HAProxy SSL Termination


#1

I am having a problem getting my .pem certificate working in my HAProxy configuration. I have been given a .pfx GeoTrust wildcard certificate and 2 other certificates titled IntermediateCA.cer, and ssl_certificate.cer.

After converting these to .pem and restarting the haproxy service I get the error:

unable to load SSL private key from PEM file ‘./cert.pem’

I have verified that the .pem certificate is in the /etc/haproxy folder and that in the /etc/haproxy/haproxy.cfg file I have the correct file location to the certificate. The configuration looks like this:

       bind 10.0.0.50:443 ssl crt ./cert.pem

If I open the .pem certificate with nano I can see that it starts with -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- and then there are 3 sections that say -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

My goal for this is to finish setting up SSL Termination on the server so that I can have session load balancing for my VMware Horizon environment. The .pfx certificate works on a horizon connection server if I use haproxy mode tcp but mode http is not working.

Let me know if you need any further information.


#2

Private key comes after the certificate, not before.


#3

I tried putting it after and it still didn’t work. I looked at this: https://serverfault.com/questions/811192/comodo-ssl-certificates-in-haproxy-on-centos7

I tried to turn my .pfx into a .key and then decrypting the .key to a file called rsa.key. I then got -----BEGIN RSA PRIVATE KEY-----

I only have an IntermediateCA.cer and ssl_certificate.cer so I did

       cat ssl_certificate.cer rsa.key > key.pem

and then tried that with the private key before and after and that did not work.

I must be missing something because I am still getting a message that says unable to load private ssl key from PEM file.


#4

I went through these steps https://serversforhackers.com/c/using-ssl-certificates-with-haproxy and made a sample .pem file and it is working. So it is definitely something with my .pem file that I made from the GeoTrust certs.


#5

Getting closer. This helped a lot: https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/

1.) I took my .pfx from GeoTrust and used the command to get an encrypted private key.

       openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

2.) Then I took my .pfx and extracted a certificate with this command

       openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

3.) Then I decrypted the private key from step one with this command

       openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

4.) Then I brought them together in a PEM file with this command

       sudo cat certificate.crt keyfile-decrypted.key | sudo tee /etc/haproxy/cert.pem

5.) Then I changed the configuration to

       bind 10.0.0.5:443 ssl crt /etc/haproxy/cert.pem

6.) Then I restarted the haproxy service and it now works.

I am not finished because now when I reach my FQDN from Google Chrome I get a "502 Bad Gateway: The server returned an invalid or incomplete response" error. I am going to check my configuration again.
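A check for the bundle assembled in steps 1 to 4, added here as an example and not part of the thread: it parses the PEM blocks and reports the conditions that produce HAProxy's "unable to load SSL private key" error (a key that is still passphrase-protected, no key at all, a key placed ahead of the certificates) and, because the key is stored decrypted, writes the file with mode 0600 and flags it if it is readable by others. The function names and the sample bundles are my own; the sample bodies are placeholders, not real key material.

```python
import os, re, stat, tempfile

# One PEM block: label, body (base64 or legacy encryption headers), matching END line.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return (label, body) pairs in file order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]

def lint_bundle(text):
    """Return findings as strings; an empty list means HAProxy should load the file."""
    findings = []
    if "\r\n" in text:
        findings.append("CRLF line endings; run dos2unix on the file")
    blocks = pem_blocks(text)
    key_pos = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    cert_pos = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    for label, body in blocks:  # PKCS#8 has its own label; legacy keys carry Proc-Type headers
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is passphrase-protected; decrypt it with openssl rsa first")
    if not cert_pos:
        findings.append("no CERTIFICATE block; the server certificate must come first")
    if len(key_pos) != 1:
        findings.append(f"expected exactly one private key, found {len(key_pos)}")
    elif cert_pos and key_pos[0] < cert_pos[0]:
        findings.append("private key comes before the certificates; put it after them")
    return findings

def write_bundle(text, directory=None):
    """Write cert.pem with mode 0600, since the key inside is stored unencrypted."""
    path = os.path.join(directory or tempfile.mkdtemp(), "cert.pem")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path

def check_permissions(path):
    """Return a finding if the file is readable by group or others, else None."""
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path} is readable by group/others; chmod 600 it"
    return None

# Constructed samples: the bodies are placeholders, not real key or certificate data.
def _block(label, body="MIIB...placeholder..."):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
GOOD_BUNDLE = _block("CERTIFICATE") * 2 + _block("RSA PRIVATE KEY")  # leaf, intermediate, key
KEY_FIRST_BUNDLE = _block("PRIVATE KEY") + _block("CERTIFICATE")
ENCRYPTED_BUNDLE = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nMIIB...")
```

Run lint_bundle on the real /etc/haproxy/cert.pem before restarting the service; an empty list means the layout is one HAProxy accepts, and check_permissions confirms the decrypted key is not world-readable.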


#6

This issue has been fixed. I was getting the 502 error because there needs to be an SSL connection between HAProxy and the web server I have in the background. I needed to add the command check ssl verify none to my servers list to fix this. My config now looks like this for the backend:

       backend https
           mode http
           balance source
           server S1 10.0.0.5:443 id 1 weight 1 check ssl verify none port 443 inter 2000 rise 2 fall 5
           server S2 10.0.0.6:443 id 2 weight 1 check ssl verify none port 443 inter 2000 rise 2 fall 5