Thanks, Shawn, I always have my problems with the open form of the configuration file syntax (lua ?). The docs say it is a keyword under "crt" which in turn belongs to the "bind" options.
Would it be correct to place it that way?:
frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/fullchain.pem ssl-skip-self-issued-ca
> Am 03.11.2023 um 03:50 schrieb Shawn Heisey <[email protected]>:
>
> On 11/2/2023 02:35, Christoph Kukulies wrote:
>> In /etc/letsencrypt/live/www.mydomain.org I have:
>> lrwxrwxrwx 1 root root 41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
>> lrwxrwxrwx 1 root root 42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
>> lrwxrwxrwx 1 root root 46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
>> lrwxrwxrwx 1 root root 13 Nov 1 12:12 fullchain.pem.key -> fullchain.pem
>> lrwxrwxrwx 1 root root 44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
>> lrwxrwxrwx 1 root root 11 Nov 1 12:11 privkey.pem.key -> privkey.pem
>> -rw-r--r-- 1 root root 692 Nov 13 2021 README
>> But note that the files ending in .key were put there on an experimental
>> basis, because I read somewhere in the haproxy docs that one could put a file
>> with the extension .key there and haproxy then interprets that as the private
>> key. The location of this hint escapes me for the moment.
>
> The link named 'fullchain.pem.key' is not pointing at a key. It is pointing
> at the fullchain, which as already mentioned, does NOT contain the private
> key.
>
> If you change that symlink to point at privkey.pem instead of fullchain.pem,
> haproxy might start working. You do not need the privkey.pem.key symlink.
>
> If you're going to use the fullchain file in haproxy, then you should also
> use the ssl-skip-self-issued-ca config that William mentioned so the root
> cert is not sent to browsers.
>
> Thanks,
> Shawn
>
--
Christoph
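Added example, not code from the thread or from the HAProxy project: a POSIX shell check that reproduces the failure Shawn describes. It assumes HAProxy's documented lookup rule (a "crt" file that embeds no private key is paired with a file of the same name plus ".key"), assumes openssl is on PATH, and builds its own self-signed certificate in a temporary directory instead of touching /etc/letsencrypt. It reports whether the key HAProxy would load actually matches the certificate, and how many self-issued (root) certificates the chain file carries, which is what ssl-skip-self-issued-ca is there to drop.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH and HAProxy's
# documented "<crt>.key" lookup rule; paths are created in a temp dir.

# Return 0 if FILE contains a PEM private key block, 1 otherwise.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Print the file HAProxy would load as the private key for CRT:
# CRT itself if it embeds a key, else CRT.key; fail if neither exists.
key_file_for_crt() {
    crt="$1"
    if has_private_key "$crt"; then
        printf '%s\n' "$crt"
    elif [ -f "$crt.key" ]; then
        printf '%s\n' "$crt.key"
    else
        return 1
    fi
}

# Return 0 only if the key file HAProxy would pick really holds a private
# key whose public half equals the public key of the first cert in CRT.
# A "fullchain.pem.key -> fullchain.pem" symlink fails here, as in the thread.
crt_key_match() {
    crt="$1"
    key=$(key_file_for_crt "$crt") || return 1
    has_private_key "$key" || return 1
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print the number of self-issued certs (subject == issuer) in a PEM chain.
# A Let's Encrypt fullchain.pem normally has none; a chain that also carries
# the root CA has one, and that is what ssl-skip-self-issued-ca strips.
count_self_issued() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null \
      | awk '/^subject=/ {s=substr($0,9)}
             /^issuer=/  {if (substr($0,8)==s) n++}
             END {print n+0}'
}

# Constructed input: a throwaway self-signed cert laid out like the
# letsencrypt live directory (privkey.pem and fullchain.pem separate).
make_demo_dir() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.example.test' \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" >/dev/null 2>&1
    printf '%s\n' "$d"
}

demo() {
    d=$(make_demo_dir)
    # Wrong symlink from the thread: the ".key" file is the chain, not the key.
    ln -sf fullchain.pem "$d/fullchain.pem.key"
    if crt_key_match "$d/fullchain.pem"; then echo "wrong symlink: match"
    else echo "wrong symlink: key does not match (HAProxy would refuse)"; fi
    # Shawn's fix: point the ".key" symlink at privkey.pem.
    ln -sf privkey.pem "$d/fullchain.pem.key"
    if crt_key_match "$d/fullchain.pem"; then echo "fixed symlink: match"
    else echo "fixed symlink: still no match"; fi
    echo "self-issued certs in chain: $(count_self_issued "$d/fullchain.pem")"
    rm -rf "$d"
}

demo
```

Run it as `sh check_crt.sh`; for a real deployment, call `crt_key_match /etc/haproxy/fullchain.pem` from the same shell after sourcing the functions. The self-signed demo certificate is its own root, so `count_self_issued` reports 1 for it; a real fullchain.pem that ends at the intermediate reports 0, and a non-zero count is the signal that ssl-skip-self-issued-ca is worth setting.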