
docker-haproxy-certbot's Introduction

Dockerized HAProxy with Let's Encrypt automatic certificate renewal capabilities

This container provides an HAProxy instance with Let's Encrypt certificates generated at startup and renewed (when necessary) once a week by an internal cron job.

Usage

Pull from Github Packages ghcr.io:

docker pull ghcr.io/tomdess/docker-haproxy-certbot:master

Build from Dockerfile:

docker build -t docker-haproxy-certbot:latest .

Run container:

Example of run command (replace the CERT1 and EMAIL values and the volume paths with yours; CERT1 takes the common name followed by any alternate names, comma-separated, so quote it when it contains spaces)

docker run --name lb -d \
    -e "CERT1=my-common-name.domain, my-alternate-name.domain" \
    -e EMAIL=your-email \
    -e STAGING=false \
    -v /srv/letsencrypt:/etc/letsencrypt \
    -v /srv/haproxycfg/haproxy.cfg:/etc/haproxy/haproxy.cfg \
    --network my_network \
    -p 80:80 -p 443:443 \
    ghcr.io/tomdess/docker-haproxy-certbot:master

Run with docker-compose:

Use the docker-compose.yml file in the run directory (it creates three containers: the haproxy one, an nginx container referenced in the haproxy configuration for test purposes, and a sidecar rsyslog container)

$ cd run
$ mkdir data
$ cp ../conf/haproxy.cfg data/

# modify the CERT1 and EMAIL variables with your names/values:
version: '3'
services:
    haproxy:
        container_name: lb
        environment:
            - CERT1=www.your-mysite.com
            - EMAIL=your-email
            - STAGING=false
        volumes:
            - '$PWD/data/letsencrypt:/etc/letsencrypt'
            - '$PWD/data/haproxy.cfg:/etc/haproxy/haproxy.cfg'
        networks:
            - lbnet
        ports:
            - '80:80'
            - '443:443'
        image: 'ghcr.io/tomdess/docker-haproxy-certbot:master'
    nginx:
        container_name: www
        networks:
            - lbnet
        image: nginx
    rsyslog:
        container_name: rsyslog
        environment:
            - TZ=UTC
        volumes:
            - '$PWD/data/rsyslog/config:/config'
        networks:
            - lbnet
        ports:
            - '514:514'
        image: 'rsyslog/syslog_appliance_alpine'

networks:
  lbnet:

# start containers (creates the certificate)
$ docker-compose up -d

Customizing Haproxy

You will almost certainly want to create an image FROM this image or mount your own haproxy.cfg at /etc/haproxy/haproxy.cfg.

docker run [...] -v <override-conf-file>:/etc/haproxy/haproxy.cfg ghcr.io/tomdess/docker-haproxy-certbot:master

The host path must already exist as a regular file: if it does not, Docker creates an empty directory with that name and the container fails to start with "not a directory" (see the "Problem with mount" issue below).

The provided haproxy.cfg comes with a "resolvers docker" section so that backend host names are resolved at run time through Docker's DNS rather than once at startup (see https://github.com/gesellix/docker-haproxy-network)
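As an added illustration (not the haproxy.cfg shipped in this repository's conf/ directory), the fragment below shows how such a configuration fits together: a resolvers section pointing at Docker's embedded DNS, plain-HTTP handling that passes ACME http-01 challenges through and redirects everything else to HTTPS, and a TLS listener that loads every combined certificate-plus-key PEM found in a directory. The Docker DNS address 127.0.0.11, the certbot standalone listener on 127.0.0.1:8080 and the backend name www are assumptions made for the example.

```haproxy
# Added example haproxy.cfg fragment; not the file shipped with this image.
global
    # runtime API: level admin allows "set ssl cert"; mode 600 because anyone
    # who can write to this socket can replace the certificates being served
    stats socket /var/run/haproxy.sock mode 600 level admin
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # bound how long an old process may linger on open connections after a reload
    hard-stop-after 30s

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

resolvers docker
    # assumption: Docker's embedded DNS, available on user-defined networks
    nameserver dns1 127.0.0.11:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

frontend http-in
    bind *:80
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme if acme_challenge
    redirect scheme https code 301 unless acme_challenge

frontend https-in
    # every <name>.pem in the directory is loaded; each must hold chain + private key
    bind *:443 ssl crt /etc/haproxy/certs/
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend www

backend acme
    # assumption: certbot's standalone authenticator listening on this port during issuance
    server certbot 127.0.0.1:8080

backend www
    # resolved at run time through Docker DNS, so the container may start after HAProxy
    server www www:80 check resolvers docker init-addr last,libc,none
```

Validate a candidate file before mounting it with haproxy -c -f haproxy.cfg; the check resolves the same certificate paths, so an empty or missing /etc/haproxy/certs/ is reported here rather than at the first reload.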

Renewal cron job

Once a week a cron job checks for expiring certificates with the certbot agent and reloads haproxy if a certificate was renewed. No container restart is needed.
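The renewal procedure is short enough to show end to end. The script below is an added example written for this page, not the image's cert-renewal-haproxy.sh: it runs certbot renew with a deploy hook, rebuilds for every domain the single PEM that HAProxy's crt directive expects (full chain followed by the private key, mode 0600, written atomically) and reloads only when a file actually changed. Paths follow certbot's default live/ layout and a /etc/haproxy/certs/ directory; the reload command is left to an environment variable because the image's own reload mechanism is not documented on this page. It runs under set -u with explicit defaults for the variables it reads, since supervisord and cron do not forward the container's environment unless configured to, and an unset variable otherwise aborts the job halfway.

```shell
#!/bin/sh
# Added example for this page, not the image's own cert-renewal-haproxy.sh.
# Renews Let's Encrypt certificates with certbot, rebuilds the combined PEM
# files HAProxy's "crt" directive expects (full chain followed by the private
# key) and reloads HAProxy only when a file actually changed.
set -eu

# Assumptions: certbot's default live/ layout and a certs directory that
# haproxy.cfg references as "bind *:443 ssl crt /etc/haproxy/certs/".
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"
# Explicit default so "set -u" cannot abort the job when supervisord or cron
# does not forward the container environment.
LOGFILE="${LOGFILE:-/var/log/cert-renewal.log}"
# Assumption: how HAProxy is reloaded in your deployment, e.g. in master-worker
# mode 'kill -USR2 "$(cat /run/haproxy.pid)"'. Defaults to a no-op for dry runs.
HAPROXY_RELOAD_CMD="${HAPROXY_RELOAD_CMD:-true}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOGFILE"; }

# check_haproxy_pem <file>: true if the file carries both a certificate and a
# key; a file without the key is what HAProxy rejects as "No Private Key found".
check_haproxy_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- 'PRIVATE KEY-----' "$1"
}

# build_haproxy_pem <live/name dir> <out dir>
# Writes <out dir>/<name>.pem with mode 0600. Exit status: 0 = written/changed
# (reload needed), 1 = identical to what is already installed, 2 = inputs missing.
build_haproxy_pem() {
    src="$1"; out_dir="$2"
    name="$(basename "$src")"
    out="$out_dir/$name.pem"
    tmp="$out.tmp.$$"
    if ! [ -r "$src/fullchain.pem" ] || ! [ -r "$src/privkey.pem" ]; then
        log "skipping $name: fullchain.pem or privkey.pem not readable"
        return 2
    fi
    mkdir -p "$out_dir"
    # Key material is owner-only from the first byte; the umask change is kept
    # in a subshell so the caller's umask is untouched.
    ( umask 077; cat "$src/fullchain.pem" "$src/privkey.pem" >"$tmp" )
    if [ -f "$out" ] && [ "$(cksum <"$tmp")" = "$(cksum <"$out")" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out"       # atomic replace: HAProxy never reads a half-written file
    chmod 600 "$out"
    return 0
}

# deploy_all: rebuild every domain's PEM and reload HAProxy once if anything changed.
deploy_all() {
    changed=0
    for src in "$LIVE_DIR"/*/; do
        [ -d "$src" ] || continue
        src="${src%/}"
        if build_haproxy_pem "$src" "$CERT_DIR"; then
            changed=1
            log "installed $(basename "$src").pem"
        fi
    done
    if [ "$changed" -eq 1 ]; then
        log "reloading HAProxy"
        sh -c "$HAPROXY_RELOAD_CMD"
    else
        log "no certificate changed; HAProxy left running as is"
    fi
    return 0
}

# certbot only renews certificates within 30 days of expiry and runs the deploy
# hook only for the ones it actually renewed, so a weekly cron entry such as
# "0 3 * * 0 /renew.sh renew" stays well inside the Let's Encrypt rate limits.
case "${1:-}" in
    renew)  certbot renew --non-interactive --deploy-hook "$0 deploy" ;;
    deploy) deploy_all ;;
    *)      ;;   # no argument: only define the functions (for sourcing and dry runs)
esac
```

Called as renew.sh renew from cron; certbot invokes renew.sh deploy only for certificates it actually renewed, so the schedule never touches the Let's Encrypt API for certificates that are not yet due. With no argument the script only defines its functions, which is what a dry run against a scratch directory (LIVE_DIR, CERT_DIR, LOGFILE and HAPROXY_RELOAD_CMD all overridden) relies on.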

Credits

Most of the ideas are taken from https://github.com/BradJonesLLC/docker-haproxy-letsencrypt

docker-haproxy-certbot's People

Contributors

dannytsang, eliknebel, hans00, siirko, tomdess


docker-haproxy-certbot's Issues

Haproxy is stopped

Hi!

My HAProxy is stopped after the certificate is renewed successfully. I think it comes from HAPROXY_SOFTSTOP_CMD

Could you please explain to me why you use stop instead of reloading the haproxy service?

Here is my Haproxy log:

Certificate will expire
222.253.252.180:62685 [01/Apr/2021:08:05:01.954] http~ dtms_backend/dtms_backend_1 0/0/0/13/13 304 369 - - ---- 26/4/1/1/0 0/0 "GET /api/monitorings/count HTTP/1.1"
222.253.252.180:62686 [01/Apr/2021:08:05:01.954] http~ dtms_backend/dtms_backend_1 0/0/0/17/17 200 909 - - ---- 26/4/0/0/0 0/0 "GET /api/monitorings HTTP/1.1"
[acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 34.209.232.166)
[info] 090/080505 (23) : [acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 34.209.232.166)
34.209.232.166:26506 [01/Apr/2021:08:05:05.994] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 28/6/0/0/0 0/0 "GET /.well-known/acme-challenge/7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMozHTTP/1.1"
[acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 18.196.96.172)
[info] 090/080505 (23) : [acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 18.196.96.172)
18.196.96.172:37404 [01/Apr/2021:08:05:05.994] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMozHTTP/1.1"
[acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 66.133.109.36)
[info] 090/080506 (23) : [acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 66.133.109.36)
66.133.109.36:45000 [01/Apr/2021:08:05:06.076] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMozHTTP/1.1"
[acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 34.211.6.84)
[info] 090/080506 (23) : [acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 34.211.6.84)
34.211.6.84:12578 [01/Apr/2021:08:05:06.279] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 HTTP/1.1"
[acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 66.133.109.36)
[info] 090/080506 (23) : [acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 66.133.109.36)
66.133.109.36:56408 [01/Apr/2021:08:05:06.323] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 HTTP/1.1"
[acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 52.28.236.88)
[info] 090/080506 (23) : [acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 52.28.236.88)
52.28.236.88:28278 [01/Apr/2021:08:05:06.447] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 HTTP/1.1"
[acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 3.128.26.105)
[info] 090/080506 (23) : [acme] served http-01 token: yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 (client-ip: 3.128.26.105)
3.128.26.105:45458 [01/Apr/2021:08:05:06.486] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/yN7ktRVW65_K-8xEB0im3r8o4UE5_mLnI2x6F_KoYf4 HTTP/1.1"
[acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 18.196.96.172)
[info] 090/080506 (23) : [acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 18.196.96.172)
18.196.96.172:37850 [01/Apr/2021:08:05:06.592] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz HTTP/1.1"
[acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 34.209.232.166)
[info] 090/080506 (23) : [acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 34.209.232.166)
34.209.232.166:26930 [01/Apr/2021:08:05:06.601] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz HTTP/1.1"
[acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 66.133.109.36)
[info] 090/080506 (23) : [acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 66.133.109.36)
66.133.109.36:56534 [01/Apr/2021:08:05:06.681] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz HTTP/1.1"
[acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 3.22.70.135)
[info] 090/080506 (23) : [acme] served http-01 token: 7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMoz(client-ip: 3.22.70.135)
3.22.70.135:15544 [01/Apr/2021:08:05:06.692] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/7te96d5jqIJOufq9IOpp0vKZLU_QswlLVIRh52IlMozHTTP/1.1"
[acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 3.22.70.135)
[info] 090/080506 (23) : [acme] served http-01 token: XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz (client-ip: 3.22.70.135)
3.22.70.135:15562 [01/Apr/2021:08:05:06.716] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/XmfolMKebFVGxjhdkrcxrp9CWPM4dlQVR2dgfNztAzz HTTP/1.1"
[acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 34.211.6.84)
[info] 090/080506 (23) : [acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 34.211.6.84)
34.211.6.84:12948 [01/Apr/2021:08:05:06.778] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 HTTP/1.1"
[acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 52.28.236.88)
[info] 090/080506 (23) : [acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 52.28.236.88)
52.28.236.88:28602 [01/Apr/2021:08:05:06.884] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 HTTP/1.1"
[acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 66.133.109.36)
[info] 090/080506 (23) : [acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 66.133.109.36)
66.133.109.36:56636 [01/Apr/2021:08:05:06.906] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 HTTP/1.1"
[acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 3.128.26.105)
[info] 090/080506 (23) : [acme] served http-01 token: LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 (client-ip: 3.128.26.105)
3.128.26.105:45828 [01/Apr/2021:08:05:06.931] http http/<lua.acme-http01> 0/0/0/0/0 200 204 - - LR-- 27/5/0/0/0 0/0 "GET /.well-known/acme-challenge/LKWoMaFM2AYNVRK5fA_Zx0ZuuG-NEot6EdJe4ACNHb9 HTTP/1.1"
51.89.45.112:52999 [01/Apr/2021:08:05:09.094] http http/<NOSRV> 0/-1/-1/-1/0 301 100 - - LR-- 27/5/0/0/0 0/0 "GET / HTTP/1.1"
51.89.45.112:53178 [01/Apr/2021:08:05:09.728] http/2: SSL handshake failure
51.89.45.112:53307 [01/Apr/2021:08:05:10.075] http/2: SSL handshake failure
51.89.45.112:53413 [01/Apr/2021:08:05:10.582] http/2: SSL handshake failure
222.253.252.180:62685 [01/Apr/2021:08:05:10.867] http~ dtms_backend/dtms_backend_1 0/0/0/9/9 304 369 - - ---- 26/4/1/1/0 0/0 "GET /api/notifications HTTP/1.1"
222.253.252.180:62686 [01/Apr/2021:08:05:10.867] http~ dtms_backend/dtms_backend_1 0/0/0/9/9 304 369 - - ---- 26/4/0/0/0 0/0 "GET /api/notifications/count HTTP/1.1"
222.253.252.180:62686 [01/Apr/2021:08:05:11.965] http~ dtms_backend/dtms_backend_1 0/0/0/13/13 304 369 - - ---- 26/4/1/1/0 0/0 "GET /api/monitorings/count HTTP/1.1"
222.253.252.180:62685 [01/Apr/2021:08:05:11.965] http~ dtms_backend/dtms_backend_1 0/0/0/17/17 200 909 - - ---- 26/4/0/0/0 0/0 "GET /api/monitorings HTTP/1.1"
[info] renewed certificate for dtms-backend.mydomain.com
[WARNING] 090/080512 (23) : Stopping frontend http in 0 ms.
Stopping frontend http in 0 ms.
[WARNING] 090/080512 (23) : Stopping backend dtms_backend in 0 ms.
Stopping backend dtms_backend in 0 ms.
[WARNING] 090/080512 (23) : Stopping backend dtms_frontend in 0 ms.
Stopping backend dtms_frontend in 0 ms.
[WARNING] 090/080512 (23) : Stopping backend dtms_admin_backend in 0 ms.
Stopping backend dtms_admin_backend in 0 ms.
[WARNING] 090/080512 (23) : Stopping backend dtms_admin_frontend in 0 ms.
Stopping backend dtms_admin_frontend in 0 ms.
[WARNING] 090/080512 (23) : Stopping proxy mqtt_tcp in 0 ms.
Stopping proxy mqtt_tcp in 0 ms.
[WARNING] 090/080512 (23) : Stopping proxy mqtt_tls in 0 ms.
Stopping proxy mqtt_tls in 0 ms.
[WARNING] 090/080512 (23) : Proxy http stopped (cumulated conns: FE: 136730, BE: 9057).
Proxy http stopped (cumulated conns: FE: 136730, BE: 9057).
[WARNING] 090/080512 (23) : Proxy dtms_backend stopped (cumulated conns: FE: 0, BE: 1398695).
Proxy dtms_backend stopped (cumulated conns: FE: 0, BE: 1398695).
[WARNING] 090/080512 (23) : Proxy dtms_frontend stopped (cumulated conns: FE: 0, BE: 11040).
Proxy dtms_frontend stopped (cumulated conns: FE: 0, BE: 11040).
[WARNING] 090/080512 (23) : Proxy dtms_admin_backend stopped (cumulated conns: FE: 0, BE: 25144).
Proxy dtms_admin_backend stopped (cumulated conns: FE: 0, BE: 25144).
[WARNING] 090/080512 (23) : Proxy dtms_admin_frontend stopped (cumulated conns: FE: 0, BE: 3274).
Proxy dtms_admin_frontend stopped (cumulated conns: FE: 0, BE: 3274).
[WARNING] 090/080512 (23) : Proxy mqtt_tcp stopped (cumulated conns: FE: 493490, BE: 493490).
Proxy mqtt_tcp stopped (cumulated conns: FE: 493490, BE: 493490).
[WARNING] 090/080512 (23) : Proxy mqtt_tls stopped (cumulated conns: FE: 764, BE: 764).
Proxy mqtt_tls stopped (cumulated conns: FE: 764, BE: 764).
haproxy: signalled
222.253.252.180:63471 [01/Apr/2021:08:05:14.887] http~ dtms_backend/dtms_backend_1 0/0/0/8/8 304 369 - - ---- 27/4/0/0/0 0/0 "GET /api/notifications/count HTTP/1.1"
222.253.252.180:63278 [01/Apr/2021:08:05:14.903] http~ dtms_backend/dtms_backend_1 0/0/0/4/4 304 369 - - ---- 26/3/0/0/0 0/0 "GET /api/notifications HTTP/1.1"
222.253.252.180:62685 [01/Apr/2021:08:05:21.954] http~ dtms_backend/dtms_backend_1 0/0/0/13/13 304 369 - - ---- 24/2/1/1/0 0/0 "GET /api/monitorings/count HTTP/1.1"
222.253.252.180:62686 [01/Apr/2021:08:05:21.954] http~ dtms_backend/dtms_backend_1 0/0/0/16/16 304 371 - - ---- 23/1/0/0/0 0/0 "GET /api/monitorings HTTP/1.1"
171.253.191.82:28818 [01/Apr/2021:07:49:05.567] mqtt_tcp mqtt_tcp/mqtt_tcp_1 1/0/1080398 254754 cD 7/7/6/6/0 0/0
171.253.46.146:45625 [01/Apr/2021:07:50:51.565] mqtt_tcp mqtt_tcp/mqtt_tcp_1 1/0/978220 254171 cD 6/6/5/5/0 0/0
171.253.136.18:60960 [01/Apr/2021:08:02:00.812] mqtt_tcp mqtt_tcp/mqtt_tcp_1 1/0/945060 253943 cD 5/5/4/4/0 0/0

Thanks,

Problem with mount

When running the following suggested command with my CERT domain

docker run --name inethi-haproxyssl -d \
    -e CERTS=inethidev.net \
    -e EMAIL=[email protected] \
    -v /srv/letsencrypt:/etc/letsencrypt \
    -v /srv/haproxycfg/haproxy.cfg:/etc/haproxy/haproxy.cfg \
    --network inethi-bridge \
    -p 80:80 -p 443:443 \
    tomdess/haproxy-certbot:latest

I get the following error

docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused "rootfs_linux.go:58: mounting \"/srv/haproxycfg/haproxy.cfg\" to rootfs \"/var/lib/docker/overlay2/5a375659d70bc6c60811936fd8ecd0ed7f78f042d2369d0b049b1e4a5ddceafa/merged\" at \"/var/lib/docker/overlay2/5a375659d70bc6c60811936fd8ecd0ed7f78f042d2369d0b049b1e4a5ddceafa/merged/etc/haproxy/haproxy.cfg\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.

Do I need to change something in my mount ... I noticed it created a path /srv/haproxycfg/haproxy.cfg/ where haproxy.cfg was a directory not a file

HAProxy 2.2

Any chance this gets updated to HAProxy 2.2?

I'd really like to use the new native response generator feature of 2.2

Add ability to create many certificates

Hello!
Could you maybe add the ability to create separate certificates?
This is necessary so that users do not see other domains located at the same IP address.
Thank you!

How to fix this warning?

Thanks for the great library. I am getting the following warning. Is this fine? How do I fix it?

2023-02-18 05:59:11,460 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2023-02-18 05:59:11,463 CRIT Server 'inet_http_server' running without any HTTP authentication checking
[info] 048/055912 (22) : [acme] http-01 plugin v0.1.1

Use existing certificates?

Let's Encrypt will respond with an error if there are too many tries. And it seems that inside certs.sh it always attempts a cert renewal on launch.

ERROR in cert-renewal script

error in cron job /cert-renewal-haproxy.sh that prevents the certificate renewal

# docker-compose logs -t | fgrep -v 'HTTP/1.1'
Attaching to www, lb
lb         | 2020-04-28T13:27:04.203755280Z Saving debug log to /var/log/letsencrypt/letsencrypt.log
lb         | 2020-04-28T13:27:04.338940859Z Plugins selected: Authenticator standalone, Installer None
lb         | 2020-04-28T13:27:05.045851002Z Cert not yet due for renewal
lb         | 2020-04-28T13:27:05.046132730Z Keeping the existing certificate
lb         | 2020-04-28T13:27:05.046490134Z 
lb         | 2020-04-28T13:27:05.046502554Z - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lb         | 2020-04-28T13:27:05.046510017Z Certificate not yet due for renewal; no action taken.
lb         | 2020-04-28T13:27:05.046515379Z - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lb         | 2020-04-28T13:27:05.317132164Z 2020-04-28 13:27:05,316 CRIT Supervisor running as root (no user in config file)
lb         | 2020-04-28T13:27:05.325452626Z 2020-04-28 13:27:05,325 CRIT Server 'inet_http_server' running without any HTTP authentication checking
lb         | 2020-04-28T13:27:06.342159924Z [info] 118/132706 (20) : [acme] http-01 plugin v0.1.1
lb         | 2020-04-30T08:05:01.993959982Z Certificate will not expire
lb         | 2020-04-30T08:05:01.994006469Z /cert-renewal-haproxy.sh: line 44: LOGFILE: unbound variable
lb         | 2020-05-07T08:05:01.214924721Z Certificate will not expire
lb         | 2020-05-07T08:05:01.215283306Z /cert-renewal-haproxy.sh: line 44: LOGFILE: unbound variable

I want to create SSL for each new domain

Hi,
I have a SaaS system in which users can define other domains. By pointing any domain, with SSL, at the SaaS server IP, it can reach the SaaS.
After much research I came to the conclusion that HAProxy can solve this problem. Can this package solve my problem?

Removed ACME?

Can you explain the removal of the acme file and recent changes?

I'm trying to understand how this will impact my setup, I'm worried my certs won't renew now.

I used to have (trimmed to minimize clutter):

global
  lua-load /etc/haproxy/acme-http01-webroot.lua

frontend http-https-in
  bind *:80
  bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
  mode http
  monitor-uri /health
  acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt_http if letsencrypt_http_acl

backend letsencrypt_http
  mode http
  server letsencrypt_http_srv 127.0.0.1:8080

However, after updating, that lua-load threw an error, so I commented it out. Do I not need it at all?

Cert renewal blocks HAProxy indefinitely with Websocket connections

Currently this container image is sending SIGUSR1 to HAProxy after renewing certificates to reload the config. This triggers a "soft-stop", which waits for all requests/connections to finish before restarting the server.

When proxying Websocket connections (which are usually open indefinitely), the soft-stop will never succeed, and at the same time HAProxy will not accept new connections anymore.

Possible solutions:

  1. Use a hard-reload instead of a soft-reload.
    This could be done by sending SIGTERM instead, but can also be done by setting hard-stop-after to a small value in the HAProxy config (e.g. hard-stop-after 1ms).
  2. Dynamically reload the SSL certs using the set ssl cert command (see blog post)
    This has the advantage that existing requests/connections are not affected, and SSL certs are reloaded on-the-fly, but it's more work and must be done in the renewal script.

This issue probably also affects HTTP proxies (but only slightly), in that the proxy will not accept any requests for a brief period while renewing certs (depending on how long the requests take to finish).
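The second option listed above can be shown concretely. The script below is an added example, not part of the issue or of the project: it pushes a renewed certificate into a running HAProxy through the runtime API (set ssl cert followed by commit ssl cert), so neither a soft-stop nor a reload is needed and long-lived WebSocket or MQTT connections stay up. It assumes HAProxy 2.1 or newer with an admin-level stats socket at /var/run/haproxy.sock, that the certificate was originally loaded from the path passed as the first argument, that socat is installed, and that HAProxy's success reply contains the words "Transaction created"; HAPROXY_CLI can be pointed at cat to inspect the exchange offline.

```shell
#!/bin/sh
# Added example (not the project's code): install a renewed certificate into a
# running HAProxy through its runtime API instead of signalling a soft-stop.
# Assumptions: HAProxy >= 2.1 with a global line such as
#   stats socket /var/run/haproxy.sock mode 600 level admin
# (level admin is required for "set ssl cert"; mode 600 because anyone who can
# write to the socket can replace your certificates), and socat installed.
# HAPROXY_CLI can be overridden with "cat" to see the exchange without a socket.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
HAPROXY_CLI="${HAPROXY_CLI:-socat stdio UNIX-CONNECT:$HAPROXY_SOCK}"

# hap_cmd <command>: one runtime-API command per connection (in non-interactive
# mode HAProxy's CLI closes the connection after the first command line).
hap_cmd() { printf '%s\n' "$1" | $HAPROXY_CLI; }

# hot_swap_cert <path HAProxy loaded the cert from> <new combined cert+key PEM>
# Exit status: 0 = committed, 1 = HAProxy rejected the payload, 2 = bad input file.
hot_swap_cert() {
    target="$1"; pem="$2"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || ! grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "refusing $pem: HAProxy expects certificate chain and private key in one file" >&2
        return 2
    fi
    # Step 1: stage the new content in a transaction. The payload follows "<<"
    # on the lines after the command and is terminated by an empty line (the
    # second newline is harmless when the PEM already ends with one).
    response="$({ printf 'set ssl cert %s <<\n' "$target"; cat "$pem"; printf '\n\n'; } | $HAPROXY_CLI)"
    case "$response" in
        *"Transaction created"*) ;;   # assumption: HAProxy's success wording
        "set ssl cert "*) ;;          # dry run: HAPROXY_CLI=cat echoes the command back
        *) echo "set ssl cert failed: $response" >&2
           hap_cmd "abort ssl cert $target" >/dev/null
           return 1 ;;
    esac
    printf '%s\n' "$response"
    # Step 2: atomically switch every bind line that uses this file to the new
    # certificate. Established sessions are untouched; new handshakes get it.
    hap_cmd "commit ssl cert $target"
}

# show_cert <path>: what HAProxy is serving right now (serial, notAfter, SANs).
show_cert() { hap_cmd "show ssl cert $1"; }
```

Whoever can write to that socket can replace every certificate HAProxy serves, so keep it at mode 600 and do not mount it into other containers; show_cert afterwards confirms the serial and notAfter of what is now being served. If you stay with signal-based reloads instead, a global hard-stop-after bounds how long the old process may linger on open connections.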

SSL Haproxy: fullchain.pem missing private key

Hi,

thanks for providing this image.
I'm currently struggling to get my renewed certificate to be utilized properly.
Certbot creates the following files for me:

privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).

And when I now try and get haproxy to utilize the fullchain.pem for my HTTPS traffic I get the following error:

'bind *:443' : No Private Key found in 'fullchain.pem' or 'fullchain.pem.key'.

Is there a designated way for this image to handle this concatenation or am I supposed to handle this (externally?) e.g.:

cat fullchain.pem privkey.pem > full.pem

And configure my haproxy to utilize the full.pem?

Much appreciated. Thanks!

Unable to stat SSL from file

Hi,

thanks again for your time.
I'm currently encountering the following issue with SSL certificates:

parsing [/etc/haproxy/haproxy.cfg:36] : 'bind *:443' : unable to stat SSL certificate from file '/etc/haproxy/certs/' : No such file or directory.

I have mounted /etc/letsencrypt and /etc/haproxy/haproxy.cfg as per your example. This is something that has recently appeared without any intended change from me. The insight I'm currently lacking is how the letsencrypt certs are transferred to the /etc/haproxy/certs folder within the container.

See also:
https://github.com/tomdess/docker-haproxy-certbot/blob/master/README.md?plain=1#L53
https://github.com/tomdess/docker-haproxy-certbot/blob/master/conf/haproxy.cfg#L45

Best
Tobi

Wildcard verification failing with CERTS with docker-compose

Very nice container, worked very well except I might have a problem with a wildcard domain.

*.domain.suffix in the CERTS variable in a docker-compose results in an error that certbot cannot perform the challenge (suggesting to use DNS, which I would not prefer at all)

If I remove the wildcard, everything goes fine. Could this be a 'special character' thing? I triple checked our DNS and wildcard is definitely pointing towards our server (although we do have another subdomain pointing to another server as well).

EMAIL variable is unbound in cert-renewal-haproxy script

It appears that when using supervisord, you must explicitly pass environment variables through the configuration. This leads to an issue on cert renewal where the EMAIL variable is accessed in cert-renewal-haproxy.sh but isn't set, crashing the script and failing to renew certs.

Upload to Dockerhub

Hey,

I really like your Docker Container. Could you also upload it to dockerhub?
I would do it myself, but I don't want to claim work I did not do :)

Can you do a new release of 2.2.1[23]?

The docker hub image is currently built on 2.2.11 and there is a regression in rate limiting that was fixed in 2.2.12 (there's now a 2.2.13 as well). Which I need fixed.

haproxy/haproxy#1196

I assume it's trivial for you to just kick off a new release but if it's a problem, let me know and I'll look for an alternative way to get it done 😄

haproxy doesn't reload after cert renewal

Hi,

supervisorctl cannot connect to the url http://localhost:9001, so after renewal, the certs are not reloaded.

Can be fixed by adding the unix_http_server section to the custom supervisord.conf

[supervisorctl]
# serverurl=http://localhost:9001
serverurl=unix:///tmp/supervisor.sock ; 

[unix_http_server]
file=/tmp/supervisor.sock ; 

[supervisord]
# ...

Container takes time to stop

Hello everyone and thank you for sharing this excellent Dockerfile which is very useful to me.

I'm not an expert in Dockerfile (and Docker) but I was wondering about container downtime.

Indeed, on my side, the container using the built image takes more than 30 seconds to stop. So I think that a process is not stopping correctly and Docker is waiting for a timeout to take control and kill everything.

Anyone have an idea how to fix this? Or does it only affect my setup perhaps? :)

I'm using the raw Dockerfile from this repo, I just modified a few things in the configuration files but nothing that could justify this long downtime.

I use docker-compose to launch the containers.

Thanks for the feedback.
