diff --git a/dd-ctl b/dd-ctl
index 347761f..f4b45a0 100755
--- a/dd-ctl
+++ b/dd-ctl
@@ -216,7 +216,7 @@ build_compose(){
# Build compose ymls
docker-compose \
- "${MODSECURITY}" "${HAPROXY_WAF}" \
+ $MODSECURITY $HAPROXY_WAF \
\
-f dd-sso/docker-compose-parts/$BEHIND \
-f dd-sso/docker-compose-parts/api.yml \
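Review bot: The unquoted `$MODSECURITY $HAPROXY_WAF` on the `+` line now word-splits and glob-expands whatever those variables hold, and nothing in the hunk records why the quotes were dropped; presumably so that an empty value contributes no argument instead of an empty string that docker-compose rejects. A comment on that line, `# unquoted on purpose: an empty value must expand to no argument at all`, keeps the next reader from re-quoting it. If each value is a single token, `${MODSECURITY:+"$MODSECURITY"} ${HAPROXY_WAF:+"$HAPROXY_WAF"}` gives the same empty-vanishes behaviour without globbing; if they hold several words such as `-f file.yml`, the splitting is load-bearing and the comment should say so. build_compose starts before the hunk.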
diff --git a/dd-sso/docker/haproxy/Dockerfile b/dd-sso/docker/haproxy/Dockerfile
index 0f852f1..e8fdf86 100644
--- a/dd-sso/docker/haproxy/Dockerfile
+++ b/dd-sso/docker/haproxy/Dockerfile
@@ -21,7 +21,13 @@ ARG HAPROXY_IMG
FROM $HAPROXY_IMG as production
USER root
-RUN apk add openssl py-pip
+RUN apk add openssl certbot py-pip
+RUN pip install certbot-plugin-gandi
+
+COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/
+COPY letsencrypt.sh /usr/local/sbin/
+COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
+COPY auto-generate-certs.sh /usr/local/sbin/
COPY docker-entrypoint.sh /usr/local/bin/
RUN ln -s /usr/local/bin/docker-entrypoint.sh /
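Review bot: Neither `apk add openssl certbot py-pip` nor `pip install certbot-plugin-gandi` pins a version or suppresses the package cache, so the image is not reproducible and the apk index plus the pip wheel cache stay in the layer. `RUN apk add --no-cache openssl certbot py-pip` and `RUN pip install --no-cache-dir certbot-plugin-gandi==<PINNED_VERSION>` (version placeholder) keep the same tools and make a rebuild deterministic; pinning the apk packages too (`certbot=<PINNED_VERSION>`) is worth it for a component that handles private keys. The hunk also copies `letsencrypt-renew-cron.sh` into `/etc/periodic/daily/`, which only has an effect if crond runs in this container; a comment on that COPY line naming where crond is started (the `letsencrypt.sh` added in this commit, as far as I can see) makes that dependency visible. The production stage continues past the end of the hunk, so I cannot see whether a later `USER` follows the `USER root` context line.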
diff --git a/dd-sso/docker/haproxy/auto-generate-certs.sh b/dd-sso/docker/haproxy/auto-generate-certs.sh
new file mode 100755
index 0000000..5d9a10a
--- /dev/null
+++ b/dd-sso/docker/haproxy/auto-generate-certs.sh
@@ -0,0 +1,50 @@
+#
+# Copyright © 2021,2022 IsardVDI S.L.
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+cd /certs
+
+# Self signed cert generic data
+C=CA
+L=Barcelona
+O=localdomain
+CN_CA=$O
+CN_HOST=*.$O
+OU=$O
+
+echo '#### Creating 2048-bit RSA key:'
+openssl genrsa -out ca-key.pem 2048
+
+echo '#### Using the key to create a self-signed certificate to your CA:'
+openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \
+ -subj "/C=$C/L=$L/O=$O/CN=$CN_CA"
+
+echo '#### Creating server certificate:'
+openssl genrsa -out server-key.pem 2048
+
+echo '#### Creating a certificate signing request for the server:'
+openssl req -new -key server-key.pem -sha256 -out server-key.csr \
+ -subj "/CN=$CN_HOST"
+
+echo '#### Creating server certificate:'
+RND=$(( ( RANDOM % 1000 ) + 1 ))
+openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \
+ -set_serial $RND -sha256 -out server-cert.pem
+
+echo '#### Concatenate certs for haprox'
+cat server-cert.pem server-key.pem > chain.pem
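Review bot: `auto-generate-certs.sh` has no shebang and no `set -e`, so when `cd /certs` fails the CA and server keys are written into whatever directory the caller was in, and any failing openssl step still lets the final `cat` produce a chain.pem that haproxy will then load. The key files and chain.pem (which embeds `server-key.pem`) are also created under the default umask, i.e. readable by every user in the container. Using `RANDOM % 1000` for the serial gives only 1000 possible values under the same CA, so a regenerated server certificate can reuse a serial; `-set_serial "0x$(openssl rand -hex 8)"` avoids that. The sibling scripts in this commit start with `#!/bin/sh`, so this one should match, with the shebang placed above the license header.
```sh
#!/bin/sh
# … unchanged: license header …
# Fallback for deployments without a Let's Encrypt domain: a throwaway CA and a
# wildcard server certificate for *.localdomain, bundled into /certs/chain.pem.
set -eu
# key files and chain.pem embed private material: owner-only from creation
umask 077
cd /certs

# … unchanged: subject fields, CA key and self-signed CA cert, server key and CSR …

echo '#### Creating server certificate:'
# 64 random bits instead of RANDOM % 1000: serials must not repeat under one CA
openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \
  -set_serial "0x$(openssl rand -hex 8)" -sha256 -out server-cert.pem
# … unchanged: concatenation into chain.pem …
```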
diff --git a/dd-sso/docker/haproxy/docker-entrypoint.sh b/dd-sso/docker/haproxy/docker-entrypoint.sh
index 2a83c0d..ade9bce 100644
--- a/dd-sso/docker/haproxy/docker-entrypoint.sh
+++ b/dd-sso/docker/haproxy/docker-entrypoint.sh
@@ -23,6 +23,12 @@ set -e
ln -sf /usr/local/etc/haproxy/${HAPROXY_CFG:-haproxy.normal.cfg} /usr/local/etc/haproxy/haproxy.cfg
+LETSENCRYPT_DOMAIN="$DOMAIN" letsencrypt.sh
+
+if [ ! -e "/certs/chain.pem" ]; then
+ auto-generate-certs.sh
+fi
+
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- haproxy "$@"
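Review bot: Once `auto-generate-certs.sh` has written the self-signed `/certs/chain.pem`, Let's Encrypt is never attempted again: `letsencrypt.sh` only calls certbot when `/certs/chain.pem` is absent (its `if [ ! -f /certs/chain.pem ]` test), so a first start where certbot fails — port 80 unreachable, DNS not yet pointing here — leaves the self-signed certificate in place on every later restart until someone deletes the file by hand. Having the fallback leave a marker, `touch /certs/self-signed` right after `auto-generate-certs.sh`, and letting letsencrypt.sh retry while that marker exists (`if [ ! -f /certs/chain.pem ] || [ -f /certs/self-signed ]`, with the deploy hook removing the marker once a real certificate is installed) makes the fallback temporary rather than permanent. The same condition lives in the letsencrypt.sh hunk of this commit, so both need the change. The entrypoint script continues outside the hunk.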
diff --git a/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf b/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf
index 7892b79..e433219 100644
--- a/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf
+++ b/dd-sso/docker/haproxy/haproxy.proxy-protocol.conf
@@ -50,7 +50,7 @@ frontend website
mode http
bind :80
bind :8888 accept-proxy
- #redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+ redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem
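Review bot: With `redirect scheme https` now active, plain-HTTP requests for `/.well-known/acme-challenge/` are redirected before they can reach the certbot listener that the renew cron in this commit runs on port 8080, and I see no ACL or backend in this hunk that routes those paths; if none exists elsewhere in the file, the daily renewal will start failing once the initial certificate expires. Let's Encrypt does follow the redirect to https, but the :443 frontend would then still have to forward the challenge to 127.0.0.1:8080. Excluding the challenge path from the redirect and routing it to a certbot backend keeps renewals working. The frontend block starts before the hunk and continues after it, so the backend stanza below goes wherever the file keeps its other backends.
```haproxy
    # ACME http-01 challenges must reach certbot (the renew cron uses --http-01-port 8080)
    # and must be excluded from the https redirect
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend certbot if acme_challenge
    redirect scheme https if !acme_challenge !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
    # … unchanged: ssl_client_cert header handling, :443 bind …

backend certbot
    mode http
    server certbot 127.0.0.1:8080
```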
diff --git a/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh b/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh
new file mode 100755
index 0000000..3b3fc34
--- /dev/null
+++ b/dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright © 2021,2022 IsardVDI S.L.
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /certs/chain.pem
+
+kill -SIGUSR2 1
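Review bot: The hook truncates `/certs/chain.pem` before it knows the inputs are readable: the shell opens the redirect target first, so an unset `RENEWED_LINEAGE` or a missing lineage file leaves an empty or half-written chain.pem, and the unconditional `kill -SIGUSR2 1` then makes haproxy reload it. Building the bundle next to the live file and renaming it into place, with `set -eu` and `umask 077` so the bundled private key is not world-readable, keeps a failed renewal from taking the proxy down. The signal also assumes PID 1 is haproxy running in master-worker mode, which I cannot confirm from the diff; when this hook runs during first issuance (the `RENEWED_LINEAGE=... letsencrypt-hook-deploy-concatenante.sh` call in letsencrypt.sh), PID 1 is still the entrypoint shell and the signal should be a no-op, which deserves a comment.
```sh
#!/bin/sh
# … unchanged: license header …
set -eu
umask 077
# assemble the bundle beside the live file and swap it in with one rename, so a
# missing lineage file or an unset RENEWED_LINEAGE never leaves a truncated chain.pem
cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > /certs/chain.pem.tmp
mv /certs/chain.pem.tmp /certs/chain.pem

# SIGUSR2 reloads haproxy only when it is PID 1 in master-worker mode; during
# first issuance from the entrypoint it reaches the entrypoint shell instead
kill -SIGUSR2 1
```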
diff --git a/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh b/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh
new file mode 100755
index 0000000..486d64a
--- /dev/null
+++ b/dd-sso/docker/haproxy/letsencrypt-renew-cron.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright © 2021,2022 IsardVDI S.L.
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN
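Review bot: `certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN` depends on `LETSENCRYPT_DOMAIN` reaching the cron job's environment, which only happens if crond passes it through from the `LETSENCRYPT_DOMAIN=... crond` start in letsencrypt.sh; if it does not, the command asks for the lineage `sso.` and fails with an error that only surfaces wherever crond's output goes. A guard before the call, `[ -n "${LETSENCRYPT_DOMAIN:-}" ] || { echo "LETSENCRYPT_DOMAIN unset, skipping renew" >&2; exit 1; }`, plus quoting the argument, `--cert-name "sso.$LETSENCRYPT_DOMAIN"`, names the actual cause in the log. Dropping `--cert-name` altogether would renew every lineage certbot knows about, which is simpler if only one is ever issued in this container.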
diff --git a/dd-sso/docker/haproxy/letsencrypt.sh b/dd-sso/docker/haproxy/letsencrypt.sh
new file mode 100755
index 0000000..a571eff
--- /dev/null
+++ b/dd-sso/docker/haproxy/letsencrypt.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# Copyright © 2021,2022 IsardVDI S.L.
+#
+# This file is part of DD
+#
+# DD is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# DD is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with DD. If not, see .
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ]
+then
+ mkdir -p /etc/letsencrypt/renewal-hooks/deploy/
+ ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/
+fi
+
+if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ]
+then
+ LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond
+ if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]
+ then
+ option_root_domain="-d $LETSENCRYPT_DOMAIN"
+ fi
+ if [ ! -f /certs/chain.pem ]
+ then
+ if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \
+ -d "sso.$LETSENCRYPT_DOMAIN" \
+ -d "api.$LETSENCRYPT_DOMAIN" \
+ -d "admin.$LETSENCRYPT_DOMAIN" \
+ -d "moodle.$LETSENCRYPT_DOMAIN" \
+ -d "nextcloud.$LETSENCRYPT_DOMAIN" \
+ -d "wp.$LETSENCRYPT_DOMAIN" \
+ -d "oof.$LETSENCRYPT_DOMAIN" \
+ -d "pad.$LETSENCRYPT_DOMAIN" \
+ $option_root_domain
+ then
+ RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh
+ fi
+ fi
+fi
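Review bot: `[ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]` relies on the non-POSIX `==` operator under a `#!/bin/sh` shebang, and the outer `[ -n ... -a -n ... ]` uses the `-a` form POSIX marks obsolescent; `[ "$LETSENCRYPT_DOMAIN_ROOT" = "true" ]` and `[ -n "$LETSENCRYPT_DOMAIN" ] && [ -n "$LETSENCRYPT_EMAIL" ]` are equivalent on every sh, including the busybox ash this apk-based image presumably ships (whether that ash tolerates `==` I cannot confirm from here). `$option_root_domain` is referenced unquoted and stays unset when the root-domain branch is skipped, which is intentional so it expands to nothing; a one-line comment, `# intentionally unquoted: empty unless LETSENCRYPT_DOMAIN_ROOT is "true"`, saves the next reader a shellcheck detour. The eight hard-coded sub-domains are the script's real contract and deserve a comment stating that every one of them must already resolve to this host, since certbot rejects the whole request if any single name fails validation.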
diff --git a/dd-waf/docker/modsecurity/vhosts/000-default.conf b/dd-waf/docker/modsecurity/vhosts/000-default.conf
index def4c82..9b6cb8a 100644
--- a/dd-waf/docker/modsecurity/vhosts/000-default.conf
+++ b/dd-waf/docker/modsecurity/vhosts/000-default.conf
@@ -1,5 +1,5 @@
- modsecurity On
+ modsecurity Off
modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
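Review bot: Switching the default vhost to `modsecurity Off` turns the WAF engine off for every request while still loading `/etc/apache2/modsecurity.d/modsec_rules.conf`, and nothing in the diff says whether this is a temporary toggle or the intended default; presumably it relates to the `$MODSECURITY` compose switch touched in dd-ctl by the same commit, but that link is not visible here. A comment above the line stating the intent, `# engine off by default; enabled per deployment — the rules file is still parsed so the switch is cheap`, keeps a later reviewer from treating it as an accidental disable. If the goal is to stop blocking without losing visibility, `SecRuleEngine DetectionOnly` in the rules file logs matches without enforcing them, which is the more usual default for a WAF in front of an SSO stack.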