Hello,
I’ve been playing around with HAProxy and trying to get familiar with it. I have a very simple website that’s hosted in my test environment and I’m trying to configure TLS. I have a test CA and I created a test certificate for the website.
I watched this video that explains how to configure SSL termination. Here’s the relevant HAProxy config section:
frontend web
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/test.pem
http-request redirect scheme https unless { ssl_fc }
default_backend web_servers
However, when I try to start HAProxy, it just fails with the following error:
[ALERT] 122/133953 (104625) : parsing [/etc/haproxy/haproxy.cfg:38] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/certs/test.pem'.
[ALERT] 122/133953 (104625) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 122/133953 (104625) : Fatal errors found in configuration.
Here’s a truncated version of the “test.pem” file:
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMCUlMx
...
phVmAYNptCANXXZdYZ5yy/Y8pakwughid4uVfuvDQlw7UpAwJl2MXSYFYRY7bA==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDYZtapaG2jPlgA
...
QAQqKv5188rXR5EARoZ2e2Uy
-----END PRIVATE KEY-----
Just want to clarify that I tried numerous different concatenation combinations in this file (key → crt → ca, key → crt, crt → key, etc…), but according to the documentation for the “crt” option, the order is not important.
Speaking of documentation, the “crt” option doesn’t mention if HAProxy checks for specific options in the certificate (key usage, extended key usage, etc…), so I’m not sure if that’s important. Although, I did use the discourse.haproxy.org certificate as a reference.
I also tried adding the ca-ignore-err all and crt-ignore-err all options, but there was no difference. Increasing the log verbosity level to “debug” does not yield any additional information either.
I went through a few similar topics here and other places, but none seem to provide a definitive answer on what’s going on. Most of the time, it was just user error with incorrectly naming the file, incorrect formatting or ordering of the key and certificate (although that should not matter). Might be the same issue here, but I’m just not seeing it…
I’d appreciate it if anyone could make any suggestions on what might be causing this; I’m out of ideas.
Thanks,
Igor
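A quick way to narrow down an "unable to load SSL certificate from PEM file" error is to check the file the same way the proxy does, independently of HAProxy. The script below is an added example, not part of the original post and not HAProxy's own code: it does a few structural checks on a combined PEM (which block labels are present, whether each base64 body decodes, whether the key is passphrase-protected, stray CR or NUL bytes, loose file permissions) and then asks Python's standard-library `ssl` module to load the file, which goes through OpenSSL, the library HAProxy is typically built against, so a mismatched key/certificate pair or a malformed block fails here with the underlying reason instead of a one-line alert. The sample PEM bodies embedded in it are constructed placeholders, not real certificates or keys; the function names are this example's own.

```python
"""Sanity-check a HAProxy-style combined PEM (certificate + key in one file).

Usage: python check_pem.py /etc/haproxy/certs/test.pem
Exit status is 1 if anything looks wrong. Example code, not part of HAProxy.
"""
import base64
import os
import re
import ssl
import stat
import sys
import tempfile

# One PEM block: the END label must match the BEGIN label; the body is base64.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def inspect_pem_text(text):
    """Structural checks that need no crypto library.

    Returns (labels, findings): block labels in file order, and a list of
    human-readable problems. HAProxy's `crt` option wants at least one
    CERTIFICATE block and one unencrypted PRIVATE KEY block in the same file.
    """
    findings = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no PRIVATE KEY block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        findings.append("private key is passphrase-protected")
    for label, body in blocks:
        try:
            # strict decode: any stray character (e.g. a literal "...") fails
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"{label} block is not valid base64")
    if "\r" in text:
        findings.append("file contains CR characters (Windows line endings?)")
    return labels, findings


def check_pem_file(path):
    """Structural checks plus a real load through OpenSSL via the ssl module."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("ascii", errors="replace")
    labels, findings = inspect_pem_text(text)
    if raw[:3] == b"\xef\xbb\xbf" or raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        findings.append("file starts with a byte-order mark")
    if b"\x00" in raw:
        findings.append("file contains NUL bytes (UTF-16 export?)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o044:
        findings.append(f"private key readable by group/others (mode {mode:o})")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)  # needs cert and *matching* key in one file
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        findings.append(f"OpenSSL refused the file: {getattr(exc, 'reason', None) or exc}")
    return labels, findings


def write_sample(text):
    """Write a constructed sample to a mode-0600 temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


# Constructed samples: the base64 bodies are placeholders, NOT real key material.
SAMPLE_TRUNCATED = (  # a "..." line pasted into the certificate body
    "-----BEGIN CERTIFICATE-----\nQUJDRA==\n...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQUJDRA==\n-----END PRIVATE KEY-----\n"
)
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample(SAMPLE_CERT_ONLY)
    labels, findings = check_pem_file(target)
    print("blocks:", ", ".join(labels) or "(none)")
    for finding in findings:
        print("problem:", finding)
    sys.exit(1 if findings else 0)
```

Run it against the real `test.pem` as the user HAProxy runs as. If the structural checks pass but OpenSSL still refuses the file, the most common cause is that the private key does not belong to the certificate; `openssl x509 -noout -pubkey -in test.pem` and `openssl pkey -pubout -in test.pem` should print the same public key.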