HAProxy not starting with ssl configuration

Hi,

I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind *:443 ssl crt /opt/certs/self.pem’ line. I’m not sure if there is something wrong with my config or if HAProxy doesn’t like the certificate. In saying that, I can’t see any certificate related errors in the log.

Version

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Config

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http_front
        mode http
        bind *:80
        default_backend http_back

backend http_back
        balance roundrobin
        option httpchk GET /index.html
        http-check expect string WEB
        server web1 web1.domain.com:80 check
        server web2 web2.domain.com:80 check

listen stats
        bind :1234
        mode http
        stats enable
        stats hide-version
        stats uri /

frontend ssl_front
        bind *:443 ssl crt /opt/certs/self.pem
        default_backend ssl_back

backend ssl_back
        balance roundrobin
        server web1 web1.domain.com:443 check
        server web2 web2.domain.com:443 check

Certificate

I used known working certs and then tested with creating my own self signed one, but always getting the same result. Below is how I created the PEM file.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/certs/self.key -out /opt/certs/self.crt
cat self.crt self.key > self.pem

Logs

The logs aren’t very helpful.

Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Fatal errors found in configuration.
Mar 31 20:01:23 centos4 haproxy: Errors found in configuration file, check it with 'haproxy check'.
Mar 31 20:01:23 centos4 systemd: haproxy.service: control process exited, code=exited status=1

haproxy -dV -f haproxy.cfg
[ALERT] 089/200256 (39900) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 089/200256 (39900) : Fatal errors found in configuration.

Thanks for any help.

Please share:

haproxy -vv
haproxy -c -f haproxy.cfg

Sure, see below… I must have missed this before, but I do see the ‘unknown keyword ‘ssl’’ error.

haproxy -vv

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS =

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

haproxy -c -f haproxy.cfg

[ALERT] 090/011332 (8541) : parsing [haproxy.cfg:45] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[ALERT] 090/011332 (8541) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 090/011332 (8541) : Fatal errors found in configuration.

Ok, haproxy has been compiled without any additional libraries, like OpenSSL, PCRE or zlib. That’s why none of those features are available.

For OpenSSL (SSL) add USE_OPENSSL=1 to your make command. PCRE (USE_PCRE=1) and zlib for compression (USE_ZLIB=1) are other libraries that you may want to use.

Unless you see some OpenSSL information in haproxy -vv, haproxy has not been compiled with SSL support and therefore isn’t able to use it.

lukas@dev:~/haproxy$ ./haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.0h  27 Mar 2018
Running on OpenSSL version : OpenSSL 1.1.0h  27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
lukas@dev:~/haproxy$

Hi,

I compiled HAProxy with OpenSSL support :slight_smile:
[root@haproxy haproxy]# haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
[root@haproxy haproxy]#

But the error is still around …

Any hint ?

regards, Roberto

Is ‘which haproxy’ pointing to the same executable that your startup script uses?


Hi,

I just deleted and recreated the symbolic link for the binary, which allows running HAProxy commands as a normal user.

sudo ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy

Now it works like a charm!

regards, Roberto
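Both root causes in this thread (a haproxy built without OpenSSL, and a PATH haproxy that is a different executable from the one the service starts) can be checked mechanically. The script below is an added example, not code from the thread or from the HAProxy project; the systemd unit path and the ExecStart= parsing are assumptions, and the sample -vv strings are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added helper, not from the thread: checks the two causes discussed above,
# a haproxy built without OpenSSL and a PATH haproxy that is not the service's
# binary. Sample strings used to exercise it are constructed from the thread.

# has_ssl_support: read `haproxy -vv` output on stdin; succeed only if the
# build reports OpenSSL (the line lukas grepped for above).
has_ssl_support() {
    grep -q '^Built with OpenSSL version'
}

# ssl_ready_binary BIN: run BIN -vv and test it for OpenSSL support.
ssl_ready_binary() {
    "$1" -vv 2>/dev/null | has_ssl_support
}

# same_binary A B: succeed if both paths resolve through symlinks to one file.
same_binary() {
    a=$(readlink -f "$1") && b=$(readlink -f "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# service_binary UNITFILE: executable from the unit's ExecStart= line; this is
# what systemd runs regardless of the caller's PATH (prefixes - @ + ! stripped).
service_binary() {
    sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# check_ssl_bind_error LOGFILE: succeed if the log carries the thread's signature
# error, a bind line rejecting the 'ssl' keyword, i.e. no TLS in this build.
check_ssl_bind_error() {
    grep -q "'bind [^']*' unknown keyword 'ssl'" "$1"
}

# diagnose UNITFILE: tie the checks together on the running host. The unit path
# (e.g. /lib/systemd/system/haproxy.service) is an assumption of this example.
diagnose() {
    svc=$(service_binary "$1")
    onpath=$(command -v haproxy)
    if ! same_binary "$svc" "$onpath"; then
        echo "PATH haproxy ($onpath) is not the service binary ($svc): fix the symlink"
    fi
    if ! ssl_ready_binary "$svc"; then
        echo "$svc was built without OpenSSL: rebuild with USE_OPENSSL=1"
    fi
}
```

Run `diagnose /lib/systemd/system/haproxy.service` (adjust the unit path for your distribution) after any rebuild; an empty output means the service binary is the one on PATH and it has OpenSSL support.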