HA Proxy HTTPS offloading not working

I have a Unifi Controller running in an LXC container on a Proxmox server. It uses https at port 8443. I get the security error on my Chrome browser and would like to use HA Proxy to tie a LetsEncrypt certificate to the Unifi Controller. I’ve watched a couple of Tom’s videos (multiple times), but can’t make it work.
I’m using a host override to establish the FQDN. I can access the Unifi Controller with the FQDN.
I did successfully obtain a couple of LetsEncrypt certificates using the ACME service, one expressly for the Unifi Controller, and am successfully using one of them for access to pfSense.


The certificate manager shows both. Here’s the one for Unifi:

I’ve set up the backend as follows:

Here are three Frontend shots:



I’ve tried various listening addresses. None work. Can someone tell me what I’m doing wrong?

Disclaimer: I do not use UniFi equipment and my SSL offloading experience comes from using Netscaler devices. So let me ask you some more general questions to fully understand your question:

What is your ultimate goal here? Traffic designed to go to the Unifi Controller is getting an ssl cert error and you want to fix that? What is the specific cert error you are getting? Narrowing it down to that, let’s drill down:

You have a Proxmox server that has created an LXC container, which for you is running the UniFi Controller software, and it has an IP of 192.168.8.15. Per the Edit HAProxy Backend server pool shot, it’s listening on tcp port 8443. And no, Proxmox is not enforcing backend checks on the backend cert (not really needed for a home env.) Nothing at all wrong here.

You want to use the on pfSense cert, not the Unifi Production Cert, correct? Or vice versa?

Will clients be connecting to port 443 or 8443? Per your “front ends” screenshot, you have it set to port 443 ONLY. Is your intention to have clients connect on 443 and get forwarded to port 8443 on the backend?

For certificate trust to work, the Let’s Encrypt server cert you got needs to be linked to the CA that issued you that cert. On a Netscaler, that would be a command like "link ssl certKey " where a “certkey name” is a label that refers to a matching cert/key pair, so “link ssl certkey myservercert LetsEncryptCAcert”. Proxmox has to have equivalent functionality there, and it may be as simple as downloading the CA cert to your Proxmox and linking the two in order to fix your entire problem.

One final note: If you’re using your server cert to host multiple domains, you have a choice of using SANs or SNI.

SNI (Server Name Indication) is where the SSL Client Hello offers in cleartext to the server which particular domain it intends to connect to, and SNI directs the traffic for the appropriate domain.

SAN (Subject Alternative Names) is where the Client Hello does NOT do the above. The cert instead has a list of domain names for which it is responsible. If your domain name is on the list, great. If not, you should get an error in your browser. While it may look similar, it’s not the same error as the trust issue above.

On any linux host with openssl on it, do a “openssl x509 -in yourcertfile.crt -text -noout” and that’ll give you the CN and SANs that you added to the original cert request you made, so you can verify that what you want is there.
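To tell the two browser errors just described apart (chain not linked to a trusted CA versus the requested name not being among the certificate’s SANs/CN), here is an added Python check that is not from this thread or any of its posters; it connects to the HAProxy frontend with a given SNI name and classifies the result. The host, port and names are placeholders you supply.

```python
"""Diagnose what a TLS frontend actually serves: trust failure vs. name mismatch."""
import socket
import ssl


def _dns_names(cert):
    """Collect DNS SANs plus the subject CN from ssl.getpeercert() output."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert, hostname):
    """True if hostname is covered by a SAN or CN; one left-most wildcard label allowed."""
    host = hostname.lower().rstrip(".")
    for name in _dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def diagnose(host, port, sni):
    """Connect with SNI=sni and classify the outcome the way a browser would.

    Returns ("untrusted", reason) when the chain does not link to a trusted CA
    (e.g. a self-signed UniFi cert), ("name-mismatch", names) when the chain is
    fine but sni is not on the cert, or ("ok", names) otherwise.
    """
    ctx = ssl.create_default_context()   # system CA bundle, TLS 1.2+
    ctx.check_hostname = False           # name check is done separately below
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must link to a trusted CA
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    if not hostname_matches(cert, sni):
        return "name-mismatch", _dns_names(cert)
    return "ok", _dns_names(cert)


if __name__ == "__main__":
    # Placeholder values: replace with your pfSense address, frontend port and FQDN.
    print(diagnose("192.0.2.1", 443, "unifi.example.lan"))
```

Run it once against port 443 and once against 8443 to see which frontend actually presents the Let’s Encrypt chain.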

Everything that was said above, but also make sure you have the DNS set to point at the pfSense and firewall rules to allow it. Many of the HAProxy issues are when the DNS settings are not correct or the port for the WebUI is set the same as HAProx.

Tom, I’m using the DNS-based method of validation for the certificates, so the domain registry does not need to point to my network and I don’t have any firewall rules to permit entry. If I’m misinterpreting your comment, please let me know.
Kadarin, my ultimate goal is simply to avoid the cert error, as you guessed. The certificate being used is the self-generated certificate in the Unifi controller. The error is that the certificate is not trusted.
I initially tried setting up the pfSense cert for use with the Unifi controller. When that didn’t work, I obtained another LetsEncrypt certificate, just for the Unifi controller to see if that would work. It didn’t. I’d be happy if I could get either to work through HAProxy. I suppose it would be more elegant to be able to use the pfSense certificate and delete the Unifi certificate, but that’s not important.
I have tried using both port 443 and port 8443 on the Frontend, just to see if one would work. Again, it doesn’t really matter to me which port I’d use on the Frontend. Just looking for something that will work.
I’m not sure about linking the server cert to the CA. I am using the pfSense cert as the certificate for pfSense, and that works fine, so I assume it has been linked to the CA. The Unifi cert is set up the same way.
I was going to use the pfSense cert through HAProxy for my two Proxmox servers, but in the process I discovered that Proxmox has an ACME process that lets me obtain LetsEncrypt certs directly for them. I’ve done that for the two Proxmox servers, and those certs work fine. The Unifi controller is just a container running on Proxmox and has its own IP address. I hadn’t anticipated that I’d need to do anything in Proxmox to enable an HTTPS offload for the container itself. If I do need to do something in Proxmox, I don’t know how.
Finally, I’m not using either cert to host multiple domains.
Thank you to both for responding to my plea for help. I had first tried posting my question to the pfSense forum. Although there were a number of views, there were no responses.

Tom, I overlooked your last clause: “when…the port for the WebUI is set the same as HAProx.” I haven’t been able to find a port number for HAProx itself, if that’s what you meant. Probably not. The port on the HAProxy frontend (and backend) is currently set to 8443, the same as the port for the Unifi controller. I assume that’s not what you’re referring to.