Renewed SSL Certificate


#1

I’ve inherited a Linux (RHEL) server running HAProxy, and the SSL cert for the sites it provides SSL termination for has expired. I’ve been issued a new cert and have it in a PEM file along with the certifying chain.

After digging around the innarwebz, I determined I needed to update haproxy.cfg to bind port 443 to the new cert. Running find produced 6 hits in directories that are pretty obviously date-time references. Looking in their containing directory, there’s a ‘current’ symbolic link to the most recent of the directories. That seemed pretty obvious, so I copied the PEM file to that directory and edited the port 443 line to:

bind :443 ssl crt /opt/ags/services/agsinternaltools/tools/AGSJenkinsMasterLB/2015_05_06_21.26.37/config/new-credential.pem

…and rebooted the server.

But when I hit the site in a browser, it still reports the cert is outdated.

My first guess is that I’m not modfying the right instance of haproxy.cfg.

How do I tell which config file HAProxy is reading?

Is there another step or steps to take that I’m missing?


#2

Check the ps output, the config file is specified with the -f argument:

sudo ps x | grep haproxy