HAProxyConf Lightning talk

Zero-downtime TLS: Automating HAProxy certificate management with ACME

This presentation examines automated TLS certificate management through the ACME protocol and HAProxy's native implementation. The CA/Browser Forum's April 2025 decision to reduce maximum certificate validity from 398 days to 47 days makes manual renewal impractical, driving the need for full automation.

What you'll learn:

  • Evolution from manual processes through third-party ACME clients (Certbot, lego, acme.sh) to HAProxy 3.2's native ACME capabilities.
  • HTTP-01 challenge support and integration with the Data Plane API 3.2.
  • Ring buffer system enabling certificate updates without disk access during runtime.
  • Single-instance deployments and cluster management through HAProxy Fusion, with roadmap items including DNS-01 challenge support.

William Lallemand

Software Engineer

Marko Juraga

Development Team Lead
