How to handle http to https redirect with load balancer and letsencrypt

I have a stack setup that uses the letsencrypt image from the catelog to do ssl termination from the built-in load balancer. I want to force non-ssl pages for my site to go to ssl, so I use this in the haproxy config:

frontend 80
redirect scheme https code 301 if !{ ssl_fc }

This works well. It redirects all my traffic to https, which is what I want. However, because of this, the letsencrypt service can’t be accessed on port 80 for certificate renewal. I have a service rule in place on the load balancer that sends the following path to letsencrypt on port 80:


Since the haproxy config redirects to ssl, the verification process is never able to access the letsencrypt stack on port 80.

Does anyone have any advice on how to handle this? I’d like to keep forwarding all non-ssl traffic to ssl on my site, but allow an exception for the /.well-known/acme-challenge path to go through on port 80 to renew the certificate.

hey did you ever figure this out? running into the same thing

No, I haven’t solved this yet. So far, I’ve just been manually turning off the SSL redirect to renew the cert, then I turn it back on.

If anyone else has suggestions for this, please let me know.

I do it like this:

acl letsencrypt path_beg /.well-known/acme-challenge/
redirect scheme https code 301 if !letsencrypt !{ ssl_fc }