One of the things I love most about Rancher 1.6 is how easy it makes using Let's Encrypt certificates via the Let's Encrypt manager for Rancher.
My setup
This is an example of my balancer rules:
| Priority | Protocol | Request Host | Port | Path |
|----------|----------|--------------|------|------|
| 1 | HTTP | bithavoc.io | 80 | /.well-known/acme-challenge |
| 2 | HTTP | bithavoc.io | 80 | / |
| 3 | HTTPS | bithavoc.io | 443 | / |
It's mandatory to have /.well-known/acme-challenge at the highest priority for the domain so that certificate renewals work properly: the challenge requests must be routed to the Let's Encrypt manager instead of being swallowed by the catch-all / rule below it.
The problem
Of course I want to enforce HTTPS on my domain, so I copied and pasted the following haproxy rule from Stack Overflow:

```haproxy
frontend 80
redirect scheme https if { hdr(Host) -i bithavoc.io } !{ ssl_fc }
```
It works well until the agent tries to renew a certificate after the existing one has already expired: the Let's Encrypt HTTP client follows the redirect to HTTPS, the TLS handshake against the expired certificate fails, and so does the renewal.
The solution
The solution is surprisingly easy with haproxy, using a combination of ACLs and conditions so that the HTTPS redirect is not enforced for requests whose path begins with /.well-known:

```haproxy
frontend 80
mode http
acl u_is_lets_encrypt_challenge path_beg /.well-known
redirect scheme https if { hdr(Host) -i bithavoc.io } !{ ssl_fc } !u_is_lets_encrypt_challenge
```
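A quick way to confirm from outside that the balancer now behaves as intended, both for the renewal failure described above and for the ACL-based fix, is to probe it with curl without following redirects. The script below is an added example and is not part of the original post or of the Rancher Let's Encrypt manager; it assumes curl is installed, takes the host name as an argument, and uses a made-up challenge token ("probe"), since a 404 served over plain HTTP is enough to prove that the request was not redirected.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: probe a load balancer from the
# outside to confirm that a plain-HTTP request for the ACME challenge path is
# served directly (no redirect), while any other plain-HTTP request is redirected
# to https://<host>/. Assumes curl is installed; the host name is an argument.
set -u

# Fetch one URL without following redirects and print "<status> <redirect target>".
# The redirect target is empty when the response carries no Location header.
probe() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$1"
}

# Classify a probe result as "redirect" (3xx with a Location) or "direct".
classify() {
  local code target
  code="${1%% *}"
  case "$1" in
    *" "*) target="${1#* }" ;;
    *)     target="" ;;
  esac
  case "$code" in
    301|302|303|307|308)
      if [ -n "$target" ]; then echo "redirect"; return 0; fi ;;
  esac
  echo "direct"
}

# Check both behaviours from two probe results. Prints one PASS/FAIL line per
# check and returns 0 only when the challenge path is served directly AND the
# root path is redirected to https://<host>/.
verify() {
  local host="$1" challenge="$2" root="$3" ok=0
  if [ "$(classify "$challenge")" = "direct" ]; then
    echo "PASS: /.well-known/acme-challenge/ answered over plain HTTP ($challenge)"
  else
    echo "FAIL: challenge path was redirected ($challenge); renewals will break"
    ok=1
  fi
  if [ "$(classify "$root")" = "redirect" ] && [ "${root#* }" = "https://$host/" ]; then
    echo "PASS: / redirected to https://$host/"
  else
    echo "FAIL: / was not redirected to https://$host/ ($root)"
    ok=1
  fi
  return "$ok"
}

# Live run, e.g.:  ./check-acme-redirect.sh bithavoc.io
# The challenge token "probe" is made up: a 404 from the balancer still proves
# that the request was not redirected, which is all this check needs.
run_live_checks() {
  local host="$1"
  verify "$host" \
    "$(probe "http://$host/.well-known/acme-challenge/probe")" \
    "$(probe "http://$host/")"
}

if [ "$#" -gt 0 ]; then
  run_live_checks "$1"
fi
```

Run it before and after changing the haproxy rule: with the original redirect the first check fails because the challenge probe comes back as a 301 to HTTPS. Note that `path_beg /.well-known` exempts everything under /.well-known from the redirect; if you want the exemption to match the balancer rule exactly, narrow the ACL to `/.well-known/acme-challenge`.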