On Tue, Nov 14, 2023 at 02:21:44PM +0100, Christoph Kukulies wrote:
> Thanks.
>
> I did a fresh
>
> acme.sh --issue -d domain ... --keylength 2048
>
> with prior revoking of the certificates, since I was a bit unsure as far as the
> partial exposure of my private key was concerned - thanks, Shawn.
>
> I went back to the Wiki and found the necessary steps there:
>
> DEPLOY_HAPROXY_HOT_UPDATE=yes
> DEPLOY_HAPROXY_STATS_SOCKET=/var/run/haproxy/admin.sock
> DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d www.mydomain.org --deploy-hook haproxy
> [Tue Nov 14 02:07:26 PM CET 2023] Deploying PEM file
> [Tue Nov 14 02:07:26 PM CET 2023] Moving new certificate into place
> [Tue Nov 14 02:07:26 PM CET 2023] Reload successful
> [Tue Nov 14 02:07:26 PM CET 2023] Success
> acme@mail:~/.acme.sh$ ls -l /etc/haproxy/certs
> total 12
> -rw-rw-r-- 1 acme acme 8489 Nov 14 14:07 www.mydomain.org.pem
>
> Christoph Kukulies
> k...@kukulies.org
>
> This file seems to be assembled by the deploy script (since it contains the
> private key).
>
> So far so good for the first. Got to implement the renewal mechanism now.
I don't think you followed the wiki instructions correctly: the DEPLOY_HAPROXY_HOT_UPDATE=yes option is supposed to prevent the reload by using the CLI. It does not look like that is working here. You must have skipped the installation of the deploy script.

https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh#acmesh-installation

-- 
William Lallemand
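Added here as an example that is not part of the thread, of acme.sh or of HAProxy: a small POSIX shell script with the checks a practitioner would run after the deploy step quoted above. It assumes the deploy output was captured (the embedded sample is the output Christoph quoted), treats a "Reload successful" line as the sign that the hook reloaded HAProxy instead of hot-updating it through the stats socket (inferred from William's remark, not from acme.sh documentation), and checks that a PEM file holding a private key is not group- or world-readable, since the file listed above is mode rw-rw-r-- and, as Christoph notes, contains the private key. The `show ssl cert` command sent through socat is HAProxy's own CLI command; the socket path is the one from the thread.

```shell
#!/bin/sh
# Post-deploy sanity checks for the acme.sh haproxy deploy hook.
# Example code added for this thread; not part of acme.sh or HAProxy.
# Assumptions (not stated in the thread): the deploy output was captured
# to a variable or file, and "Reload successful" in that output means the
# hook took the reload path rather than the stats-socket hot update.

# Constructed sample: the deploy output quoted in the thread.
SAMPLE_DEPLOY_LOG='[Tue Nov 14 02:07:26 PM CET 2023] Deploying PEM file
[Tue Nov 14 02:07:26 PM CET 2023] Moving new certificate into place
[Tue Nov 14 02:07:26 PM CET 2023] Reload successful
[Tue Nov 14 02:07:26 PM CET 2023] Success'

# Returns 0 when the deploy output shows a full reload, i.e. the hot update
# via DEPLOY_HAPROXY_STATS_SOCKET did not happen (William's point above).
deploy_fell_back_to_reload() {
    printf '%s\n' "$1" | grep -q 'Reload successful'
}

# Returns 0 when the PEM file carries a private key (the deploy hook writes
# key and certificate into one file, as the ls output shows) and is readable
# by group or others; returns 1 otherwise.
pem_key_too_permissive() {
    pem="$1"
    grep -q 'PRIVATE KEY' "$pem" || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    go=${mode#${mode%??}}            # last two octal digits: group, other
    case "$go" in
        [4567]?|?[4567]) return 0 ;;  # read bit set for group or other
        *) return 1 ;;
    esac
}

# Asks HAProxy over its stats socket which certificates it has loaded.
# Uses the "show ssl cert" CLI command via socat; returns 2 when the socket
# is absent or socat is not installed, so callers can skip it safely.
haproxy_show_ssl_cert() {
    sock="${1:-/var/run/haproxy/admin.sock}"
    [ -S "$sock" ] && command -v socat >/dev/null 2>&1 || return 2
    echo 'show ssl cert' | socat stdio "unix-connect:$sock"
}

# Stand-alone usage: sh check.sh /etc/haproxy/certs/www.mydomain.org.pem
if [ -n "$1" ]; then
    pem_key_too_permissive "$1" && echo "WARNING: $1 holds a private key readable by group/other"
fi
if deploy_fell_back_to_reload "$SAMPLE_DEPLOY_LOG"; then
    echo "sample deploy output shows a reload, not a hot update"
fi
haproxy_show_ssl_cert /var/run/haproxy/admin.sock || echo "stats socket not checked (rc=$?)"
```

Run it with the PEM path as its only argument on the HAProxy host; if `show ssl cert` lists the new file while the deploy output still says "Reload successful", the certificate is loaded but the hot-update path was not taken, which is the situation William describes.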