In this tutorial, I’ll be sharing how I configured my HolbertonBnB web servers at ALX with Let’s Encrypt and HAproxy SSL termination.
Let’s Encrypt is a new Certificate Authority (CA) that offers an accessible way to acquire and install free TLS/SSL certificates for web servers, allowing secure communication through encrypted HTTPS. One of the tools offered by Let’s Encrypt is Certbot, a software client that streamlines the certificate acquisition and installation process.
Prerequisites
Before following this tutorial, you’ll need to know/have a few things.
HAProxy: This can be installed through various methods, but for this tutorial we will use the simple `apt-get install haproxy`.
Secure Sockets Layer, SSL, is a protocol for establishing encrypted and authenticated links between networked computers in order to keep internet connections secure and to safeguard sensitive data.
SSL termination reduces the load on your servers while speeding up and simplifying data exchanges. SSL termination allows your application to handle more connections at a time.
Also, you must own or control the registered domain name that you wish to use the certificate with.
Let’s move on to installing Certbot, the Let’s Encrypt client software, once you have completed all the prerequisites.
Step 1: Install Certbot
The first step to obtaining an SSL/TLS certificate is to install the Certbot software on your server. Let’s Encrypt’s client is now called Certbot, and it is used to generate the certificates. To get the latest code you can either clone the Certbot repository or use apt-get.

Using apt-get, first update the local package index, then install the package:

```bash
$ sudo apt update
$ sudo apt install -y certbot python3-certbot-nginx
```
Step 2: Obtain a Certificate
Diving in, the first thing you will need is a certificate. Let’s Encrypt offers multiple plugins for obtaining SSL certificates; most of them only obtain the certificate, which you must then manually configure your web server to use.
These plugins are called “authenticators” because they authenticate whether a server should be issued a certificate, without installing it.
Generating the certificate:
The Standalone plugin is a straightforward method for acquiring SSL certificates. It operates by launching a small web server (default on port 80) on your server, which Let’s Encrypt CA uses to verify your server’s identity and issue the certificate. However, to use this method, port 80 must be available.
Make sure that nothing is listening on port 80. To list what is using it, stop anything that is (HAProxy, in this setup), then request the certificate:

```bash
# List anything listening on port 80
$ netstat -na | grep ':80.*LISTEN'
# Stop everything that might be on this port (here, HAProxy)
$ sudo service haproxy stop
# Request the certificate with the standalone authenticator
$ sudo certbot certonly --standalone -d www.example.com --non-interactive --agree-tos --email example@gmail.com
```
After obtaining the cert, you will have the following PEM-encoded files:
- cert.pem: Your domain’s certificate
- chain.pem: Let’s Encrypt chain certificate
- fullchain.pem: a combination of cert.pem and chain.pem
- privkey.pem: the private key to your certificate.
The files themselves are placed in a subdirectory in /etc/letsencrypt/archive. However, Certbot creates symbolic links to the most recent certificate files in the /etc/letsencrypt/live/your_domain_name directory.
Step 3: Configure HAProxy to Accept Encrypted Traffic
To configure HAProxy to accept encrypted traffic for your subdomain, follow these steps:
When setting up SSL termination with HAProxy, you need to combine fullchain.pem and privkey.pem into one file, because HAProxy reads the certificate chain and the private key from a single PEM file.
First, create the directory where the combined file will be placed, /etc/haproxy/certs:

```bash
$ sudo mkdir -p /etc/haproxy/certs
# Next, create the combined file with this cat command (substitute example.com with your domain name).
# sudo -E keeps the DOMAIN variable so the inner shell can expand it.
$ DOMAIN='example.com' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
# Secure access to the combined file, which contains the private key:
$ sudo chmod -R go-rwx /etc/haproxy/certs
```

This creates a combined cert under /etc/haproxy/certs/example.com.pem.
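Certbot renews into /etc/letsencrypt/live, but HAProxy only ever reads the combined file, so that file goes stale after every renewal unless it is rebuilt. The script below is an added example, not code from the original post: it wraps the combine step in a function that creates the bundle with mode 0600 from the start, checks that the result has the structure HAProxy expects (certificates first, exactly one private key last), and only then swaps it in and reloads. The `install_bundle` function and the paths it uses are assumptions that follow this post’s layout.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the HAProxy bundle from
# Certbot's live/ directory and sanity-check it before HAProxy loads it.
# Assumes Certbot's standard layout: LIVE_DIR/fullchain.pem and privkey.pem.
set -eu

# make_haproxy_bundle LIVE_DIR OUT_FILE
# Concatenates fullchain.pem then privkey.pem (the order HAProxy expects).
# The umask makes the file 0600 from the moment it is created, so the
# private key is never world-readable, not even briefly.
make_haproxy_bundle() {
    local live_dir="$1" out="$2"
    [ -r "$live_dir/fullchain.pem" ] && [ -r "$live_dir/privkey.pem" ] || return 1
    ( umask 077; cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out" )
}

# bundle_ok FILE
# Checks what 'bind ... ssl crt FILE' needs: at least one CERTIFICATE block,
# exactly one PRIVATE KEY block, and the key as the last PEM block.
bundle_ok() {
    local f="$1" certs keys last
    [ -r "$f" ] || return 1
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    last=$(grep -- '-----BEGIN ' "$f" | tail -n 1)
    [ "$certs" -ge 1 ] || return 1
    [ "$keys" -eq 1 ] || return 1
    case "$last" in *"PRIVATE KEY"*) return 0 ;; esac
    return 1
}

# install_bundle DOMAIN  (hypothetical helper: what a renewal hook would run)
# Builds into a temp file, validates it, swaps it in atomically, then checks
# the HAProxy config before reloading, so a bad bundle never takes the proxy down.
install_bundle() {
    local domain="$1" target
    target="/etc/haproxy/certs/$domain.pem"
    make_haproxy_bundle "/etc/letsencrypt/live/$domain" "$target.new"
    bundle_ok "$target.new"
    mv "$target.new" "$target"
    haproxy -c -f /etc/haproxy/haproxy.cfg
    service haproxy reload
}
```

Certbot’s --deploy-hook option can run install_bundle after each successful renewal; that function needs root and a real /etc/letsencrypt tree, so only the two checking functions are exercised on constructed input here.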
HAProxy configuration
If HAProxy happens to be running, stop it with `service haproxy stop`.
First, save the default configuration file: `cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old`.
Now, overwrite the old one with this new one (comments explaining what each setting does are in-lined; they are safe to copy; substitute example.com.pem with the combined file you created above):
```
### Defaults section
defaults
    # HTTP mode is required for the header and path rules below
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

### Frontend sections
frontend www-http
    bind *:80
    # Tell the backend the original request arrived over plain HTTP
    # (reqadd was removed in HAProxy 2.1; http-request set-header replaces it)
    http-request set-header X-Forwarded-Proto http
    # Sets the default backend, defined below with the name 'www-backend'
    default_backend www-backend

# Frontend to handle incoming HTTPS connections
frontend www-https
    # Bind 443 with the combined Let's Encrypt cert created above
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    # Tell the backend the original request arrived over HTTPS
    http-request set-header X-Forwarded-Proto https
    # Match ACME HTTP-01 challenge requests
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    # Use the challenge backend if the challenge ACL matches
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend www-backend

### Backend sections
backend www-backend
    # ssl_fc: true when the front connection was made via an SSL/TLS transport;
    # anything that arrived in the clear is redirected to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }
    server www-1 www_1_private_IP:80 check
    server www-2 www_2_private_IP:80 check

backend letsencrypt-backend
    # Let's Encrypt (Certbot standalone) backend server
    server letsencrypt 127.0.0.1:54321
```
Save this, and start HAProxy with `sudo service haproxy restart`. If you did everything right, it should say nothing. Be sure to validate the config with `haproxy -c -f /etc/haproxy/haproxy.cfg`.
Also, ensure it’s running:

```bash
$ sudo service haproxy status
```
Once HAProxy is running, you should be able to open your website from a browser outside your local network and see that it has a valid certificate installed. In Chrome, you should see a green icon telling you that the cert is valid.
And that is all. HAProxy is now using a free Let’s Encrypt TLS/SSL certificate to securely serve HTTPS traffic.
If you have any questions or encounter any issues during the setup process, please leave a comment below. Thank you for reading!
Sources:
Helpful blog posts that inspired this article:
- This post by Skarlso
- This tutorial by DigitalOcean