Trying to install SSL Cert for use with HAPROXY. No luck

caw001 · December 18, 2018, 7:09pm

Hello,

I am trying to configure HAPROXY with a SSL Cert for our load balanced web servers. However whenever I try to restart my service, I keep getting a service failure. If I comment out the lines for the cert stuff and just do a simple http setup it works fine. Below is my config. All suggestions are welcome. Thank you for the help.

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
bind 10.1.1.33:80
stats uri /haproxy?stats
default_backend http_nextcloud

frontend www-https-public THESE DO NOT WORK
bind 192.168.1.1:443 ssl crt /etc/ssl/private/star.certhere.com.pem
mode https
reqadd X-Forwarded-Proto:\ https
default_backend http_nextcloud

frontend www-https-private THESE DO NOT WORK
bind 10.1.1.33:443 ssl crt /etc/ssl/private/star.certhere.com.pem
mode https
reqadd X-Forwarded-Proto:\ https
default_backend http_nextcloud

#Define Host Header values
acl host_nextcloud hdr(host) -i testbox.box.com

figure out which backed to use

use_backend http_nextcloud if host_nextcloud

backend http_nextcloud
balance roundrobin
cookie JSESSIONID prefix nocache
redirect scheme https if !{ ssl_fc }
server webws1 10.1.1.217:80 check
server webws2 10.1.1.224:80 check

lukastribus · December 19, 2018, 8:57am

Read the error message that haproxy throws when starting. If you cannot read it, because its hidden by your startup scripts, then stop haproxy, enable ssl and try to start it manually (haproxy -db -f <path/to/config>).

caw001 · December 20, 2018, 12:40am

Thanks for that command. It’s wonderful!

The error message I am getting is that my cert file ‘/etc/ssl/private/star.certname.com.pem’ does not exist.

[ALERT] 352/164744 (8112) : parsing [/etc/haproxy//haproxy.cfg:52] : ‘bind 10.1.1.33:443’ : unable to load SSL certificate file ‘/etc/ssl/private/star.certname.com.pem’ file does not exist.
[ALERT] 352/164744 (8112) : Error(s) found in configuration file : /etc/haproxy//haproxy.cfg
[ALERT] 352/164744 (8112) : Fatal errors found in configuration.

however when I look at that path, I can see that the file is there. Could it be that it is not recognizing it as a cert file?

itadmin@testhqloadbal:/etc/haproxy$ sudo ls /etc/ssl/private
star.certname.com.pem

lukastribus · December 20, 2018, 6:51pm

How does the file look like? Can you share the comment lines beginning with “–”.

Like grep "---" /etc/ssl/private/star.certname.com.pem

caw001 · December 20, 2018, 10:26pm

-----BEGIN RSA PRIVATE KEY-----
lahsdfhasl;f blah blah balh
-----END RSA PRIVATE KEY-----

lukastribus · December 20, 2018, 10:50pm

Well the is no certificate in there. Only a private key.

You need private key, intermediate and actual certificate all in that file.

caw001 · December 27, 2018, 4:53pm

Do I just copy the contents of each individual file to a single file? Do they need to be in any certain order?

lukastribus · December 27, 2018, 5:05pm

Certificate, intermediate certificate, private key all in one file and in that order, so that it looks like:

# grep \- cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
#

caw001 · January 4, 2019, 4:27pm

Thank you for your help. This resolved my issue.

caw001 · January 7, 2019, 6:02pm

Question. While my service is now starting and working, I’m still getting the error that the cert file cannot be found. One of my certs had multiple entries.

lukastribus · January 7, 2019, 9:32pm

The private key needs to correspond to the certificates. If what’s in that file doesn’t make any sense, haproxy will complain.

Topic		Replies	Views
Dovecot SSL Cert Problem Help!	4	3416	April 29, 2017
Only HTTPS 502,521 error Help!	0	854	July 3, 2018
Haproxy w/ssl 'SSL handshake failure' Help!	3	7355	February 10, 2023
Help me please , I have failed to start HAproxy Help!	2	577	July 5, 2019
Configuration ssl <NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- Configuration Samples	4	1777	February 13, 2023

Trying to install SSL Cert for use with HAPROXY. No luck

figure out which backed to use

Related topics