HAProxy not starting with ssl configuration


#1

Hi,

I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind *:443 ssl crt /opt/certs/self.pem’ line. I’m not sure if there is something wrong with my config or if HAProxy doesn’t like the certificate. In saying that, I can’t see any certificate related errors in the log.

Version

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Config

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http_front
        mode http
        bind *:80
        default_backend http_back

backend http_back
        balance roundrobin
        option httpchk GET /index.html
        http-check expect string WEB
        server web1 web1.domain.com:80 check
        server web2 web2.domain.com:80 check

listen stats
        bind :1234
        mode http
        stats enable
        stats hide-version
        stats uri /

frontend ssl_front
        bind *:443 ssl crt /opt/certs/self.pem
        default_backend ssl_back

backend ssl_back
        balance roundrobin
        server web1 web1.domain.com:443 check
        server web2 web2.domain.com:443 check

Certificate

I used known working certs and then tested with creating my own self-signed one, but always getting the same result. Below is how I created the PEM file.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/certs/self.key -out /opt/certs/self.crt
cat self.crt self.key > self.pem

Logs

The logs aren’t very helpful.

Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Fatal errors found in configuration.
Mar 31 20:01:23 centos4 haproxy: Errors found in configuration file, check it with 'haproxy check'.
Mar 31 20:01:23 centos4 systemd: haproxy.service: control process exited, code=exited status=1

haproxy -dV -f haproxy.cfg
[ALERT] 089/200256 (39900) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 089/200256 (39900) : Fatal errors found in configuration.

Thanks for any help.


#2

Please share:

haproxy -vv
haproxy -c -f haproxy.cfg

#3

Sure, see below… I must have missed this before but I do see the ‘unknown keyword ‘ssl’’ error.

haproxy -vv

HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS =

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

haproxy -c -f haproxy.cfg

[ALERT] 090/011332 (8541) : parsing [haproxy.cfg:45] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[ALERT] 090/011332 (8541) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 090/011332 (8541) : Fatal errors found in configuration.

#4

Ok, haproxy has been compiled without any additional libraries, like OpenSSL, PCRE or zlib. That’s why none of those features are available.

For OpenSSL (SSL) add USE_OPENSSL=1 to your make command. PCRE (USE_PCRE=1) and zlib for compression (USE_ZLIB=1) are other libraries that you may want to use.

Unless you see some OpenSSL information in haproxy -vv, haproxy has not been compiled with SSL support and therefore isn’t able to use it.

lukas@dev:~/haproxy$ ./haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.0h  27 Mar 2018
Running on OpenSSL version : OpenSSL 1.1.0h  27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
lukas@dev:~/haproxy$
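A preflight script that applies the diagnosis above before a restart, written here as an added example that is neither code from the thread nor from HAProxy itself: it checks the haproxy -vv output for an OpenSSL build whenever the config has a bind line with the ssl keyword, and also checks that the combined PEM file from post #1 carries both a certificate and a private key block. The haproxy -vv, config and PEM samples are constructed, modelled on what the thread shows.

```shell
# Preflight for an HAProxy TLS frontend (added example, not from the thread).
# Two things must hold before 'bind *:443 ssl crt <pem>' can load: the binary was
# built with OpenSSL ('haproxy -vv'), and the PEM holds certificate plus private key.

# 0 if the given 'haproxy -vv' output reports an OpenSSL build, 1 otherwise.
has_ssl_support() {
    printf '%s\n' "$1" | grep -q '^Built with OpenSSL version'
}

# 0 if the given config text has a bind line carrying the 'ssl' keyword.
config_uses_ssl() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*bind[[:space:]].*[[:space:]]ssl([[:space:]]|$)'
}

# 0 if the given PEM text contains both a certificate and a private key block.
pem_is_complete() {
    printf '%s\n' "$1" | grep -q -- '-----BEGIN CERTIFICATE-----' &&
    printf '%s\n' "$1" | grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----'
}

# Combined check: 0 = ready, 2 = binary lacks SSL, 3 = PEM incomplete.
preflight() {
    vv_output=$1; cfg_text=$2; pem_text=$3
    if config_uses_ssl "$cfg_text"; then
        if ! has_ssl_support "$vv_output"; then
            echo "bind uses 'ssl' but haproxy was built without OpenSSL; rebuild with USE_OPENSSL=1" >&2
            return 2
        fi
        if ! pem_is_complete "$pem_text"; then
            echo "PEM must contain the certificate followed by its private key" >&2
            return 3
        fi
    fi
    return 0
}

# Constructed samples, modelled on the outputs shown in the thread.
VV_NO_SSL='HA-Proxy version 1.8.4-1deb90d 2018/02/08
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).'
VV_WITH_SSL='HA-Proxy version 1.8.4-1deb90d 2018/02/08
Built with OpenSSL version : OpenSSL 1.1.0h  27 Mar 2018'
CFG_SSL='        bind *:443 ssl crt /opt/certs/self.pem'
CFG_PLAIN='        bind *:80'
# PEM markers only (constructed); the base64 bodies are omitted.
PEM_FULL='-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----'
PEM_CERT_ONLY='-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----'
```

For live use, call it as preflight "$(haproxy -vv)" "$(cat /etc/haproxy/haproxy.cfg)" "$(cat /opt/certs/self.pem)" and only then run haproxy -c -f /etc/haproxy/haproxy.cfg.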