Unable to load SSL certificate from PEM file

Hello,

I’ve been playing around with HAProxy and trying to get familiar with it. I have a very simple website that’s hosted in my test environment and I’m trying to configure TLS. I have a test CA and I created a test certificate for the website.

I watched this video that explains how to configure SSL termination. Here’s the relevant HAProxy config section:

frontend web
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certs/test.pem
        http-request redirect scheme https unless { ssl_fc }
        default_backend web_servers

However, when I try to start HAProxy, it just fails with the following error:

[ALERT] 122/133953 (104625) : parsing [/etc/haproxy/haproxy.cfg:38] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/certs/test.pem'.
[ALERT] 122/133953 (104625) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 122/133953 (104625) : Fatal errors found in configuration.

Here’s a truncated version of the “test.pem” file:

-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCUlMx
...
phVmAYNptCANXXZdYZ5yy/Y8pakwughid4uVfuvDQlw7UpAwJl2MXSYFYRY7bA==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYZtapaG2jPlgA
...
QAQqKv5188rXR5EARoZ2e2Uy
-----END PRIVATE KEY-----

Just want to clarify that I tried numerous different concatenation combinations in this file (key → crt → ca, key → crt, crt → key, etc…), but according to the documentation for the “crt” option, the order is not important.

Speaking of documentation, the “crt” option doesn’t mention whether HAProxy checks for specific options in the certificate (key usage, extended key usage, etc…), so I’m not sure if that’s important. Although, I did use the discourse.haproxy.org certificate as a reference.

I also tried adding the ca-ignore-err all and crt-ignore-err all options, but there was no difference. Increasing the log verbosity level to “debug” does not yield any additional information either.

I went through a few similar topics here and other places, but none seem to provide a definitive answer on what’s going on. Most of the time, it was just user error with incorrectly naming the file, incorrect formatting or ordering of the key and certificate (although that should not matter). Might be the same issue here, but I’m just not seeing it…

I’d appreciate it if anyone could make any suggestions on what might be causing this; I’m out of ideas.

Thanks,
Igor

OK, finally figured it out. The problem was with the “keyUsage” options that were used while generating the certificate. Specifically, it was the basicConstraints=CA:FALSE option. Once again, the order of the key and certificate is not relevant in the PEM file, and it is not required to include the certificate chain.

Didn’t find anything in the documentation that mentions this, and the error log was not very meaningful in this case. But other than that, it’s working great now; this is a nice piece of open source software.
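The thread above shows that HAProxy's "unable to load SSL certificate from PEM file" alert gives no detail about which part of the bundle it rejected. The following pre-flight check is an added example written for this thread, not code from the original posts or from the HAProxy project. It assumes the openssl command-line tool is installed and that the bundle path is passed as the first argument. It counts the CERTIFICATE and PRIVATE KEY blocks, confirms that the private key actually belongs to the leaf certificate (the most common cause of this alert), and prints the basicConstraints and keyUsage extensions so they can be compared against a known-good certificate, as the original poster did with the discourse.haproxy.org one. Like HAProxy, openssl locates each block by its PEM header, so the check passes regardless of whether the key or the certificate comes first.

```shell
#!/bin/sh
# pem_check BUNDLE.pem
#   Inspect a combined HAProxy "crt" bundle (certificate + private key).
#   Exit 0 when the file holds at least one certificate and exactly one
#   private key, and the key's public half matches the leaf certificate;
#   exit 1 on any structural or key-mismatch problem, 2 if unreadable.
#   Added example for the forum thread above; assumes the openssl CLI.
pem_check() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # Count PEM blocks by header. "|| true" keeps a zero count from being
    # treated as a failure when the caller runs with "set -e".
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    echo "certificates: $certs, private keys: $keys"
    [ "$certs" -ge 1 ] || { echo "no CERTIFICATE block found" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected exactly one PRIVATE KEY block" >&2; return 1; }

    # openssl x509 reads the first CERTIFICATE block it finds (the leaf when a
    # chain is appended after it); openssl pkey skips ahead to the key block.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "certificate block does not parse" >&2; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "private key block does not parse (encrypted or corrupt?)" >&2; return 1; }

    # Both commands emit a SubjectPublicKeyInfo in PEM form, so a plain
    # string comparison tells us whether the key belongs to this certificate.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "KEY MISMATCH: private key does not belong to the leaf certificate" >&2
        return 1
    fi
    echo "private key matches the leaf certificate"

    # Show identity, validity and the extensions the thread asks about.
    openssl x509 -in "$pem" -noout -subject -enddate
    openssl x509 -in "$pem" -noout -text \
        | grep -A1 -E 'Basic Constraints|Key Usage' \
        || echo "(no basicConstraints / keyUsage extension present)"
    return 0
}

# Stand-alone usage: ./pem_check.sh /etc/haproxy/certs/test.pem
if [ -n "$1" ]; then
    pem_check "$1"
fi
```

A bundle that passes this check but still trips the alert narrows the problem to the certificate contents rather than to file layout; running the config loader alone with `haproxy -c -f /etc/haproxy/haproxy.cfg` exercises the same PEM loading without starting the daemon, so the two checks together give a quick edit-and-retest loop.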