5.1.10.4. HAProxy Certificates Configuration

When the HAProxy service on the FrontEnd terminates the HTTPS connections that it forwards to the server backend, it must present a certificate that the users’ browsers trust; otherwise the TLS connections fail validation. This is typically the case in 2SRA deployments.

This section explains how to configure the HAProxy web certificates.

5.1.10.4.1. Let’s Encrypt web certificate creation

As stated in the prerequisites, a web SSL/TLS certificate trusted by the users’ browsers is required. Without one, every user receives certificate warnings and has to accept an exception, a poor experience that also teaches users to click through warnings.

Note

If you already have a certificate issued to your company for the server’s domain, this step is not necessary. If you do not, the instructions below obtain one free of charge from Let’s Encrypt.

Let’s Encrypt certificates are valid for 90 days and must be renewed, manually or automatically, before they expire. For the request and issuance to succeed, the FE needs Internet access, the domain must resolve publicly to the FE, and TCP port 443 must be reachable from the Internet, because the TLS-ALPN challenge used below is answered on that port. The same conditions apply at every renewal, so an automatic renewal must also free port 443 (stop HAProxy) for the duration of the challenge.

  1. Connect via SSH to the FE.

  2. Install the acme.sh script. The installer is downloaded and piped straight into a shell; on a hardened FE, download it to a file first, review it, and then run it.

#Download and install acme.sh (the e-mail address registers the ACME account and receives expiry notices)
curl https://get.acme.sh | sh -s email=<email_address>

#Reload the shell configuration so that the acme.sh alias added by the installer is available
source ~/.bashrc
  3. Stop the HAProxy service and create the certificate. The TLS-ALPN challenge needs port 443 free, which is why HAProxy must be stopped first:

#Stop HAProxy so that acme.sh can listen on port 443
systemctl stop haproxy

#Generate the certificate with the tls-alpn-01 challenge on port 443.
#--server letsencrypt is needed because recent acme.sh versions default to ZeroSSL as the CA.
acme.sh --issue --alpn --server letsencrypt -d <server_domain>
  4. The certificate chain and its private key are now in a folder named after the domain: /root/.acme.sh/<server_domain>/fullchain.cer and /root/.acme.sh/<server_domain>/<server_domain>.key. Recent acme.sh versions issue ECC keys by default and then use the folder /root/.acme.sh/<server_domain>_ecc/ instead; adjust the paths below accordingly.

HAProxy expects the certificate chain and the private key in a single PEM file, with the certificate first and the key after it. Because this file contains the private key, it must be readable by root only (mode 0600). To create it, go to the folder where the certificate was generated and execute:

#Access the directory
cd /root/.acme.sh/<server_domain>

#Combine the certificate chain and the private key into one file (certificate first, key last)
cat fullchain.cer <server_domain>.key > cert_emma.pem
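The combination step above, and the copy to /etc/ssl/certs/cert_emma.pem that the next section asks for, written as a reusable POSIX shell script. This is an added example for this guide, not part of the product or of acme.sh: the paths are the defaults used in this guide, the ACME_DIR and HAPROXY_PEM variables and the function names are this example’s own, and the <domain>_ecc folder handling assumes acme.sh’s naming for ECC certificates. Beyond the plain cat, it checks that each input is the PEM type HAProxy expects in that position, that the private key actually belongs to the certificate (a mismatch is the usual reason HAProxy refuses to start after this step), and it writes the combined file with owner-only permissions, since it contains the key.

```shell
#!/bin/sh
# Assemble the combined PEM HAProxy expects (certificate chain first, private
# key last) from the files acme.sh produced, check that the key belongs to the
# certificate, and install the result with owner-only permissions.
# Added example for this guide; not part of the product or of acme.sh.

# Defaults follow the paths used in this guide; override them in the
# environment if your layout differs.
ACME_DIR="${ACME_DIR:-/root/.acme.sh}"
HAPROXY_PEM="${HAPROXY_PEM:-/etc/ssl/certs/cert_emma.pem}"

# pem_has_block <file> <pattern>: true if <file> is non-empty and contains a
# PEM header matching <pattern>.
pem_has_block() {
  [ -s "$1" ] && grep -q -- "$2" "$1"
}

# key_matches_cert <chain> <key>: compare the public key in the first (leaf)
# certificate of <chain> with the public key derived from <key>.
# Returns 0 on match, 1 on mismatch or unreadable input, 3 if openssl is absent.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || return 3
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_haproxy_pem <chain> <key> <out>: write chain followed by key to <out>
# with mode 0600. Returns 1, without touching <out>, if an input is missing or
# is not the PEM type expected in that position (the order matters to HAProxy).
build_haproxy_pem() {
  pem_has_block "$1" 'BEGIN CERTIFICATE' || return 1
  pem_has_block "$2" 'PRIVATE KEY-----' || return 1
  # umask in a subshell so the file is never world-readable, not even briefly
  ( umask 077; cat "$1" "$2" > "$3" ) || return 1
  chmod 600 "$3"
}

# install_haproxy_pem <domain>: build the combined file from the acme.sh
# output for <domain> and move it atomically into place. Returns 1 if the
# inputs are unusable, 2 if openssl is present and reports that the key does
# not belong to the certificate.
install_haproxy_pem() {
  dir="$ACME_DIR/$1"
  # acme.sh stores ECC certificates (its default key type in recent versions)
  # under <domain>_ecc; prefer that folder when it exists.
  [ -d "${dir}_ecc" ] && dir="${dir}_ecc"
  chain="$dir/fullchain.cer"; key="$dir/$1.key"
  tmp="$HAPROXY_PEM.tmp.$$"
  build_haproxy_pem "$chain" "$key" "$tmp" || return 1
  rc=0; key_matches_cert "$chain" "$key" || rc=$?
  if [ "$rc" -ne 0 ] && [ "$rc" -ne 3 ]; then rm -f "$tmp"; return 2; fi
  mv -f "$tmp" "$HAPROXY_PEM"
}

# Usage on the FE, as root, after acme.sh has issued the certificate:
#   install_haproxy_pem <server_domain> && systemctl reload haproxy
```

The same function is what an acme.sh renewal hook should run: a renewed certificate only takes effect once the combined file has been rebuilt and HAProxy reloaded, and because the challenge used here needs port 443, the renewal must stop HAProxy before the challenge and start it again afterwards.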

5.1.10.4.2. Configuring web certificate in VPN Gateway

In this step, configure the HAProxy service on the VPN Gateway (FrontEnd) to use the HTTPS certificate generated above.

  1. Place the certificate on the FrontEnd:

    1. If you use a certificate issued to the company: copy the PEM file containing the certificate chain followed by the corresponding private key to the folder “/etc/ssl/certs/” under the file name “cert_emma.pem”.

    2. If you use a Let’s Encrypt certificate: copy the cert_emma.pem file generated in the previous section to the same location, /etc/ssl/certs/cert_emma.pem.

    In both cases the file contains the private key, so make it readable by root only (mode 0600). HAProxy loads it while still running as root, before dropping privileges, so the restrictive mode does not interfere with the service.

  2. Enable the HTTPS configuration in HAProxy:

    1. Uncomment (remove the # from the start of) the following lines inside the “FrontEnd” block of the “/etc/haproxy/haproxy.cfg” file. The bind line loads the combined certificate and disables SSLv3 and TLS 1.0; TLS 1.1 is also obsolete, so adding no-tlsv11 (or ssl-min-ver TLSv1.2) to that line is advisable. The redirect sends plain HTTP clients to HTTPS. On HAProxy 2.1 and later the reqadd directive no longer exists and the configuration is rejected; there, replace that line with “http-request set-header X-Forwarded-Proto https if { ssl_fc }”, which also prevents a client from supplying its own value for the header:

#bind emmafront:443 ssl crt /etc/ssl/certs/cert_emma.pem no-sslv3 no-tlsv10 no-tls-tickets
#redirect scheme https code 301 if !{ ssl_fc }
#reqadd X-Forwarded-Proto:\ https
  3. Check the configuration and restart the HAProxy service. Running haproxy -c -f /etc/haproxy/haproxy.cfg first parses the file and reports errors (a missing certificate file, or a key that does not match the certificate, shows up here) without touching the running service:

systemctl restart haproxy
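An added pre-restart check for this step, not part of the product or of HAProxy; the function names are this example’s own. It reads haproxy.cfg and confirms that the TLS bind is active (not still commented out) and points at a combined PEM that exists, contains the private key and is readable by its owner only; it lists any remaining req*/rsp* directives, which HAProxy 2.1 removed (the reqadd line above is one); and it runs HAProxy’s own parser in check mode when the binary is available. The usage comment at the end chains these into the restart.

```shell
#!/bin/sh
# Sanity checks for the HTTPS frontend in haproxy.cfg before HAProxy is
# restarted. Added example for this guide; not part of the product or of
# HAProxy. Function names are this example's own.

# crt_path_from_bind <cfg>: print the crt argument of the first uncommented
# "bind ... crt <file>" line (a line whose first word still starts with # is
# not seen as a bind line).
crt_path_from_bind() {
  awk '$1 == "bind" { for (i = 2; i <= NF; i++) if ($i == "crt" && i < NF) { print $(i + 1); exit } }' "$1"
}

# list_removed_directives <cfg>: print uncommented lines that use the old
# request/response rewriting keywords (reqadd, reqrep, rspadd, ...). HAProxy
# 2.1 and later reject them; http-request / http-response replace them.
list_removed_directives() {
  awk '$1 ~ /^(req|rsp)(add|allow|del|deny|iallow|idel|ideny|ipass|irep|isetbe|itarpit|pass|rep|setbe|tarpit)$/' "$1"
}

# check_haproxy_tls_frontend <cfg>: 0 if the TLS bind is active and points at
# a usable combined PEM. 1: no active bind with a crt argument. 2: PEM missing
# or empty. 3: PEM does not contain the private key. 4: PEM readable by others.
check_haproxy_tls_frontend() {
  crt=$(crt_path_from_bind "$1")
  [ -n "$crt" ] || return 1
  [ -s "$crt" ] || return 2
  grep -q 'PRIVATE KEY-----' "$crt" || return 3
  case "$(ls -l "$crt")" in
    -rw-------*) return 0 ;;
    *) return 4 ;;
  esac
}

# validate_haproxy_cfg <cfg>: run HAProxy's own parser in check mode and
# return its status, or 3 when the haproxy binary is not available here.
validate_haproxy_cfg() {
  command -v haproxy >/dev/null 2>&1 || return 3
  haproxy -c -f "$1" >/dev/null 2>&1
}

# Usage on the FrontEnd (as root):
#   cfg=/etc/haproxy/haproxy.cfg
#   check_haproxy_tls_frontend "$cfg" \
#     && [ -z "$(list_removed_directives "$cfg")" ] \
#     && validate_haproxy_cfg "$cfg" \
#     && systemctl restart haproxy
```

A non-empty result from list_removed_directives on HAProxy 2.1 or later means the restart would fail; on older versions it is a reminder that the line has to be migrated before the next upgrade.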