HAProxy option redirect-http-to-https blocks port 80, which certbot needs
Running Configuration
set pki ca AAACertificateServices certificate 'MIIEMj...'
set pki ca CAcert_Signing_Authority certificate 'MIIEMj...'
set pki ca Sectigo_RSA certificate 'MIIEMj...'
set pki ca USERTrust certificate 'MIIEMj...'
set pki ca USERTrust_RSA certificate 'MIIEMj...'
set pki certificate cloud.XXX.net certificate 'MIIEMj...'
set pki certificate cloud.XXX.net private key 'MIIEMj...'
set load-balancing reverse-proxy backend cloud server lnx03 address '172.16.36.40'
set load-balancing reverse-proxy backend cloud server lnx03 port '443'
set load-balancing reverse-proxy backend cloud ssl ca-certificate 'CAcert_Class_3_Root'
set load-balancing reverse-proxy global-parameters tls-version-min '1.2'
set load-balancing reverse-proxy service cloud backend 'cloud'
set load-balancing reverse-proxy service cloud port '443'
set load-balancing reverse-proxy service cloud redirect-http-to-https
set load-balancing reverse-proxy service cloud rule 10 set redirect-location '/remote.php/dav/'
set load-balancing reverse-proxy service cloud rule 10 url-path exact '/.well-known/caldav'
set load-balancing reverse-proxy service cloud ssl certificate 'cloud.XXX.net'
Enable ACME
set pki certificate LE_cloud acme domain-name cloud.XXX.net
set pki certificate LE_cloud acme email ca@XXX.net
set pki certificate LE_cloud acme rsa-key-size 4096
ACME certbot request failed for "LE_cloud"! failed to run command: certbot certonly --non-interactive --config-dir /config/auth/letsencrypt --cert-name LE_cloud --standalone --agree-tos --no-eff-email --expand --server https://acme-v02.api.letsencrypt.org/directory --email ca@XXX.net --key-type rsa --rsa-key-size 4096 --domains cloud.XXX.net --dry-run returned: exit code: 1
The reason is that certbot (running in standalone mode) cannot bind to port 443, because that port is already in use by HAProxy.
In addition, the dry run fails with the following traceback when run by hand:
cpo@BR1.wue3# sudo certbot certonly --non-interactive --config-dir /config/auth/letsencrypt --cert-name LE_cloud --standalone --agree-tos --no-eff-email --expand --server https://acme-v02.api.letsencrypt.org/directory --email ca@XXX.net --key-type rsa --rsa-key-size 4096 --domains cloud.XXX.net --dry-run
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/certbot", line 25, in importlib_load_entry_point
return next(matches).load()
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/importlib/metadata/__init__.py", line 202, in load
module = import_module(match.group('module'))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<frozen importlib._bootstrap>", line 1206, in _gcd_import
File "<frozen importlib._bootstrap>", line 1178, in _find_and_load
File "<frozen importlib._bootstrap>", line 1149, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 940, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/usr/lib/python3/dist-packages/certbot/main.py", line 6, in <module>
from certbot._internal import main as internal_main
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 21, in <module>
from acme import client as acme_client
File "/usr/lib/python3/dist-packages/acme/client.py", line 29, in <module>
from acme import messages
File "/usr/lib/python3/dist-packages/acme/messages.py", line 20, in <module>
from acme import fields
File "/usr/lib/python3/dist-packages/acme/fields.py", line 8, in <module>
import pyrfc3339
File "/usr/lib/python3/dist-packages/pyrfc3339/__init__.py", line 17, in <module>
from pyrfc3339.generator import generate
File "/usr/lib/python3/dist-packages/pyrfc3339/generator.py", line 1, in <module>
import pytz
File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 38, in <module>
OLSON_VERSION = _read_olson_version()
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/pytz/__init__.py", line 29, in _read_olson_version
with tzdata_zi.open(encoding="utf-8") as tzdata_zi_file:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/pathlib.py", line 1045, in open
return io.open(self, mode, buffering, encoding, errors, newline)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/zoneinfo/tzdata.zi'
[edit] Note: the file /usr/share/zoneinfo/tzdata.zi is missing in 1.4.1 but present in 1.4-stable-202501230755.