HAProxy community

Trying to install SSL Cert for use with HAPROXY. No luck


#1

Hello,

I am trying to configure HAPROXY with an SSL cert for our load balanced web servers. However, whenever I try to restart my service, I keep getting a service failure. If I comment out the lines for the cert stuff and just do a simple http setup it works fine. Below is my config. All suggestions are welcome. Thank you for the help.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
    bind 10.1.1.33:80
    stats uri /haproxy?stats
    default_backend http_nextcloud

frontend www-https-public    # THESE DO NOT WORK
    bind 192.168.1.1:443 ssl crt /etc/ssl/private/star.certhere.com.pem
    # TLS is terminated on the bind line; the proxy mode itself stays http
    mode http
    reqadd X-Forwarded-Proto:\ https
    default_backend http_nextcloud

frontend www-https-private    # THESE DO NOT WORK
    bind 10.1.1.33:443 ssl crt /etc/ssl/private/star.certhere.com.pem
    mode http
    reqadd X-Forwarded-Proto:\ https
    default_backend http_nextcloud

    # Define Host Header values
    acl host_nextcloud hdr(host) -i testbox.box.com

    # figure out which backend to use
    use_backend http_nextcloud if host_nextcloud

backend http_nextcloud
    balance roundrobin
    cookie JSESSIONID prefix nocache
    redirect scheme https if !{ ssl_fc }
    server webws1 10.1.1.217:80 check
    server webws2 10.1.1.224:80 check


#2

Read the error message that haproxy throws when starting. If you cannot read it, because it's hidden by your startup scripts, then stop haproxy, enable ssl and try to start it manually (haproxy -db -f <path/to/config>).


#3

Thanks for that command. It’s wonderful!

The error message I am getting is that my cert file ‘/etc/ssl/private/star.certname.com.pem’ does not exist.

[ALERT] 352/164744 (8112) : parsing [/etc/haproxy//haproxy.cfg:52] : ‘bind 10.1.1.33:443’ : unable to load SSL certificate file ‘/etc/ssl/private/star.certname.com.pem’ file does not exist.
[ALERT] 352/164744 (8112) : Error(s) found in configuration file : /etc/haproxy//haproxy.cfg
[ALERT] 352/164744 (8112) : Fatal errors found in configuration.

However, when I look at that path, I can see that the file is there. Could it be that it is not recognizing it as a cert file?

itadmin@testhqloadbal:/etc/haproxy$ sudo ls /etc/ssl/private
star.certname.com.pem


#4

What does the file look like? Can you share the comment lines beginning with "-".

Like grep "---" /etc/ssl/private/star.certname.com.pem


#5

-----BEGIN RSA PRIVATE KEY-----
lahsdfhasl;f blah blah balh
-----END RSA PRIVATE KEY-----


#6

Well, there is no certificate in there. Only a private key.

You need private key, intermediate and actual certificate all in that file.


#7

Do I just copy the contents of each individual file to a single file? Do they need to be in any certain order?


#8

Certificate, intermediate certificate, private key all in one file and in that order, so that it looks like:

# grep \- cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
#
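The situation in posts #5 through #8 (a file that holds only a key, versus a file with certificate, chain and key in that order) is easy to check before restarting haproxy. The following script is an added example, not code from this thread or from the HAProxy project: it splits a PEM bundle into its blocks and reports whether the layout matches what the reply above describes. The sample bundles at the bottom are constructed; their base64 bodies are placeholders, not real keys or certificates. Function and constant names are the example's own.

```python
"""Check the block layout of a PEM bundle intended for HAProxy's `bind ... ssl crt <file>`."""
import re

# One PEM block: a BEGIN label, the body, and the matching END label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, body) for every PEM block in `text`, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Compare a bundle with the layout described in the thread:
    server certificate, then intermediate certificate(s), then exactly one
    unencrypted private key. Returns a list of problems; empty means fine."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (empty file, or DER/PKCS#12 rather than PEM)"]
    labels = [lbl for lbl, _ in blocks]
    certs = [i for i, lbl in enumerate(labels) if lbl == "CERTIFICATE"]
    keys = [i for i, lbl in enumerate(labels) if lbl.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        # The post #5 case: haproxy reported the cert file as missing.
        problems.append("only a private key, no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block")
    elif len(keys) > 1:
        problems.append(f"{len(keys)} private keys, expected exactly one")
    if certs and keys and min(keys) < max(certs):
        problems.append("private key precedes a certificate; expected cert, chain, then key")
    for lbl, body in blocks:
        if lbl != "CERTIFICATE" and not lbl.endswith("PRIVATE KEY"):
            problems.append(f"unexpected block type {lbl!r}")
        # haproxy has no way to supply a passphrase, so the key must be unencrypted.
        if lbl.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected; haproxy needs an unencrypted key")
    return problems


def check_file(path):
    """Run check_bundle() on a file on disk."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return check_bundle(fh.read())


# Constructed sample bundles (placeholder bodies, not real material).
def _block(label, body="Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI="):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


KEY_ONLY = _block("RSA PRIVATE KEY")                                    # what post #5 showed
CERT_CHAIN_KEY = _block("CERTIFICATE") * 2 + _block("RSA PRIVATE KEY")  # layout from post #8
FOUR_CERTS_KEY = _block("CERTIFICATE") * 4 + _block("RSA PRIVATE KEY")  # a longer chain, as in post #10
KEY_FIRST = _block("RSA PRIVATE KEY") + _block("CERTIFICATE")           # key in the wrong place

if __name__ == "__main__":
    samples = [("key only", KEY_ONLY), ("cert+chain+key", CERT_CHAIN_KEY),
               ("four certs+key", FOUR_CERTS_KEY), ("key first", KEY_FIRST)]
    for name, bundle in samples:
        print(f"{name:15} -> {check_bundle(bundle) or 'OK'}")
```

Run it against a real bundle with `check_file("/etc/ssl/private/star.certname.com.pem")`. The script only inspects the layout; whether the key actually belongs to the first certificate (the point raised later in this thread) needs a cryptographic check, for example comparing the output of `openssl x509 -noout -modulus -in bundle.pem` with `openssl rsa -noout -modulus -in bundle.pem`, and `haproxy -c -f /etc/haproxy/haproxy.cfg` then validates the whole configuration without starting the service.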

#9

Thank you for your help. This resolved my issue.


#10

Question. While my service is now starting and working, I’m still getting the error that the cert file cannot be found. One of my certs had multiple entries.

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


#11

The private key needs to correspond to the certificates. If what’s in that file doesn’t make any sense, haproxy will complain.