Stars: 104 | Rank: 330,604 (Top 7 %) | Language: Lua | License: Apache License 2.0 | Created over 6 years ago | Updated almost 4 years ago


Repository Details

HAProxy ACME v2 client

Important notice

Beware: the fixes to support the ACME v2 protocol were recently merged; there may be some sharp edges, but it should work.

This is a client implementation of the ACME (Automatic Certificate Management Environment) protocol, currently an IETF draft standard (https://tools.ietf.org/html/draft-ietf-acme-acme-12).

The protocol will be supported by the Let's Encrypt project from March 2018, and it is expected that other Certificate Authorities will support this ACME version in the future.

Intro

The main idea of this ACME client is to implement as much functionality as possible inside HAProxy itself. In addition to supporting single-instance HAProxy installations, we also aim to support multi-instance deployments (i.e. you have a cluster of load balancers on which you want to use ACME-issued certs).

By using the internal HTTP interface (and an HTTP client such as curl), you will be able to do the following:

  • Upload your own account and domain keys (only RSA keys for now)
  • Automatically register your account on ACME servers (linked to your account key)
  • Request and receive certificates for your domains

The only thing you need to do on your own is to save the received certificate bundles and reload HAProxy.

Requirements

  • A modern HAProxy version (v1.8) with Lua support (check with haproxy -vv | grep USE_LUA=1)
  • haproxy-lua-http - Lua HTTP server/client for HAProxy Lua host
  • json.lua - Lua JSON library
  • luaossl - OpenSSL bindings for Lua

Configuration

Install the required Lua libraries into a directory on LUA_PATH, and configure HAProxy as follows:

global
    log /dev/log local0 debug
    nbproc 1
    daemon
    lua-load config.lua
    lua-load acme.lua

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 10s
    timeout server 10s

listen http
    bind *:80
    http-request use-service lua.acme if { path_beg /.well-known/acme-challenge/  }

listen acme
    bind 127.0.0.1:9011
    http-request use-service lua.acme

listen acme-ca
    bind 127.0.0.1:9012
    server ca acme-v02.api.letsencrypt.org:443 ssl verify required ca-file letsencrypt-x3-ca-chain.pem
    http-request set-header Host acme-v02.api.letsencrypt.org

letsencrypt-x3-ca-chain.pem is the concatenation of the active root certificate and the intermediate certificate in one PEM file; both are available at https://letsencrypt.org/certificates/
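The acme-ca backend's "verify required" only trusts what is in that chain file, so a wrongly assembled file either breaks every order or, worse, trusts the wrong issuer. The following script is an added example, not code from the haproxy-lua-acme project: it checks that both inputs are CA certificates and that the intermediate actually chains to the root before it writes letsencrypt-x3-ca-chain.pem. The input file names root.pem and intermediate.pem are assumptions; the certificates themselves must be downloaded from https://letsencrypt.org/certificates/ first.

```shell
#!/bin/sh
# Added example (not from the haproxy-lua-acme project): build the CA chain
# file used by the acme-ca backend only after verifying its contents.
# Assumed inputs: root.pem and intermediate.pem downloaded from letsencrypt.org.
set -eu

# is_ca_cert <pem>: true if the certificate carries the CA:TRUE basic constraint.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chains_to_root <root.pem> <intermediate.pem>: true if the intermediate verifies
# against the root alone; the system trust store is deliberately not consulted,
# because HAProxy will only ever see the chain file.
chains_to_root() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_count <pem>: number of certificates in a PEM bundle.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# build_ca_chain <root.pem> <intermediate.pem> <out.pem>: write root + intermediate
# to <out.pem>, but only after both pass the checks above.
build_ca_chain() {
    root=$1; inter=$2; out=$3
    is_ca_cert "$root" || { echo "$root: not a CA certificate" >&2; return 1; }
    is_ca_cert "$inter" || { echo "$inter: not a CA certificate" >&2; return 1; }
    chains_to_root "$root" "$inter" || { echo "$inter does not chain to $root" >&2; return 1; }
    cat "$root" "$inter" > "$out"
    chmod 0644 "$out"   # public certificates only; HAProxy just needs read access
}

# Usage: sh build_chain.sh root.pem intermediate.pem letsencrypt-x3-ca-chain.pem
if [ "$#" -eq 3 ]; then
    build_ca_chain "$1" "$2" "$3"
fi
```

When the active Let's Encrypt intermediate is rotated, rerun the script with the new intermediate; if the new intermediate is signed by a different root, the chain check fails loudly instead of producing a file that HAProxy will reject at the next order.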

Configuration is kept in a separate Lua file, where you must explicitly set the termsOfServiceAgreed option to true in order to be able to acquire certs. Before doing that, please read the latest Let's Encrypt terms of service and subscriber agreement, available at https://letsencrypt.org/repository/

config = {
    registration = {
        -- You can read TOS here: https://letsencrypt.org/repository/
        termsOfServiceAgreed = false,
        contact = {"mailto:[email protected]"}
    },

    -- ACME certificate authority configuration
    ca = {
        -- HAProxy backend/server which proxies requests to ACME server
        proxy_uri = "http://127.0.0.1:9012",
        -- ACME server URI (also returned by ACME directory listings)
        -- Use this server name in HAProxy config
        uri = "https://acme-v02.api.letsencrypt.org",
    }
}

Key creation

Although the Lua module is able to create the account or domain key automatically, for performance and security reasons we require that you create your keys separately.

Currently, we only support RSA keys. The account key size should be 4096 bits, and the domain key size 2048 bits (minimum key sizes are also enforced by Let's Encrypt).

You can use the following commands to create keys. Note that you need a modern OpenSSL version: we don't use openssl genrsa but openssl genpkey, as we are going to use the same command to create ECDSA keys in the future.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out account.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.net.key
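The two commands above write the keys with whatever the current umask allows and give no feedback on the resulting size. The script below is an added example, not code from the haproxy-lua-acme project: it runs the same openssl genpkey commands with an owner-only umask and then verifies both the modulus size (4096 for the account key, 2048 for the domain key, as required above) and the file permissions before the keys are handed to HAProxy. The function names and the ./keys directory are assumptions; the file names account.key and example.net.key are the README's.

```shell
#!/bin/sh
# Added example (not from the haproxy-lua-acme project): create the account and
# domain keys with openssl genpkey, then verify size and permissions.
set -eu

# gen_rsa_key <path> <bits>: create an unencrypted RSA private key readable only
# by the current user (genpkey rather than genrsa, as in the README).
gen_rsa_key() {
    key_path=$1
    bits=$2
    (
        umask 077   # key files are created 0600; nobody but the HAProxy operator needs them
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" -out "$key_path"
    )
}

# rsa_key_bits <path>: print the modulus size in bits of an RSA private key.
# Matches both "Private-Key: (4096 bit)" and "RSA Private-Key: (4096 bit, 2 primes)".
rsa_key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1
}

# check_key_size <path> <expected_bits>: fail unless the modulus is exactly that size.
check_key_size() {
    actual=$(rsa_key_bits "$1")
    [ "$actual" = "$2" ] || { echo "$1: expected $2-bit key, got ${actual:-unreadable}" >&2; return 1; }
}

# check_key_perms <path>: fail if the key is readable by group or others.
check_key_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: insecure permissions $mode" >&2; return 1 ;;
    esac
}

# provision_keys <dir>: generate both keys into <dir> and verify them.
provision_keys() {
    dir=$1
    gen_rsa_key "$dir/account.key" 4096
    gen_rsa_key "$dir/example.net.key" 2048
    check_key_size "$dir/account.key" 4096
    check_key_size "$dir/example.net.key" 2048
    check_key_perms "$dir/account.key"
    check_key_perms "$dir/example.net.key"
}

# Usage: sh make_keys.sh --run [dir]   (dir defaults to ./keys)
if [ "${1:-}" = "--run" ]; then
    mkdir -p "${2:-./keys}"
    provision_keys "${2:-./keys}"
fi
```

The account key is the long-lived identity that Let's Encrypt associates with your registration, so it deserves the stricter treatment; the size check also catches the easy mistake of swapping the two commands.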

Usage

After you have provisioned your keys, you can run a certificate order via HTTP, for example by using curl to POST data in multipart/form-data format:

curl -XPOST http://127.0.0.1:9011/acme/order -F '[email protected]' \
     -F 'domain=example.net' -F '[email protected]' \
     -F 'aliases=www.example.net,example.com,www.example.com' \
     -o example.net.pem

Aliases are optional, and we use the curl @ syntax to post files. The output is the full certificate chain (with the key appended), suitable for direct consumption by HAProxy.
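Since saving the bundle and reloading HAProxy is left to you, that is also the place to make sure a bad bundle never reaches the running proxy. The script below is an added example, not code from the haproxy-lua-acme project: it posts the order as the curl call above does, then refuses to install the result unless the appended key matches the leaf certificate, every requested name appears in the subjectAltName, and the certificate is not about to expire; the reload only happens after haproxy -c accepts the configuration. The multipart field names account_key and domain_key are hypothetical (the original field names are obscured on this page), and CERT_DIR, HAPROXY_CFG and the systemctl reload are placeholders for the local deployment.

```shell
#!/bin/sh
# Added example (not from the haproxy-lua-acme project): order a certificate
# bundle, validate it, install it, and reload HAProxy only if everything checks out.
# Assumed: field names account_key/domain_key, the install and config paths, and
# systemd as the init system.
set -eu

ACME_ORDER_URL="${ACME_ORDER_URL:-http://127.0.0.1:9011/acme/order}"   # listen acme in the README config
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"                             # assumed install path
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"                 # assumed config path

# bundle_cert_matches_key <bundle.pem>: the leaf certificate and the private key
# appended to the bundle must carry the same public key; HAProxy refuses to load
# a bundle where they differ, so catch it before the reload.
bundle_cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# bundle_covers_name <bundle.pem> <dns-name>: the leaf's subjectAltName must list
# the name exactly (a prefix such as example.net vs example.network must not pass).
bundle_covers_name() {
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$name_re"'(,|$)'
}

# bundle_not_expiring <bundle.pem> <seconds>: fail if the leaf expires within <seconds>.
bundle_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# validate_bundle <bundle.pem> <name> [name ...]: every check must pass.
validate_bundle() {
    bundle=$1; shift
    bundle_cert_matches_key "$bundle" || return 1
    for name in "$@"; do
        bundle_covers_name "$bundle" "$name" || return 1
    done
    bundle_not_expiring "$bundle" 86400   # a fresh bundle must last at least a day
}

# order_and_install <domain> <account.key> <domain.key> [aliases]: fetch, validate,
# install with owner-only permissions, then reload HAProxy if the config checks out.
order_and_install() {
    domain=$1; account_key=$2; domain_key=$3; aliases=${4:-}
    tmp=$(mktemp)
    # aliases are comma-separated without spaces, so the unquoted expansion below
    # yields exactly "-F aliases=..." or nothing when no aliases were given
    curl -fsS -X POST "$ACME_ORDER_URL" \
        -F "account_key=@$account_key" -F "domain=$domain" \
        -F "domain_key=@$domain_key" ${aliases:+-F aliases=$aliases} -o "$tmp"
    if validate_bundle "$tmp" "$domain" $(printf '%s' "$aliases" | tr ',' ' '); then
        install -m 0600 "$tmp" "$CERT_DIR/$domain.pem"   # the bundle carries the private key
        rm -f "$tmp"
        haproxy -c -q -f "$HAPROXY_CFG" && systemctl reload haproxy
    else
        rm -f "$tmp"
        echo "bundle for $domain failed validation; HAProxy left untouched" >&2
        return 1
    fi
}

# Usage: sh order.sh example.net account.key example.net.key www.example.net,example.com
if [ "$#" -ge 3 ]; then
    order_and_install "$@"
fi
```

Keeping the validation in a separate function means the same checks can run from a cron job against bundles already in CERT_DIR, which is the cheapest way to notice an expiring certificate before clients do.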
