We recently switched to haproxy 2.2.2 and we encountered a problem with the flexibility of ssl-load-extra-files.
The way we handle certs is as follows:
Public key name is :
Private key name is :
Which resulted in
No Private Key found in '/etc/pki/tls/certs/fqdn.pem' or /etc/pki/tls/certs/fqdn.pem.key
I think it would be interesting if that directive was a little smarter in the way it deals with file extensions and also tried to strip the extension from the filename to see if the .key file exists with the same name.
Not sure how that would affect performance for HAProxy startup, but for the moment, we either need to completely revamp the way we deploy certs, or create a symlink for the key file, to .pem.key in the same directory if we want to use this feature.
SSL-LOAD-EXTRA-FILES is an excellent feature we’ve been waiting for as it simplifies cert deployment, but in its current form it’s not really usable for us.
I’d be interested to have feedback from other users too, to see if the way we handle certs naming is common or not.
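
The symlink workaround mentioned in the post, sketched as an added example that is not part of the original post or of HAProxy. The layout is an assumption: certificates named `<name>.pem` in one directory and keys named `<name>.key` in another (the two directories may be the same), and the function name `link_extra_keys` is hypothetical.

```shell
#!/bin/sh
# Added example: create the "<name>.pem.key" names from the error message
# as symlinks to existing "<name>.key" files.
# Assumed layout: <cert_dir>/<name>.pem and <key_dir>/<name>.key.

link_extra_keys() {
    cert_dir=$1
    key_dir=$2
    linked=0
    for cert in "$cert_dir"/*.pem; do
        [ -f "$cert" ] || continue              # glob matched nothing
        name=$(basename "$cert" .pem)
        key="$key_dir/$name.key"
        link="$cert.key"                        # e.g. fqdn.pem.key
        if [ ! -f "$key" ]; then
            echo "skip: no key for $cert (expected $key)" >&2
            continue
        fi
        # Never overwrite a real file or a link that already exists.
        if [ -e "$link" ] || [ -L "$link" ]; then
            if [ "$(readlink "$link")" != "$key" ]; then
                echo "skip: $link exists and is not a link to $key" >&2
            fi
            continue
        fi
        # Do not link keys that group or others can read; fix the mode first.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "skip: $key is readable by group/others" >&2
            continue
        fi
        ln -s "$key" "$link" && linked=$((linked + 1))
    done
    echo "$linked"                              # number of links created
}

# Run only when called with two directories: script.sh <cert_dir> <key_dir>
if [ "$#" -eq 2 ]; then
    link_extra_keys "$1" "$2"
fi
```

The function is idempotent, so it can run as a post-deploy step before HAProxy is reloaded; skipped certificates are reported on stderr.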