Have an error while trying to load https page with Haproxy (instaled on load balancer server) + Lets Encrypt (instaled on load balancer server) + Nginx (instaled on worker nodes). Please, need your help with this (P.S. Http works good!). Bellow I have attached config files:
UFW rules (all nodes):
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
22 ALLOW Anywhere
21 ALLOW Anywhere
3306,4444,4567,4568/tcp ALLOW Anywhere
4567/udp ALLOW Anywhere
8080 ALLOW Anywhere
8443 ALLOW Anywhere
8444 ALLOW Anywhere
8445 ALLOW Anywhere
8443/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
21 (v6) ALLOW Anywhere (v6)
3306,4444,4567,4568/tcp (v6) ALLOW Anywhere (v6)
4567/udp (v6) ALLOW Anywhere (v6)
8080 (v6) ALLOW Anywhere (v6)
8443 (v6) ALLOW Anywhere (v6)
8444 (v6) ALLOW Anywhere (v6)
8445 (v6) ALLOW Anywhere (v6)
8443/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
/etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-A>
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY130>
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 50000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend serv
bind :80
bind :443 ssl crt /etc/haproxy/certs/sp.net.pem
default_backend serv
option forwardfor
backend serv
balance roundrobin
server spnode1 192.168.88.30:80 check
server spnode2 192.168.88.29:80 check
To create a single .pem file for Haproxy, was used this code:
DOMAIN='sp.net' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
Final file was pasted to directory /etc/haproxy/certs/
Thank you for any help!
