should
be directing requests to the standalone authenticator for the `http-01`
challenge from a regular http (port 80) front-end, and for the tls-sni-01
challenge from a tcp-mode front-end/listener on port 443.

- You _don't_ need to open up any firewall ports for the standalone
authenticator - the ACME requests will come through port 80 or 443.

- The process of joining certificates for HAProxy (and doing a soft reload)
should be handled as a certbot post-hook, otherwise the subsequent
automatically renewed certificates will never get merged into one file, and
HAProxy will never know about them.

There are numerous other wtf's (those environment variables. Making a `curl`
request instead of `ip addr show`, etc) but those are less "this won't work"
and more "huh?".

~~~
JamesTheHacker
I've addressed everything you've mentioned here. I would greatly appreciate it
if you could take a look and offer any constructive feedback.

Many thanks for your time and help.

~~~
detaro
- your HAProxy config expects certbot to listen at port 54321. You never
configure certbot to do that, so it won't do it, and renewal will not work.

- if renewal did work, the certs HAProxy is reading are never replaced.

Really, there are already good tutorials for HAProxy and certbot out there,
why muddy the water with another, broken attempt at one?

If you are setting this up in a test environment and are writing it up as you
go, I recommend having screen recording/shell logging so you can afterwards
check exactly what you did and write it down (at least that has helped me in
the past). If you don't, then you really should do a test run and verify what
you do works. Writing up something you did a while ago without replicating it
makes it really easy to miss crucial steps.
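Added example, not from the Medium article or from either commenter, showing the pieces both critiques above ask for in one place: certbot told which port its standalone authenticator listens on (`--http-01-port`), a plain-http port-80 front-end that forwards only the ACME challenge path to it, and a deploy hook that merges each renewed certificate into the single PEM HAProxy reads and soft-reloads HAProxy so renewed certs actually replace the old ones. The port 54321, the paths under `/etc/haproxy/certs`, the hook path, the front-end/backend names and `example.com` are all assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (assumptions: port 54321, /etc/haproxy/certs, hook path,
# front-end/backend names). Not the article's or the commenters' code.
#
# HAProxy side this hook assumes: the port-80 front-end hands only the ACME
# challenge path to the standalone authenticator and redirects everything
# else to https; the https front-end loads every .pem in one directory.
#
#   frontend http-in
#       bind *:80
#       acl is_acme path_beg /.well-known/acme-challenge/
#       use_backend acme if is_acme
#       http-request redirect scheme https unless is_acme
#   backend acme
#       server certbot 127.0.0.1:54321
#   frontend https-in
#       bind *:443 ssl crt /etc/haproxy/certs/
#       default_backend nodejs
#
# Initial issue and every renewal then arrive via port 80, so no extra
# firewall port is needed for the authenticator:
#
#   certbot certonly --standalone --http-01-port 54321 \
#       --deploy-hook /usr/local/sbin/haproxy-deploy-hook.sh -d example.com
#
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to the deploy hook; this script only acts when that variable is present.
set -eu

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"             # assumed cert dir
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}" # assumed config path

# merge_cert LINEAGE_DIR OUT_DIR
# Writes OUT_DIR/<lineage name>.pem as fullchain.pem followed by privkey.pem
# (the order HAProxy expects), root-only and renamed into place atomically,
# and prints the resulting path.
merge_cert() {
    lineage="$1"
    outdir="$2"
    out="$outdir/$(basename "$lineage").pem"
    mkdir -p "$outdir"
    # build under a restrictive umask, then rename so HAProxy never reads a
    # half-written file on reload
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out.tmp" )
    mv -f "$out.tmp" "$out"
    printf '%s\n' "$out"
}

# reload_haproxy CFG
# Parses the config first; a reload is attempted only if the check passes, so
# a malformed certificate file cannot take the running proxy down.
reload_haproxy() {
    haproxy -c -q -f "$1" || return 1
    systemctl reload haproxy
}

# Run the hook logic only when invoked by certbot (RENEWED_LINEAGE is set);
# sourcing or running the file by hand otherwise does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    merge_cert "$RENEWED_LINEAGE" "$CERT_DIR" >/dev/null
    reload_haproxy "$HAPROXY_CFG"
fi
```

Install it as the `--deploy-hook` on the first `certbot certonly` run; certbot remembers the hook in the renewal config, so the timer-driven `certbot renew` will call it after each successful renewal and HAProxy picks up the new PEM on the soft reload.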

