Please help me debug my generation of self-signed certificate for HA Proxy

Hello :slight_smile:

I will post my private key in its entirety because it is an example for development and debugging purposes.

This is the process by which I have created my PEM file:

sudo openssl genrsa -out example.dev.key 1024
sudo openssl req -new -key example.dev.key -out example.dev.csr
sudo openssl x509 -req -days 365 -in example.dev.csr -signkey example.dev.key -out example.dev.crt
sudo cat example.dev.crt example.dev.key | sudo tee example.dev.pem

This is a self-signed certificate. The PEM file looks like this:

-----BEGIN CERTIFICATE-----
MIICcjCCAdsCFAFD5rYw03KeoC3z95/Ahl2O1x38MA0GCSqGSIb3DQEBCwUAMHgx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQHDAdGcmVt
b250MR4wHAYDVQQKDBVFdmVyZXggQ29tbXVuaWNhdGlvbnMxDDAKBgNVBAsMA2Rl
djEUMBIGA1UEAwwLZGV2ZWxvcG1lbnQwHhcNMjAxMjA5MTkwNTAyWhcNMjExMjA5
MTkwNTAyWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEQMA4G
A1UEBwwHRnJlbW9udDEeMBwGA1UECgwVRXZlcmV4IENvbW11bmljYXRpb25zMQww
CgYDVQQLDANkZXYxFDASBgNVBAMMC2RldmVsb3BtZW50MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6
FgmsfDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWc
ptVb/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwID
AQABMA0GCSqGSIb3DQEBCwUAA4GBAKp3won6y2Y712spVbxjklzSgYRQCi8aBFZd
Nv3B5YvPg+MXIKCvj9fDdAwqQU1eBj5arF9bL2NixAdT3P+77db3FSPeje5CRd57
tHhRzFb0GSjiW304VI+v/ptfb95jA5CwvAF9uMvNHrTVT8Aln3pldpitvtP5LtpM
qa0iD2xG
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6Fgms
fDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWcptVb
/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwIDAQAB
AoGAVJQes1ixvhKg2IdSDcN+CSSj/rGORUpoYpxWNdxjNy7s0y1CeuvwCJqJaCGb
m3JpbpSzdW+AD6aL8/DUmtsvCUQEg4g49K8j/z942HqatZS3Zuucf7SHzWlvze+N
JDrQabnq53+zAvfqf8+8fhbuRxoanl120kdVcIutPgN38cECQQDsnBpKNRGc6jA8
+lh4KciqQ+32gY7Z+dsSW4i1vufLnTkbS1rO2DL0ruuZzjnOT4FuE7SU4T1N4Qni
3PRNG4PjAkEAy8RuuGWuzULJ7mE/F9SKnYcaugoVNsSMNTwObTytIQtvb66l4M06
Jp/BvLJy5Atys/WzhQ6xXuxR9zmS44QQpQJBAOooirQJ1QZvlZGjR86Tu20VkPi1
uwPpi26de6wx4//T9uIWLyYpPDR+r9clCnwsnrCre7kjN6JNJZWIiZWNt3UCQQCo
fYoMIdBz2+k7mt/f5Zik/2VjNhkqi0Vgc4N+YjDKZTlFAQYap7iQ3YMGdAw6cxjq
o51Ixch2tDRmmA3U4YwdAkBY19AJj4ZwcyfjDs9z7gy4MQcJp+YVNcuTLEd6z5HK
5ECCSy5S0UPwwxleUPUIv/nNrAchTUt5UtlgQuO7arPX
-----END RSA PRIVATE KEY-----

Ok now that I have this, I validated it as follows. ALL KEYS HAVE R/W PERMISSIONS FOR ALL USERS:

openssl x509 –noout –modulus –in example.dev.crt | openssl md5

openssl rsa –noout –modulus –in example.dev.key | openssl md5

openssl req -noout -modulus -in example.dev.csr | openssl md5

I am on Ubuntu 20.04 I installed the key in /etc/ssl and /etc/haproxy:

$ cd /etc/ssl
$ ln -s example.dev.crt `openssl x509 -hash -noout -in example.dev.crt`.0

ajorona@ajorona-box/etc/haproxy$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Dec  8 17:55 errors
-rw-r--r-- 1 root root 1795 Dec  9 12:28 example.dev.pem

Now my haproxy.cfg file has the following lines:

bind *:443 ssl crt /etc/haproxy/example.dev.pem
redirect scheme https if !{ ssl_fc }

I validate my haproxy.cfg:

ajorona@ajorona-box:~/server haproxy -c -f haproxy.cfg [ALERT] 343/123930 (114320) : parsing [haproxy.cfg:29] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/example.dev.pem'. [ALERT] 343/123930 (114320) : Error(s) found in configuration file : haproxy.cfg [ALERT] 343/123930 (114320) : Fatal errors found in configuration. ajorona@ajorona-box:~/server sudo haproxy -c -f haproxy.cfg
[ALERT] 343/123933 (114444) : parsing [haproxy.cfg:29] : ‘bind *:443’ : unable to load SSL certificate from PEM file ‘/etc/haproxy/example.dev.pem’.
[ALERT] 343/123933 (114444) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 343/123933 (114444) : Fatal errors found in configuration.

I’ve spent a full day on this, I can’t really figure out why this is happening…