Haproxy with multiple virtual SSL cert domains 18.05.23

# Working Example to use multiple domains with SSL certs, 3 files:
## example haproxy config file at /etc/haproxy/haproxy.cfg

```console
File Edit Options Buffers Tools Conf Help                                                                                                                                          
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

# Default SSL material locations                                                                                                                                           
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate                                                                             
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305\
:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
	#bind *:443 ssl crt /etc/ssl/ww2.myridia.com.pem                                                                                                                           
	bind *:443 ssl crt /etc/ssl/ww2.myridia.com.pem	  crt /etc/ssl/ww1.myridia.com.pem
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl

acl host_my hdr(host) -i  ww2.myridia.com
	use_backend my_cluster if host_my

acl host_my hdr(host) -i  ww1.myridia.com
	use_backend my_cluster if host_my

backend my_cluster
        balance leastconn
        option httpclose
        option forwardfor
        server node1 10.3.0.3:80 check

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888
    #server n1 65.109.9.188:8031

````

## Bash script at /opt/updatecerts.sh

```console
#!/bin/bash

#0 1 * * * /opt/updatecerts.sh
#certbot certonly -v --standalone -d ww1.myridia.com  --non-interactive --agree-tos --email veto@myridia.com --http-01-port=8888
certbot renew #--force-renewwal

cat /etc/letsencrypt/live/ww2.myridia.com/fullchain.pem /etc/letsencrypt/live/ww2.myridia.com/privkey.pem > /etc/ssl/ww2.myridia.com.pem
cat /etc/letsencrypt/live/ww1.myridia.com/fullchain.pem /etc/letsencrypt/live/ww1.myridia.com/privkey.pem > /etc/ssl/ww1.myridia.com.pem
service haproxy reload

```

## Cron Job file  /etc/cron.d/haproxy

```console
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 1 * * * root /opt/updatecerts.sh

```

https://devops.cisel.ch/lets-encrypt-on-haproxy

Anonymous

Haproxy with multiple virtual SSL cert domains 18.05.23

Information Epoch 1757985522