Error : Unable to load certificate chain

I am trying to configure a backend with SSL, but it is failing with an "Unable to load certificate chain" error.

This is a combined cert in the below format -

<PrivateKey>
<Cert>
<Cert>
<Cert>
<Cert>

When I try to reload with this config, it fails.

It works if I flip the format to -

<Cert>
<Cert>
<Cert>
<Cert>
<PrivateKey>

Currently on HAProxy 2.1.3. When I add the cert in this format and reload the process, it works, but the cert format automatically flips back to -

<PrivateKey>
<Cert>
<Cert>
<Cert>
<Cert>

and the next reload will not work.

The same cert works in HAProxy 2.0.8 without any of the above problems.

I tested this on 2.1.4 as well; the below format doesn't work.

<PrivateKey>
<Cert>
<Cert>
<Cert>
<Cert>

The below works and stays the same even after the reload -

<Cert>
<Cert>
<Cert>
<Cert>
<PrivateKey>

My bad I’m repeating the format again and again, just wanted to be clear.

Can you guys shed some light on why the first format doesn’t work?

Anyone?

The private key belongs to the end, however haproxy won’t ever write or modify certificate files.

So something is interfering in your reload process, modifying your certificate, but this has nothing to do with haproxy. I suggest you check your reload scripts (or unit files, if systemd is used).
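Two things a practitioner would want to check at this point are the block order inside the combined PEM file and whether the file is actually being rewritten between reloads. The script below is an added example and is not code from the thread or from HAProxy: it parses the PEM blocks with the standard library only, reports the order, counts certificates and duplicates, rewrites the bundle in the layout the thread reports as working (certificates first, private key last) without dropping any block, and fingerprints the file so that a before/after comparison around a reload shows whether a reload script is touching it. The sample bundle is constructed with placeholder base64 bodies and contains no real key or certificate material.

```python
import hashlib
import re
from collections import Counter

# Constructed sample bundle: placeholder base64 bodies, NOT real key or
# certificate material. Block order mirrors the failing layout from the thread:
# private key first, then four certificates (one is a duplicate of another).
SAMPLE_BUNDLE = """\
-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIta2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLTE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdA==
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN line, base64 body (possibly multi-line), matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# Labels treated as a private key (PKCS#8, PKCS#1 RSA, SEC1 EC, encrypted PKCS#8).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, body)] in file order; body is base64 with whitespace removed."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2)))
            for m in PEM_BLOCK.finditer(text)]


def inspect_bundle(text):
    """Summarize block order, key placement, certificate count and duplicates."""
    blocks = parse_pem(text)
    labels = [label for label, _ in blocks]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    key_idx = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    # A duplicate is any extra copy of a certificate body already seen.
    duplicates = sum(n - 1 for n in Counter(certs).values() if n > 1)
    return {
        "order": labels,
        "key_count": len(key_idx),
        "key_last": bool(key_idx) and key_idx[-1] == len(blocks) - 1,
        "cert_count": len(certs),
        "duplicate_certs": duplicates,
    }


def normalize_bundle(text):
    """Rewrite the bundle as certificates (file order), any other blocks, then keys.

    Every block is kept; only the order changes. Duplicates are reported by
    inspect_bundle() rather than silently removed, so nothing is lost here.
    """
    blocks = parse_pem(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    other = [b for b in blocks if b[0] != "CERTIFICATE" and b[0] not in KEY_LABELS]
    out = []
    for label, body in certs + other + keys:
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        out.append(f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n")
    return "".join(out)


def fingerprint(text):
    """SHA-256 of the file content; compare before and after a reload to spot rewrites."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    report = inspect_bundle(SAMPLE_BUNDLE)
    print("order:", report["order"])
    print("key last:", report["key_last"], "| certs:", report["cert_count"],
          "| duplicate certs:", report["duplicate_certs"])
    fixed = normalize_bundle(SAMPLE_BUNDLE)
    print("normalized order:", inspect_bundle(fixed)["order"])
    print("fingerprint before:", fingerprint(SAMPLE_BUNDLE)[:16])
    print("fingerprint after: ", fingerprint(fixed)[:16])
```

To test the reload hypothesis on a real host, record `fingerprint()` of the bundle, run the reload, and record it again: a changed digest means something in the reload path rewrote the file, which is the point to look for in the reload script or unit file rather than in haproxy itself.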

@lukastribus thanks for the response. So should I always have the private key at the bottom? The same cert works in version 2.0.8.

Did something change in the newer versions?

Also have some backends with certs in the below format; they work fine.

pkey
cert
cert
cert

The problem occurs when we have four certs and a key at the top.

Why would you have four certificates in this file, I don’t understand the use-case. Do you have that many intermediate certificates you need to send to the client?

@lukastribus, no, I'm good. The cert is an incorrect one. I am wondering why it is working in v2.0.8. Just curious!

I don't know why it works in v2.0.8. To understand which exact change caused the difference in behavior, I would actually have to reproduce it and then bisect it to the change that caused it, which is something that could be done if the behavior were actually broken in the new release, but that doesn't seem to be the case.