let's encrypt auto-renewal with haproxy

PUBLISHED ON FEB 19, 2022 / 1 MIN READ — NOTES, SCRIBBLES

There are no doubt a number of ways to deal with adding renewed certificates to HAProxy, but I needed something that would work with Let’s Encrypt certbot and didn’t require reloading HAProxy. Enter the HAProxy CLI API and Dynamic SSL Certificate Storage.

There’s really not much to it: modify the script to your liking, primarily where the logfile goes, and the certificate directory if yours differs from the out-of-the-box /etc/haproxy/ssl. Once that’s done, copy the script to /etc/letsencrypt/renewal-hooks/deploy/le-renew-haproxy.sh (the filename is up to you) and set its permissions to 750.

Once Let’s Encrypt successfully renews a certificate, certbot runs the deploy hook, which does the following:

  1. Copy the renewed certificate to /etc/haproxy/ssl
  2. Add the certificate to the running HAProxy using the CLI API

Job done.
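The deploy hook described above, written out as an added example (this is not the post's own script). Certbot exports `RENEWED_LINEAGE` to deploy hooks; everything else beyond that and the /etc/haproxy/ssl and renewal-hooks paths is an assumption: the runtime API socket at /var/run/haproxy.sock, `socat` as the client, and the certificate being referenced in haproxy.cfg as /etc/haproxy/ssl/<domain>.pem.

```shell
#!/bin/sh
# Certbot deploy hook for HAProxy (added example, not the original post's script).
# Installed as /etc/letsencrypt/renewal-hooks/deploy/le-renew-haproxy.sh, mode 750.
#
# Assumptions that are NOT from the post: the HAProxy runtime API socket lives at
# /var/run/haproxy.sock (enabled with "stats socket ... level admin" in haproxy.cfg),
# socat is installed, and the certificate is already loaded by haproxy.cfg as
# /etc/haproxy/ssl/<domain>.pem, so a "set ssl cert" transaction can replace it.
set -eu

HAPROXY_SSL_DIR="${HAPROXY_SSL_DIR:-/etc/haproxy/ssl}"
HAPROXY_SOCKET="${HAPROXY_SOCKET:-/var/run/haproxy.sock}"
LOGFILE="${LOGFILE:-/var/log/le-renew-haproxy.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOGFILE"
}

# Step 1: HAProxy wants the full chain and the private key in one PEM file.
# The bundle holds the private key, so it is written under umask 077 (in a
# subshell, so the umask does not leak) and pinned to mode 0600.
build_haproxy_pem() {
    lineage="$1"
    out="$2"
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out" )
    chmod 0600 "$out"
}

# Step 2a: "set ssl cert <path> <<" stages the new PEM as a payload; the
# payload is terminated by an empty line.
haproxy_set_payload() {
    pem="$1"
    printf 'set ssl cert %s <<\n' "$pem"
    cat "$pem"
    printf '\n'
}

# Step 2b: "commit ssl cert <path>" swaps the staged certificate into the
# running process atomically, with no reload and no dropped connections.
haproxy_commit_command() {
    printf 'commit ssl cert %s\n' "$1"
}

# One runtime-API connection per command; HAProxy keeps the pending
# transaction keyed by filename, so set and commit may use separate connections.
send_cli() {
    socat stdio "UNIX-CONNECT:$HAPROXY_SOCKET"
}

main() {
    # RENEWED_LINEAGE is e.g. /etc/letsencrypt/live/example.com; its basename
    # is the primary domain, which names the PEM file HAProxy already uses.
    domain="$(basename "$RENEWED_LINEAGE")"
    pem="$HAPROXY_SSL_DIR/$domain.pem"

    build_haproxy_pem "$RENEWED_LINEAGE" "$pem"
    log "copied renewed certificate for $domain to $pem"

    set_reply="$(haproxy_set_payload "$pem" | send_cli)"
    log "set ssl cert: $set_reply"

    commit_reply="$(haproxy_commit_command "$pem" | send_cli)"
    log "commit ssl cert: $commit_reply"

    # HAProxy answers a successful commit with "Success!"; anything else means
    # the old certificate is still being served and needs a human to look.
    case "$commit_reply" in
        *Success*) ;;
        *) log "ERROR: HAProxy did not accept $pem"; exit 1 ;;
    esac
}

# Only act when certbot invokes this as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

`set ssl cert` only replaces a certificate HAProxy has already loaded, which is the renewal case; a certificate that is new to the running instance must first be declared with `new ssl cert <path>` and, for crt-list frontends, attached with `add ssl crt-list`. Because the hook writes a file containing the private key, the 0600 mode and the 750 permissions on the hook itself are the two things worth checking after installing it.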

You can read more about HAProxy Dynamic SSL Certificate Storage if you so wish.