> On 15 June 2017 at 16:42, Simos Xenitellis <simos.li...@googlemail.com>
> wrote:
> 
> On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet <m...@gandi.net> wrote:
>> In haproxy 1.8dev, default certificate can now be optional.
>> This patch allow that.
>> 
> 
> Thanks Manu for looking into this.
> 
> Here is my use-case:
> 
> 1. A "frontend" would bind on port 80 and then look whether a request
> is from Letsencrypt (URL: ~/.well-known/..). That is, an "http-01"
> challenge request.
> If so, it would forward the connection to a backend that deals with
> certificates (that backend initiated this request in the first place).
> If it is not an "http-01" challenge request, then it would redirect to https.
> 
> 2. Another frontend would bind to port 443, and the "bind" line would
> have a new keyword like "disable-if-no-certs".
> If there are no certs yet installed, haproxy would cancel out the
> whole frontend for port 443 and would not bind port 443.
> 
> 
> Ideally, this would be implemented cleanly if there was a way to simply 
> specify
> 
> use_frontend myhttps if { ssl_certs_exist }
> 
> Also, we could then specify to redirect to https (first frontend
> earlier) if { ssl_certs_exist }.
> 

With this patch you will not need such complicated needs.
Just do:
 bind :443 ssl strict-sni crt /my/cert/directory/

Without this patch you need to have at least one certificate (fake or not).

> 
> For this to work, it would require:
> 
> 1. Addition of a keyword "use_frontend", just like "use_backend" exists.
> 2. HAProxy should set "ssl_certs_exist" when it loads up, depending on
> whether certificates have been found or not.
> 
> Simos
> 
> 
>> 
>>> On 29 May 2017 at 11:09, Emmanuel Hocdet <m...@gandi.net> wrote:
>>> 
>>> 
>>> Hi Simos,
>>> 
>>> The workaround is to have a default (fake) certificate first and use the
>>> "strict-sni" parameter.
>>> 
>>> Manu
>>> 
>>>> On 22 May 2017 at 10:28, Simos Xenitellis <simos.li...@googlemail.com>
>>>> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> I am trying to automate some tasks with adding multiple https
>>>> (LetsEncrypt) websites,
>>>> and using HAProxy as a TLS Termination Proxy.
>>>> 
>>>> The problem is that when you start off with an empty server, there are
>>>> no certificates yet,
>>>> and it is not possible to have "bind *:443 ssl crt
>>>> /etc/haproxy/certs/..." in haproxy.cfg.
>>>> 
>>>> LetsEncrypt can work with http, so it could easily use the "bind *:80"
>>>> front-end in the beginning.
>>>> 
>>>> Is there a way to express "If no certificates are found in
>>>> /etc/haproxy/certs/, then do not bind *:443"?
>>>> 
>>>> Simos
>>>> 
>>> 
>> 
>> 


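The two-frontend setup Simos describes, combined with Manu's strict-sni bind line, written out as an added example HAProxy configuration (not from the thread; the backend names, the ACME client address 127.0.0.1:8402, the application address 127.0.0.1:8080 and the directory /etc/haproxy/certs/ are assumptions):

```haproxy
# Added example, not from the thread. Backend names, the ACME client
# address, the app address and the certificate directory are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind :80
    # http-01 challenge requests arrive under this well-known path.
    acl is_acme path_beg /.well-known/acme-challenge/
    # http-request rules run before use_backend: everything that is not
    # a challenge is redirected to https, challenges fall through.
    http-request redirect scheme https code 301 unless is_acme
    # Hand the challenge to the ACME client that initiated the order.
    use_backend acme_client if is_acme

frontend https_in
    # With the 1.8dev patch this directory may be empty at startup: no
    # default certificate is required, and strict-sni makes haproxy
    # reject any handshake whose SNI matches no loaded certificate
    # instead of serving a fallback. Without the patch (1.7 and earlier)
    # the directory must hold at least one (fake) certificate.
    bind :443 ssl strict-sni crt /etc/haproxy/certs/
    default_backend web

backend acme_client
    server acme 127.0.0.1:8402

backend web
    server app 127.0.0.1:8080
```

Note that strict-sni also rejects clients that send no SNI at all, so check with `haproxy -c -f` and a test handshake that the hostnames you issue certificates for are the ones clients actually send.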