Securing a website container behind HAproxy?

Here we go again. I actually have what I need working. However, due to my own stupidity, I have lost my notes on how I actually did this using Letsencrypt for SSL. In general, I have an Ubuntu 18.04 host and two LXD 3.0.3 containers. One container is for HAproxy, the other is hosting a nodejs website. The main host does port 80 and 443 forwarding to the HAproxy container, which in turn routes, based on the sub-domain, to the nodejs/website container on a specific port. This works fine and once I got this to work, I jumped for joy! But like I said, my carelessness in documenting is killing me now. My Letsencrypt cert will expire in 18 days and the renew process is not working. Please see the attachment for more details. Basically looking for a recommendation on how to secure the website (SSL) using Letsencrypt. Any help would be appreciated. Ray

This is probably off topic for this forum but :man_shrugging:

You don’t really provide enough specific information about where you're getting your certs. Does haproxy perform SSL/TLS termination (i.e. node just listens on HTTP or uses a self-signed cert), or does the node service listen on HTTPS and use a cert from letsencrypt?

What does /etc/haproxy/haproxy.cfg say about SSL certificates?

Isn’t it just certbot renew, or did you do some other magic combination of commands when you set it up?

Do you need to do an extra configuration on haproxy for letsencrypt.
This is a tutorial about it

Here is the haproxy.cfg:
So I am confused on where I need to add certs: In the host server, lxd container hosting haproxy or the lxd container hosting the nodejs webserver?

frontend http_lb
  bind *:80
  bind *:443 ssl crt /etc/haproxy/certs/
  acl website hdr(host) -i streamingworld.us www.streamingworld.us
  acl broadcast hdr(host) -i bcast.streamingworld.us
  acl acl_letsencrypt path_beg /.well-known/acme-challenge/
  use_backend be_letsencrypt if acl_letsencrypt
  use_backend mainweb if website
  use_backend bcast1 if broadcast

backend be_letsencrypt
  server le 127.0.0.1:9001

backend mainweb
  balance leastconn
  # We set the X-Client-IP HTTP header. This is useful if we want the web server to know the real client IP.
  http-request set-header X-Client-IP %[src]
  redirect scheme https if ! { ssl_fc }
  # This backend, named here "mainweb", directs to container "website.lxd" (hostname).
  server website website.lxd:80 check

backend bcast1
  balance leastconn
  http-request set-header X-Client-IP %[src]
  redirect scheme https if ! { ssl_fc }
  # "ssl verify none": traffic to this backend is encrypted, but its certificate is not validated.
  server broadcast1 broadcast.lxd:9001 check ssl verify none
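
The posted config terminates TLS in the HAProxy container (`bind *:443 ssl crt /etc/haproxy/certs/`) and sends ACME challenges to `127.0.0.1:9001` there, so the sketch below is an added example, not part of the thread, of a certbot deploy hook that publishes a renewed certificate in the combined PEM layout HAProxy's `crt` reads. It assumes certbot runs inside the HAProxy container; the `CERT_DIR` default and the function name are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook for HAProxy.
# Assumed: CERT_DIR matches "crt /etc/haproxy/certs/" in the posted config;
# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy hooks.
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"

# build_haproxy_pem LINEAGE_DIR OUT_DIR
# Concatenates fullchain.pem + privkey.pem into OUT_DIR/<lineage name>.pem,
# the single-file layout HAProxy's "crt" expects. Prints the output path.
build_haproxy_pem() {
    lineage="$1"; out_dir="$2"
    chain="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    # Refuse to publish a missing or empty certificate/key pair.
    [ -s "$chain" ] && [ -s "$key" ] || { echo "missing cert or key in $lineage" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a private key" >&2; return 1; }
    out="$out_dir/$(basename "$lineage").pem"
    tmp="$out.tmp.$$"
    # Subshell keeps the restrictive umask local; the PEM holds the private key.
    ( umask 077; cat "$chain" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    # Rename within the same directory so HAProxy never reads a partial file.
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    echo "$out"
}

# Runs only when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" "$CERT_DIR" || exit 1
    # Validate the config (including the new PEM) before reloading.
    haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
fi
```

With certbot's standalone authenticator listening on the port the `be_letsencrypt` backend targets (`--http-01-port 9001`), the script can be passed to `certbot renew` through `--deploy-hook`.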