Haproxy always prints "unable to load SSL private key from PEM file"


#1

Hi,

I have been trying to deploy an SSL/SNI configuration with HAProxy 1.5 (1.5.8-3+deb8u2 to be specific) and although it does work (I can start, stop and restart the service) the configuration check always reports the following:

$ /usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg
[ALERT] 179/141417 (14223) : parsing [/etc/haproxy/haproxy.cfg:68] : 'bind xxx.xxx.xxx.xxx:443' : unable to load SSL private key from PEM file '/etc/haproxy/ssl/xxx.xxx.xxx.xxx/'.
[ALERT] 179/141417 (14223) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 179/141417 (14223) : Proxy 'xxx.xxx.xxx.xxx_https': no SSL certificate specified for bind 'xxx.xxx.xxx.xxx:443' at [/etc/haproxy/haproxy.cfg:68] (use 'crt').
[ALERT] 179/141417 (14223) : Fatal errors found in configuration.

I cannot for the life of me find out why this error is generated.

I have tried multiple ways of sorting the order of the certificates and keys. Some of them are definitely not correct as HAProxy won't start, but the current order (cert -> key -> intermediate) works.

The weird thing is that this configuration "works", it's just that the error won't go away.

Can anybody give me any insight as to why this is?

Regards,

sirhopcount


#2

Share the complete configuration. Are you starting haproxy as root and checking the configuration as root user as well? Are you using chroot and privilege downgrade?


#3

I had this problem and my solution was to have the cert, the key and the intermediate cert in the .pem file, in that order.
Another thing that threw me at first was that when I concatenated the cert, key and intermediate cert there was a line break missing.

You might not need to have the intermediate, but it was needed for my setup, due to the cert authority I am using.

So the file had this line:

-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----

To make it work it needed to be in two different lines, like this:

-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
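The concatenation mistake described in the post above (an END marker glued to the next BEGIN marker because a newline was lost) is easy to catch before `haproxy -c` ever sees the file. The following is an added example for this thread, not code from HAProxy or from any poster: it scans a PEM bundle for marker lines that are not alone on their line, repairs the glued markers, and reports the block order so it can be compared with the order reported working here (cert, key, intermediate). The bundle it runs on is constructed with placeholder bodies, not real key material, and the check is purely structural; it does not decode the base64 bodies or confirm that the key matches the certificate, which is what `openssl` is for.

```python
"""Structural check for a concatenated PEM bundle before running `haproxy -c`.

Added example for this thread (not HAProxy project code). It flags markers
that are not alone on their line, repairs an END marker glued to a BEGIN
marker, and reports the order of the blocks found.
"""
import re
import sys
from typing import List, Tuple

# Constructed bundle for this example: bodies are placeholders, not real key
# material. Line 3 reproduces the mistake from the post: the END and BEGIN
# markers share one line.
BROKEN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "LEAFCERTBODY\n"
    "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----\n"
    "KEYBODY\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "INTERMEDIATECERTBODY\n"
    "-----END CERTIFICATE-----\n"
)

# A well-formed marker line contains nothing but the marker.
MARKER_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")

# A complete block: a BEGIN marker alone on a line, any body, then the
# matching END marker alone on a line.
BLOCK = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----$.*?^-----END (?P=label)-----$",
    re.MULTILINE | re.DOTALL,
)


def marker_problems(text: str) -> List[str]:
    """One message per line that carries a marker but is not a clean marker line."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip("\r")
        if ("-----BEGIN " in line or "-----END " in line) and not MARKER_LINE.match(line):
            problems.append(f"line {n}: marker is not alone on its line: {line!r}")
    return problems


def split_fused_markers(text: str) -> str:
    """Insert the missing newline between an END marker and a BEGIN marker glued to it."""
    return re.sub(r"(-----END [A-Z ]+-----)(?=-----BEGIN )", r"\1\n", text)


def block_labels(text: str) -> List[str]:
    """Labels of the well-formed PEM blocks, in file order."""
    return [m.group("label") for m in BLOCK.finditer(text)]


def check_bundle(text: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, block labels in order, problem messages)."""
    problems = marker_problems(text)
    labels = block_labels(text)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block found (HAProxy reports this as "
                        "'unable to load SSL private key from PEM file')")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("bundle does not start with a certificate; the order reported "
                        "working in this thread is cert, key, intermediate")
    return (not problems, labels, problems)


def report(text: str) -> int:
    """Print a human-readable report; exit status 1 when problems were found."""
    ok, labels, problems = check_bundle(text)
    print("blocks in order:", ", ".join(labels) or "(none)")
    for problem in problems:
        print("problem:", problem)
    return 0 if ok else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pem_check.py /etc/haproxy/ssl/example.pem
        with open(sys.argv[1], "r", encoding="utf-8") as fh:
            sys.exit(report(fh.read()))
    # No path given: show the constructed bundle before and after repair.
    print("--- broken bundle ---")
    report(BROKEN_BUNDLE)
    print("--- after split_fused_markers ---")
    sys.exit(report(split_fused_markers(BROKEN_BUNDLE)))
```

On the constructed bundle the report names line 3 and notes that no private key block was found, because the glued marker makes the whole file parse as one oversized certificate block; after `split_fused_markers` the three blocks come back in the order cert, key, intermediate and the check passes. A real bundle should then still go through `openssl x509 -noout -in bundle.pem` and `openssl rsa -noout -check -in bundle.pem` to confirm the contents decode.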


#4

Yes, an invalid/corrupt pem file will lead to this message as well.