I spent all day with this issue, no luck.
I have 10 containers on my server, haproxy is sitting in one of them.
I redirected all the :80 and 443 traffic to this haproxy container, and all worked well.
All pem files are placed in the /haproxy/cert folder by cat:
cat /etc/letsencrypt/live/subdomain.domain.tld/fullchain.pem /etc/letsencrypt/live/subdomain.domain.tld/privkey.pem > /etc/haproxy/certs/subdomain.domain.tld
When my SSL certs were freshly created, everything was fine. Now one of them expired, so I tried to renew it. All went well, the pem file is in the right place. No finding from the old pem file.
If I take the new pem file, it validates as new, valid SSL cert.
But when I open my page, I can see the expired SSL next to my URL and the expired cert warning.
- replace the certificate
- stop / start / reload
- refresh apache
- reboot all servers / containers
- no old haproxy running in the background
- deleted cert, added new
- checked, no invisible .pem file anywhere in my cert folder
The old expired cert is still visible and can’t get rid of it. Even if I delete with certbot.
EVEN if I delete all cert!!!
As I said, all the other 8 containers work with the SSL, just this one, which I renewed doesn’t.
HA-Proxy version 1.8.8-1ubuntu0.10 2020/04/03
Copyright 2000-2018 Willy Tarreau email@example.com
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-RAYurj/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
Running on OpenSSL version : OpenSSL 1.1.1 11 Sep 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
I appreciate any help.