Use the raw directive to protect the shell code.

templates/letsencrypt-haproxy-refresh.sh.j2

@@ -4,11 +4,14 @@
 # renewal. It'll concatenate the needed certificates for the PEM file that
 # HAProxy reads.
 
+{% raw %}
 die() { echo "$*" 1>&2 ; exit 1; }
+{% endraw %}
 
 H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
 LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
 
+{% raw %}
 LE_ENV_FILE=/etc/default/acme_sh_request_env
 if [ -f "$LE_ENV_FILE" ] ; then
     . "$LE_ENV_FILE"
@@ -52,3 +55,4 @@ elif [ "$ACTION" == "restart" ]; then
     # script.
     $container_cli restart "$haproxy_container_name"
 fi
+{% endraw %}