What are we doing here?

Let's set up HAProxy with some lovely free certs from Let's Encrypt via certbot for a couple of domains. Everything running in docker, and all tied together with docker-compose. We'll use docker user-defined networks, because that's the Right Thing To Do.

This should be easy. Right?

Docker: easy. HAProxy: easy. Let's Encrypt: easy. Docker and HAProxy and Let's Encrypt: minor pain in the arse.

There are a few things that make this a bit of a hassle:

  1. We want haproxy to be listening on ports 80/443, but those are the ports certbot's standalone authenticator needs to bind to answer the validation challenge.
    We'll have to do this in two stages: get the certs before haproxy is up, then start haproxy with them.
  2. haproxy with the default config won't start up if it can't resolve the container names of its backends (`default-server init-addr last,libc,none` relaxes that, but the default is to refuse to start). Since certbot is just a command to be run in a container, it probably won't be running when haproxy starts up.
  3. certbot needs to be run once in one way to request the certs, and then every couple of days/weeks in another way to check and renew them.
    We'll need two different incantations for certbot.
  4. When the certs are renewed, we'll need to tell haproxy to pick them up.
    Some docker-in-docker magic is required.
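Items 3 and 4 are exactly what a certbot deploy hook is for. The script below is an added example, not code from the original post. It assumes a certbot container with the Docker socket mounted (`-v /var/run/docker.sock:/var/run/docker.sock`), a haproxy container named `haproxy` (the official image treats SIGHUP as a graceful reload), and a shared volume at `/etc/haproxy/certs` that haproxy's `bind ... crt` directive points at; all three names are assumptions. HAProxy wants one PEM per domain with the certificate chain first and the private key after it, which certbot does not produce, so the hook builds that file and then signals haproxy. certbot sets `RENEWED_LINEAGE` when it runs deploy hooks; the file only acts when that variable is present, so it can also be sourced to exercise the functions.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (added example, not the post's own code).
# certbot runs deploy hooks with RENEWED_LINEAGE=/etc/letsencrypt/live/<name>
# set after every successful renewal.
set -eu

# Directory haproxy's `bind ... crt` points at (assumed mount path).
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
# Name of the haproxy container to signal (assumed name).
HAPROXY_CONTAINER="${HAPROXY_CONTAINER:-haproxy}"

# HAProxy expects a single PEM per domain: certificate chain first, then the
# private key. Builds <out_dir>/<name>.pem from a certbot lineage directory
# and prints the path of the file it wrote.
# Usage: combine_cert <lineage_dir> <out_dir>
combine_cert() {
    lineage="$1"; out_dir="$2"
    name=$(basename "$lineage")
    [ -s "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage" >&2; return 1; }
    [ -s "$lineage/privkey.pem" ]   || { echo "missing privkey.pem in $lineage" >&2; return 1; }
    mkdir -p "$out_dir"
    tmp="$out_dir/.$name.pem.tmp"
    # Restrictive umask: the combined file carries a private key.
    (umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp")
    # Atomic rename so haproxy never reads a half-written file on reload.
    mv "$tmp" "$out_dir/$name.pem"
    echo "$out_dir/$name.pem"
}

# Ask the haproxy container to reload. The official image handles SIGHUP as a
# graceful reload, so in-flight connections are not dropped. Requires the
# docker socket to be mounted into the container running this hook.
reload_haproxy() {
    docker kill -s HUP "$HAPROXY_CONTAINER"
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combine_cert "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR"
    reload_haproxy
fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it in `/etc/letsencrypt/renewal-hooks/deploy/`) so it only runs when a cert actually changed, not on every renewal check.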