author | Christian Breunig <christian@breunig.cc> | 2025-05-04 11:35:33 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-05-04 23:38:29 +0200 |
commit | 59957ad694043f41a7b1e9ee740b19c87f297867 (patch) | |
tree | bf53840d5fb5636c463ef8df9f8bd4e40d0778ac /src/conf_mode/load-balancing_haproxy.py | |
parent | aff2835d7b6226e4b89f51e3f6133da26f3a07bf (diff) | |
haproxy: T7122: always reverse-proxy ACL for certbot
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.
This is an intentional design decision that simplifies the implementation and
reduces overall code complexity. The added exposure is negligible: a request for
a path that does not exist returns HTTP 404, and an unavailable backend yields
HTTP 503.
This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.
By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
Diffstat (limited to 'src/conf_mode/load-balancing_haproxy.py')
-rw-r--r-- | src/conf_mode/load-balancing_haproxy.py | 9 |
1 files changed, 0 insertions, 9 deletions
diff --git a/src/conf_mode/load-balancing_haproxy.py b/src/conf_mode/load-balancing_haproxy.py
index f176009a0..0e959480c 100644
--- a/src/conf_mode/load-balancing_haproxy.py
+++ b/src/conf_mode/load-balancing_haproxy.py
@@ -22,7 +22,6 @@ from shutil import rmtree
 from vyos.config import Config
 from vyos.configverify import verify_pki_certificate
 from vyos.configverify import verify_pki_ca_certificate
-from vyos.defaults import internal_ports
 from vyos.utils.dict import dict_search
 from vyos.utils.process import call
 from vyos.utils.network import check_port_availability
@@ -59,14 +58,6 @@ def get_config(config=None):
                               with_recursive_defaults=True,
                               with_pki=True)
 
-    lb['certbot_port'] = internal_ports['certbot_haproxy']
-
-    if 'service' in lb:
-        for front, front_config in lb['service'].items():
-            for cert in dict_search('ssl.certificate', front_config) or []:
-                if dict_search(f'pki.certificate.{cert}.acme', lb):
-                    lb['service'][front]['ssl'].update({'acme_certificate': {}})
-
     return lb
 
 def verify(lb):