Free SSL certs for your domain.

The GOAL...
Do you need HTTPS for your domain? You can get free wildcard SSL certificates from Let's Encrypt, as long as you can prove that you own the domain by adding or updating a DNS record for it. You can achieve this in 1-2 hours by following the steps below.
  1. Create a wildcard SSL certificate for your domain using Let's Encrypt
  2. Integrate the Let's Encrypt certificates with HAProxy for SSL termination
What are Let's Encrypt and HAProxy...
1. Let’s Encrypt is a Certificate Authority (CA) that enables HTTPS on your website by providing you with a globally valid certificate (a type of file) for free. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host. Here we are going to use DNS instead to confirm our identity.

2. HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.
Install HAPROXY Service...
First we will install haproxy on the server and enable it as a service. You may need to change the command according to your Linux distribution.

 
$  yum install -y haproxy
$  chkconfig haproxy on
    
Generate the certificate...
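First we will install the Let's Encrypt client (certbot) on the server. You may need to change the command according to your Linux distribution. We will then request the certificates one after the other with certbot's interactive wizard, using the commands below. For each request, certbot prints a TXT record to create under _acme-challenge.example.com; add it to your DNS and wait for it to propagate before continuing the wizard.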

 
$  yum install -y certbot
        
#  Quote the wildcard so the shell passes it to certbot unexpanded.
$  certbot -d '*.example.com' --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
$  certbot -d example.com     --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

$  cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/star.example.com.pem
$  cat /etc/letsencrypt/live/example.com-0001/fullchain.pem /etc/letsencrypt/live/example.com-0001/privkey.pem > /etc/haproxy/example.com.pem
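
The `cat ... >` commands above create the combined files with the shell's default umask, which typically leaves the private key readable by every local user. The following is an added example, not part of the original article: a hypothetical helper, `build_haproxy_pem`, that writes the same file with mode 600 and replaces it atomically, demonstrated on constructed placeholder files.

```shell
#!/bin/sh
# Added example (not from the original article): build the combined PEM that
# HAProxy's "crt" option reads, without leaving the private key world-readable.
# build_haproxy_pem is a hypothetical helper name.
# Usage with the article's paths (as root):
#   build_haproxy_pem /etc/letsencrypt/live/example.com /etc/haproxy/star.example.com.pem
build_haproxy_pem() (
    live_dir=$1
    out_file=$2
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    # Refuse to build from missing or empty inputs.
    for f in "$chain" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; exit 1; }
    done
    # Catch swapped or wrong files before HAProxy has to.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; exit 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; exit 1; }

    # The function body is a subshell, so this umask does not leak to the caller.
    umask 077
    # Temp file in the target directory: the final mv is an atomic rename, so
    # HAProxy never sees a half-written file and the old file survives a failure.
    tmp=$(mktemp "$out_file.XXXXXX") || exit 1
    if cat "$chain" "$key" > "$tmp"; then
        mv -f "$tmp" "$out_file"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# Demo on constructed placeholder files (no real key material).
demo() (
    d=$(mktemp -d) || exit 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' \
        '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    build_haproxy_pem "$d" "$d/site.pem" && ls -l "$d/site.pem"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo
```

Call the helper once per certificate directory, then validate the configuration and restart HAProxy as described in the following sections.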
    
Re-configure HAPROXY...
Modify the HAProxy configuration (/etc/haproxy/haproxy.cfg) to add the certificate locations. The configuration should look like the example below.

frontend ft_ssl_vip
  bind 0.0.0.0:443 ssl crt /etc/haproxy/star.example.com.pem crt /etc/haproxy/example.com.pem

  default_backend server_pool_backend      

backend server_pool_backend
  mode http
  option http-server-close
  option forwardfor  
  redirect  scheme https if !{ ssl_fc }
  server server_node1 server1:80 check fall 3 rise 2
  server server_node2 server2:80 check fall 3 rise 2
    
Restart HAPROXY and ENJOY free SSL...
Run the commands below to check that the configuration works and enjoy FREE SSL for your domain. You may need to change the commands according to your Linux distribution. None of them should produce an error message.

$  haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid
$  service haproxy stop
$  service haproxy start
$  service haproxy status
Redirecting to /bin/systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-08-12 23:04:33 BST; 1 day 22h ago
 Main PID: 3547 (haproxy-systemd)
   CGroup: /system.slice/haproxy.service
           ├─3547 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
           ├─3549 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
           └─3550 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
$  curl -i https://www.example.com
$  curl -i https://example.com
    