Using acme and reverse proxy at the same time without interference?

Hello.
I’m trying to retrieve a certificate using the ACME protocol. I know this works because I already did one before setting up haproxy.
However, now I get this when committing.

vyos@vyos# commit

ACME certbot request failed for "support.domain.net"! failed to
run command: certbot certonly --non-interactive --config-dir
/config/auth/letsencrypt --cert-name support.domain.net
--standalone --agree-tos --no-eff-email --expand --server
https://acme-v02.api.letsencrypt.org/directory --email
[email protected] --key-type rsa --rsa-key-size 2048 --domains
support.domain.net --dry-run returned: Simulating a certificate
request for support.domain.net exit code: 1

[[pki]] failed
Commit failed

I think this is because the above command is trying to use standalone mode for certbot even though haproxy is running on port 80.
Here is my config

vyos@vyos# show load-balancing
 reverse-proxy {
     backend docs {
         mode http
         server docs {
             address 10.x.x.21
             port 80
         }
     }
     service http {
         listen-address 103.x.x.204
         mode http
         port 80
         redirect-http-to-https
     }
     service https {
         listen-address 103.x.x.204
         mode http
         port 443
         rule 10 {
             set {
                 redirect-location /certs/
             }
             url-path {
                 exact /.well-known/xxx
             }
         }
         rule 25 {
             domain-name docs.domain.net
             set {
                 backend docs
             }
         }
         ssl {
             certificate docs.domain.net
         }
     }
 }
vyos@vyos# show pki
 certificate docs.domain.net {
     acme {
         domain-name docs.domain.net
         email [email protected]
         listen-address 103.x.x.204
     }
 }
+certificate support.domain.net {
+    acme {
+        domain-name support.domain.net
+        email [email protected]
+    }
+}

How can I tell ACME to use webroot instead of standalone for the cert jobs?
Any thoughts anyone?

Hi, this is most likely related to T7122 PKI: Unable to switch from custom cert to ACME when haproxy service is running with 'redirect-http-to-https' option, which I am currently working on.

The reason is that you cannot bind port 80 with two services. We need haproxy to act as an ACME reverse proxy. This is currently being developed within the backend; no user interaction required.
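To make the "haproxy acts as the ACME reverse proxy" idea concrete, here is an added example of a plain haproxy.cfg fragment. It is not from this thread, not the VyOS CLI, and not the configuration VyOS generates: haproxy alone owns TCP/80 and forwards only the http-01 challenge path to a certbot standalone listener on a loopback port, so the two services never contend for port 80 (which is also the race seen at boot when both try to bind it). The address 103.x.x.204 is the one used above; the loopback port 8402 is an arbitrary choice.

```haproxy
# Added example, not VyOS's generated config. haproxy is the only listener on
# :80; ACME http-01 requests are proxied to certbot on 127.0.0.1:8402 (assumed
# free), everything else keeps the redirect-http-to-https behaviour.
frontend http
    bind 103.x.x.204:80
    mode http
    # http-01 validation requests always arrive at this well-known path (RFC 8555)
    acl is_acme path_beg /.well-known/acme-challenge/
    # skip the HTTPS redirect for challenge requests, redirect the rest
    http-request redirect scheme https code 301 unless is_acme
    use_backend acme if is_acme

backend acme
    mode http
    # certbot standalone listener bound to loopback, never to the public :80
    server certbot 127.0.0.1:8402
```

With this in place certbot is started on the loopback port rather than on :80, for example `certbot certonly --standalone --http-01-port 8402 --domains support.domain.net --dry-run` (`--http-01-port` is a standard certbot option). The HTTPS frontend on :443 is unaffected because Let's Encrypt's http-01 validation only ever connects to port 80.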


Got it, thanks.
Is there an intermediate solution?
I was hoping to use this instead of running a dedicated rp machine on my new DC setup.

We actually see issues related to this when we have an HAProxy + ACME validation happening at the same time, e.g. on system boot/fresh config apply:

    load-balancing_reverse-proxy: ConfigError('"TCP" port "80" is used by another service')

Seemingly ACME has already started doing the validation and has taken TCP/80, then when the HAProxy config is applied/starts it errors because ACME has TCP/80 already. If we commit again a little bit after, then it’s fine, because ACME has finished and is no longer binding to TCP/80.