HAProxy unknown keyword

Hi,

I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind 443:443 tfo ssl /etc/letsencrypt/live/example.com/fullchain.pem’ line. I’m not sure if there is something wrong with my config or the installation of OpenSSL or HAProxy.

haproxy -v

    HA-Proxy version 2.3.2-d522db7 2020/11/28 - https://haproxy.org/
    Status: stable branch - will stop receiving fixes around Q1 2022.
    Known bugs: http://www.haproxy.org/bugs/bugs-2.3.2.html
    Running on: Linux 4.14.203-156.332.amzn2.x86_64 #1 SMP Fri Oct 30 19:19:33 UTC 2020 x86_64

haproxy -vv

HA-Proxy version 2.3.2-d522db7 2020/11/28 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2022.
Known bugs: http://www.haproxy.org/bugs/bugs-2.3.2.html
Running on: Linux 4.14.203-156.332.amzn2.x86_64 #1 SMP Fri Oct 30 19:19:33 UTC 2020 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1
  DEBUG   = 

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE
 -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL -LUA +FUTEX +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFI
NITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1c  28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c FIPS  28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with network namespace support.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.3.1 20180712 (Red Hat 7.3.1-12)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2
            fcgi : mode=HTTP       side=BE        mux=FCGI
       <default> : mode=HTTP       side=FE|BE     mux=H1
       <default> : mode=TCP        side=FE|BE     mux=PASS

Available services : none

Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace

Config

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

    tune.ssl.default-dh-param 2048

defaults
    log global

    mode tcp
    option dontlognull
    timeout connect 5s

    timeout client  300s
    timeout server  300s

frontend tls-in
    bind *:443 tfo ssl /etc/letsencrypt/live/example.com/fullchain.pem
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    use_backend web if HTTP
    default_backend vme

backend web
    server server1 127.0.0.1:444
  
backend vme
    server server1 127.0.0.1:40001

Log

[NOTICE] 006/174126 (2026) : haproxy version is 2.3.2-d522db7
[NOTICE] 006/174126 (2026) : path to executable is /sbin/haproxy
[ALERT] 006/174126 (2026) : parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' unknown keyword '/etc/letsencrypt/live/example.com/full
chain.pem'. Registered keywords :
    [ SSL] allow-0rtt
    [ SSL] alpn <arg>
    [ SSL] ca-file <arg>
    [ SSL] ca-verify-file <arg>
    [ SSL] ca-ignore-err <arg>
    [ SSL] ca-sign-file <arg>
    [ SSL] ca-sign-pass <arg>
    [ SSL] ciphers <arg>
    [ SSL] ciphersuites <arg>
    [ SSL] crl-file <arg>
    [ SSL] crt <arg>
    [ SSL] crt-ignore-err <arg>
    [ SSL] crt-list <arg>
    [ SSL] curves <arg>
    [ SSL] ecdhe <arg>
    [ SSL] force-sslv3
    [ SSL] force-tlsv10
    [ SSL] force-tlsv11
    [ SSL] force-tlsv12
    [ SSL] force-tlsv13
    [ SSL] generate-certificates
    [ SSL] no-ca-names
    [ SSL] no-sslv3
    [ SSL] no-tlsv10
    [ SSL] no-tlsv11
    [ SSL] no-tlsv12
    [ SSL] no-tlsv13
    [ SSL] no-tls-tickets
    [ SSL] ssl
    [ SSL] ssl-min-ver <arg>
    [ SSL] ssl-max-ver <arg>
    [ SSL] strict-sni
    [ SSL] tls-ticket-keys <arg>
    [ SSL] verify <arg>
    [ SSL] npn <arg>
    [ SSL] prefer-client-ciphers
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [ ALL] proto <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ TCP] namespace <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[ALERT] 006/174126 (2026) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 006/174126 (2026) : Fatal errors found in configuration.

Really thanks for any reply!

You forget the crt keyword that you must specify before the certificate.

Wrong:

    bind *:443 tfo ssl /etc/letsencrypt/live/example.com/fullchain.pem

Right:

    bind *:443 tfo ssl crt /etc/letsencrypt/live/example.com/fullchain.pem

Thanks for your reply! It works now!!! Thanks a lot~