Using the connector

This page describes how to use the connector to automate the certificate lifecycle management on HAProxy load balancers.

All available options for the connector:

./sectigo-haproxy-connector [--help] [--configure] [--version] [cert info --filename]

Enroll a certificate

Run the connector as a sudo user to enroll certificates for all certificate profiles available in the certificates.yml file. Root privileges are required to update the HAProxy configuration file and restart the HAProxy service. You need to accept the EULA when you use the connector for the first time.

sudo ./sectigo-haproxy-connector

The provisioned certificates can be found in /etc/haproxy/ssl.

Verify SSL enablement

To verify SSL enablement on HAProxy, open the /etc/haproxy/haproxy.cfg file and verify the presence of the bind :443 ssl crt <path_to_certificate> configuration directive, which is added or updated by the connector.

frontend www-https
  mode http
  bind :80
  bind :443 ssl crt /etc/haproxy/ssl/<john_doe_com.pem>
  http-request redirect scheme https unless { ssl_fc }
  default_backend web_servers

For more information about frontend configuration, see Frontend.
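The same check can be automated. The following script is an added example and is not part of the connector or its documentation; it parses the frontend and listen sections of a haproxy.cfg, lists every bind with its ssl flag and crt path, and reports any :443 bind that lacks ssl crt or any crt path outside /etc/haproxy/ssl (the directory where the connector stores provisioned certificates). The configuration text embedded below is constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample haproxy.cfg (not from the original page). The second
# frontend deliberately binds :443 without the ssl/crt parameters.
SAMPLE_CFG = """\
global
  log /dev/log local0

frontend www-https
  mode http
  bind :80
  bind :443 ssl crt /etc/haproxy/ssl/john_doe_com.pem
  http-request redirect scheme https unless { ssl_fc }
  default_backend web_servers

frontend legacy
  mode http
  bind :443   # TLS never enabled here
  default_backend web_servers
"""

SECTION_RE = re.compile(r"^(frontend|listen)\s+(\S+)")
BIND_RE = re.compile(r"^\s*bind\s+(\S+)(.*)$")


def parse_binds(cfg_text: str) -> Dict[str, List[dict]]:
    """Per frontend/listen section, return each bind's address,
    whether the 'ssl' keyword is set, and the 'crt' path (None if absent)."""
    sections: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)
            sections.setdefault(current, [])
            continue
        if not line[0].isspace():
            current = None  # global/defaults/backend: binds not expected
            continue
        b = BIND_RE.match(line)
        if b and current is not None:
            params = b.group(2).split()
            crt = None
            if "crt" in params:
                idx = params.index("crt")
                crt = params[idx + 1] if idx + 1 < len(params) else None
            sections[current].append(
                {"addr": b.group(1), "ssl": "ssl" in params, "crt": crt})
    return sections


def find_problems(cfg_text: str, ssl_dir: str = "/etc/haproxy/ssl/") -> List[str]:
    """Flag :443 binds without 'ssl crt' and crt paths outside ssl_dir."""
    problems = []
    for name, binds in parse_binds(cfg_text).items():
        for b in binds:
            if b["addr"].endswith(":443") and not (b["ssl"] and b["crt"]):
                problems.append(f"{name}: {b['addr']} bound without 'ssl crt'")
            elif b["crt"] and not b["crt"].startswith(ssl_dir):
                problems.append(f"{name}: crt {b['crt']} is outside {ssl_dir}")
    return problems


if __name__ == "__main__":
    for p in find_problems(SAMPLE_CFG):
        print(p)
```

To check a live host, read /etc/haproxy/haproxy.cfg into cfg_text and call find_problems on it; an empty list means every :443 bind references a certificate under /etc/haproxy/ssl.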

Renew a certificate

To renew certificates for all certificate profiles available in the certificates.yml file, run the executable file as a sudo user. If a certificate is within the renewal period specified in the RenewBeforeDays parameter in certificates.yml, the connector requests a new certificate. The old certificate remains valid in SCM unless revoked manually.

sudo ./sectigo-haproxy-connector

Enable auto-renewal

You can create a cronjob that will invoke the script on a schedule (see crontab for cron schedule expressions) to check whether the certificate is eligible for renewal:

  1. Run crontab -e on the terminal.

  2. Select an editor.

  3. Add a cronjob that will trigger the script.

    The following example triggers sectigo-haproxy-connector every week.

    0 0 * * 7 sudo ./sectigo-haproxy-connector

  4. Save the crontab file.

Revoke and replace a certificate

Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed. The connector will attach the new certificate to the HAProxy load balancer.

View the certificate details

You can view the details of a provisioned certificate by using the following command.

sudo ./sectigo-haproxy-connector cert info --filename /etc/haproxy/ssl/<john_doe_com.pem>

Partial example response

Certificate:
  Data:
    Version: 3
    Serial Number: 136789734459515990570979607869763207419
    Signature Algorithm: SHA256-RSA
    Issuer: CN=Murray Issuing CA,O=Murray,L=Ottawa,ST=Ontario,C=CA
    Validity:
      Not Before: 2023-02-15 10:22:45 +0000 UTC
      Not After: 2024-02-15 10:22:45 +0000 UTC
    Subject: CN=john-doe.com,O=SrideviPrivateCA,POSTALCODE=K2J 0V1,STREET=300 March Road,ST=Ontario,C=CA

View the logs

The logs produced by the connector are stored in the ./logs directory. You can change the log level either while configuring the connector through the wizard or by updating the level parameter in the scm.yaml file. For a description of possible values, see Level logging.

Sample log file

time="2023-03-01T11:22:45Z" level=debug msg="configuration from scm.yaml file loaded!"
time="2023-03-01T11:22:45Z" level=debug
time="2023-03-01T11:22:45Z" level=debug msg="processing directory configs"
time="2023-03-01T11:22:45Z" level=debug msg="reading certificates config configs/certificates.yaml..."
time="2023-03-01T11:22:45Z" level=debug msg="configuration from configs/certificates.yaml file loaded!"
time="2023-03-01T11:22:45Z" level=debug msg="certificate count to be processed: 1"
time="2023-03-01T11:22:45Z" level=debug msg="processing certificate: 0 {myfrontend 03011322.ccmqa.com some comment [john.ccmqa.com doe.ccmqa.com *.jane.ccmqa.com] [email protected] 365 RSA 2048 {US Texas Texas Sectigo}}"
time="2023-03-01T11:23:11Z" level=info msg="03011322.ccmqa.com has sent to HAProxy Storage"
time="2023-03-01T11:23:11Z" level=debug msg="updating bind ssl certificate..."
time="2023-03-01T11:23:11Z" level=debug msg="bind :443 was updated successfully!"
time="2023-03-01T11:23:11Z" level=debug
time="2023-03-01T11:23:11Z" level=debug msg="done!"