HAProxy环境下使用letsencrypt申请https证书

操作系统：centos7

先下载certbot-auto工具，此工具是用来申请证书并续期的脚本。
wget
chmod a+x certbot-auto

先申请证书：
使用cerbot-auto不需要修改haproxy.cfg配置文件就可以申请到证书。

停止HAProxy服务
systemctl stop haproxy

获取证书（分两次获取两张证书，每个证书对应两个域名）
./certbot-auto certonly --standalone -d a.yourdomain.com -d c.yourdomain.com

./certbot-auto certonly --standalone -d b.yourdomain.com -d d.yourdomain.com


获取到的证书文件保存在
/etc/letsencrypt/live/a.yourdomain.com里面

启动haproxy服务。

合并证书以便haproxy使用
cd /etc/letsencrypt/live/a.yourdomain.com
cat fullchain.pem privkey.pem >>haproxyyoursitea.pem

cd /etc/letsencrypt/live/b.yourdomain.com
cat fullchain.pem privkey.pem >>haproxyyoursiteb.pem


自动续期（续期没有测试是否可以正常使用）
将下列命令加入 cron 即可：
certbot-auto renew --quiet # CentOS/RHEL




具体文档在：



配置haproxy.cfg文件已使用证书
#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#  
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local3 err
    log         127.0.0.1 local7 debug
    #log         127.0.0.1 local0 info
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    #stats bind-process
    daemon
                nbproc 4
    tune.ssl.default-dh-param 2048             #这个一定要添加
    crt-base /etc/letsencrypt

     #turn on stats unix socket
    #stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor      # except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend http-in
         bind *:80
         option accept-invalid-http-request 
         acl is_www_yoursitec hdr_end(host) -i yoursitec.yourdomain.com
         acl is_www_yoursited hdr_end(host) -i yoursited.yourdomain.com
         acl is_www_yoursitea hdr_end(host) -i yoursitea.yourdomain.com
         acl is_www_yoursiteb hdr_end(host) -i yoursiteb.yourdomain.com         
         redirect prefix if is_www_yoursitea    #自动跳转到https     
         use_backend www_yoursitec if is_www_yoursitec
         use_backend www_yoursited if is_www_yoursited
         use_backend www_yoursitea if is_www_yoursitea
         use_backend www_yoursiteb if is_www_yoursiteb         
         default_backend www_xianjxx

frontend https
    bind *:443 ssl crt /etc/letsencrypt/haproxyyoursitea.pem crt /etc/letsencrypt/haproxyyoursiteb.pem
   mode http
    reqadd X-Forwarded-Proto:\ https
 use_backend www_yoursitea if { ssl_fc_sni yoursitea.yourdomain.com }
  use_backend www_yoursitec if { ssl_fc_sni yoursitec.yourdomain.com  }
  use_backend www_yoursiteb if { ssl_fc_sni yoursiteb.yourdomain.com  }
  use_backend www_yoursited if { ssl_fc_sni yoursited.yourdomain.com  }
  
 default_backend www_yoursitea

backend www_yoursitec
        cookie SERVERID insert nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        option httpclose
        option forwardfor
        server yoursitec 192.168.100.10:80 cookie yoursitec


backend www_yoursited
        cookie SERVERID insert nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        option httpclose
        option forwardfor
        server yoursited 192.168.100.10:80 cookie yoursited


backend www_yoursitea
        cookie SERVERID insert nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        option httpclose
        option forwardfor
        server yoursitea 192.168.100.10:80 cookie yoursitea


backend www_yoursiteb
        cookie SERVERID insert nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        option httpclose
        option forwardfor
        server yoursiteb 192.168.100.10:80 cookie yoursiteb