How to handle http to https redirect with load balancer and letsencrypt

I have a stack setup that uses the letsencrypt image from the catalog to do ssl termination from the built-in load balancer. I want to force non-ssl pages for my site to go to ssl, so I use this in the haproxy config:

frontend 80
redirect scheme https code 301 if !{ ssl_fc }

This works well. It redirects all my traffic to https, which is what I want. However, because of this, the letsencrypt service can’t be accessed on port 80 for certificate renewal. I have a service rule in place on the load balancer that sends the following path to letsencrypt on port 80:

/.well-known/acme-challenge

Since the haproxy config redirects to ssl, the verification process is never able to access the letsencrypt stack on port 80.

Does anyone have any advice on how to handle this? I’d like to keep forwarding all non-ssl traffic to ssl on my site, but allow an exception for the /.well-known/acme-challenge path to go through on port 80 to renew the certificate.

Hey, did you ever figure this out? Running into the same thing.

No, I haven’t solved this yet. So far, I’ve just been manually turning off the SSL redirect to renew the cert, then I turn it back on.

If anyone else has suggestions for this, please let me know.

I do it like this:

acl letsencrypt path_beg /.well-known/acme-challenge/
redirect scheme https code 301 if !letsencrypt !{ ssl_fc }
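The decision the two HAProxy lines above make, as an added example that is not part of this thread: a small Python model of the acl and the conditional redirect, run over constructed requests. The `Request` type, the host name and the "site"/"letsencrypt" labels are assumptions for illustration; it also shows why the trailing slash in the `path_beg` prefix matters.

```python
# Added example, not from the thread: models how HAProxy evaluates
#   acl letsencrypt path_beg /.well-known/acme-challenge/
#   redirect scheme https code 301 if !letsencrypt !{ ssl_fc }
# Request fields, host names and backend labels below are constructed.
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"  # trailing slash, as in the answer


@dataclass
class Request:
    host: str
    path: str      # request path without query string (HAProxy 'path')
    ssl_fc: bool   # True when the client connection used TLS


def path_beg(req: Request, prefix: str) -> bool:
    """HAProxy 'path_beg': true if the request path starts with prefix."""
    return req.path.startswith(prefix)


def frontend_80(req: Request) -> tuple:
    """Return ("redirect", location) or ("pass", which_service)."""
    letsencrypt = path_beg(req, ACME_PREFIX)
    if not letsencrypt and not req.ssl_fc:
        # 'redirect scheme https' keeps host and path, swaps only the scheme
        return ("redirect", f"https://{req.host}{req.path}")
    # Not redirected: the load balancer's service rules decide the backend,
    # including the rule that routes the ACME path to the letsencrypt service.
    return ("pass", "letsencrypt" if letsencrypt else "site")


if __name__ == "__main__":
    for r in [
        Request("example.test", "/", False),
        Request("example.test", "/.well-known/acme-challenge/tok3n", False),
        Request("example.test", "/.well-known/acme-challenge", False),  # no slash
        Request("example.test", "/login", True),
    ]:
        print(f"{r.path!r:45} ssl={r.ssl_fc!s:5} -> {frontend_80(r)}")
```

The third request shows that a path without the trailing slash is still redirected; ACME validation always requests `/.well-known/acme-challenge/<token>`, so the prefix with the slash is the right one.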