How the Let’s Encrypt integration with Atomia works and how to set it up.
Overview
If you set the Let’s Encrypt integration as default when using Haproxy as a load balancer for your web clusters, your customers get automatically maintained SSL certificates for all websites, without any action required on their part.
The Let’s Encrypt integration is entirely contained on the Haproxy load balancers. It fetches the web cluster configuration periodically and extracts the list of active websites from it. For each website it maintains SSL certificates from Let’s Encrypt through acmetool, with challenges answered statelessly by a Lua script added to the Haproxy configuration. Haproxy is then configured to use the Let’s Encrypt certificate only if no other certificate exists for the same common name (i.e. a manually added SSL certificate for that name takes precedence).
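The stateless challenge handling described above, as an added illustration in Python rather than the module's Haproxy Lua script (this is not code from puppet-atomia): a responder needs no per-challenge state because the HTTP-01 key authorization is just the token taken from the request URL joined to the RFC 7638 thumbprint of the ACME account key. The account JWK below is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json
import re

# Constructed sample ACME account public key (JWK). Real account keys are 2048-bit
# RSA or P-256 EC keys; the modulus here is a placeholder, not a real key.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-placeholder", "e": "AQAB"}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url with at least 128 bits of entropy (22+ characters).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    lexicographically ordered, serialised without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def respond(path: str, thumbprint: str):
    """Stateless HTTP-01 responder. Returns (status, body) for challenge requests
    and None for any other path, which the load balancer passes to the backend.
    No stored state is needed: key authorization = token + "." + thumbprint."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return 404, "not found"  # never echo arbitrary request input back
    return 200, f"{token}.{thumbprint}"


if __name__ == "__main__":
    tp = jwk_thumbprint(ACCOUNT_JWK)
    print("thumbprint:", tp)
    print(respond(CHALLENGE_PREFIX + "A" * 22, tp))
```

Because the thumbprint depends only on the account key, every load balancer sharing that key can answer challenges for every domain without coordinating with acmetool.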
Before you begin
The Let’s Encrypt integration requires that your load balancer runs Ubuntu 16.04 (this is due to the version of Haproxy required).
Integrating Let’s Encrypt
The following Puppet variables of the Haproxy puppet module affect the Let’s Encrypt integration:
- certificate_sync_ssh_key: Setting this enables the integration. It should be set to a private SSH key that can access the web cluster configuration.
- acme_agreement: Should be set to the URL of the agreement you accept when auto-creating accounts. The default should work.
- acme_endpoint: Should be set to the URL of the live Let’s Encrypt endpoint, or of the testing endpoint if you are setting up a test environment. The default should work.
- preview_domain: Verify that this is set to your preview hostname so that no certificates are requested for preview URLs (requesting them would make you hit Let’s Encrypt rate limits).
- apache_config_sync_source, iis_config_sync_source: Should be set to SCP locations for the corresponding web cluster configuration folders.
If you already have a Haproxy 1.6 load balancer and want to manually set up the Let’s Encrypt integration, the needed configuration can be extracted from the commit where the functionality landed in the default puppet-atomia Haproxy module.