by mschuster91 3131 days ago
Where's your problem? Spin up a certbot docker container and use this here in haproxy:

    frontend http_in
      mode http
      bind *:80
      # HAProxy expects one PEM file holding the certificate chain followed by the private key
      bind *:443 ssl crt /path/to/letsencrypt/data/mydomain.pem
      # Route every ACME HTTP-01 challenge, whatever the Host header, to the certbot container
      acl path_letsencrypt path_beg /.well-known/acme-challenge
      use_backend letsencrypt if path_letsencrypt
    backend letsencrypt
      mode http
      server server-letsencrypt MYLOCALIP:8080

For the letsencrypt docker image, I use mesosphere/letsencrypt-dcos with a patched run.sh that triggers a docker kill -s HUP on the haproxy container.
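
A deploy hook in the spirit of the patched run.sh described above, added here as an example and not the commenter's script: it builds the single PEM file HAProxy's `crt` directive expects (certificate chain followed by the private key) and then sends the same SIGHUP to the haproxy container. The certbot live directory layout, the container name `haproxy` and the output path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn certbot's output into the
# combined PEM HAProxy loads, then HUP the haproxy container.
# Assumptions: certbot's live dir holds fullchain.pem and privkey.pem,
# the container is named "haproxy", the crt path matches the frontend above.
set -eu

# build_haproxy_pem <live_dir> <out_pem>
# certbot writes chain and key separately; HAProxy wants them in one file.
build_haproxy_pem() {
  live_dir=$1
  out_pem=$2
  [ -s "$live_dir/fullchain.pem" ] || { echo "missing fullchain.pem in $live_dir" >&2; return 1; }
  [ -s "$live_dir/privkey.pem" ]   || { echo "missing privkey.pem in $live_dir" >&2; return 1; }
  tmp="$out_pem.tmp"
  # Create the file with a restrictive mode before the key is written into it.
  ( umask 077; cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" )
  # Atomic rename so a reload never picks up a half-written file.
  mv "$tmp" "$out_pem"
}

# reload_haproxy <container>
# Same signal the patched run.sh sends; fails cleanly when docker is absent.
reload_haproxy() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found; skipping reload" >&2; return 1; }
  docker kill -s HUP "$1"
}

main() {
  live_dir=${1:-/etc/letsencrypt/live/mydomain}
  out_pem=${2:-/path/to/letsencrypt/data/mydomain.pem}
  build_haproxy_pem "$live_dir" "$out_pem"
  reload_haproxy haproxy
}

# Run main only when executed as deploy-hook.sh, so the functions can be sourced.
case "${0##*/}" in deploy-hook.sh) main "$@" ;; esac
```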

My problem is usually that I rely heavily on traefik being able to very easily issue certificates simply by having a backend with a hostname present.

If I, for example, configure my PHP VM to be reachable over "test.example.org" in Traefik, then Traefik will automatically try to issue a certificate for this domain once it detects the config change.

On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

If it was integrated, I would only have to tell HAP.

> On HAProxy this is not as easy as I need to tell both LE and HAP about the new backend.

You only need to tell the certbot container the new domain. The frontend config I gave you actually hits before any host-ACLs which means it will pass all acme-challenge requests on all domains to the certbot container, and certbot will reload haproxy when it's done.

No I need to tell both.

HAP still needs to know where to route the traffic to and LE needs to know which domains are available.