Hi Alex,

On Sun, Feb 10, 2013 at 08:46:46PM +0000, Alex Davies wrote:
> Hi All,
> 
> I saw some traffic on the list from Guillaume and others about this, but I
> thought I'd confirm a real world production use of a GoDaddy[1] SSL
> certificate (which requires an intermediate certificates for some use
> cases, specifically Java applications).
> 
> I used the following line in haproxy.cfg:
> 
>     bind :443 ssl crt /path/to/domain.com.crt ca-file /path/to/ca.pem ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
> 
> In /path/to/domain.com.crt, I have
> My private key (the one used to generate the CSR)
> The final certificate for my domain (downloaded from the provider)
> The intermediate certificate (from the .zip file with the CA bundle
> provided by godaddy)
> 
> In /path/to/ca.pem I just took the gd_bundle file provided by GoDaddy.
> 
> I took the ciphers restriction from an exceliance blog post[2]; it seems to
> effectively shut up the BEAST attack alerts on the SSL checker websites.
> 
> I found the utility at https://www.digicert.com/util/ and the online check
> at https://www.ssllabs.com/ssltest/ super useful.
> 
> I wonder if it might be helpful to amend the "crt <cert>" documentation to
> say that Intermediate certificates should be loaded with this (either with
> multiple crt lines, or concatenation as it already says). This was not
> obvious to me, and I spent some time failing to get it working using the
> intermediate certificate within the SSL.
> 
> I have said it before, but I'd like to say it again - HAProxy is awesome,
> and the removal of one more chain in the link is fantastic. Thanks guys!

Thank you for the informative feedback. You're right, if it took you some
time to figure out how to do this, then the doc needs to be updated. Could you
propose some prose that you think would have helped you? That would be
really great. Do you think it would also be worth adding some scripts in
the contrib/ directory to better handle the certificates concatenation
into a single file? Or maybe to check some certs, I don't know. You surely
have ideas after all the tests you've performed!

> Thanks,
> 
> -Alex
> 
> [1] Godaddy ask you to choose your type of SSL provider. I selected "nginx"
> as I have used that before, but for some reason it does not provide the
> intermediate certificate in this case. Select Apache Tomcat to get a zip
> file with both gd_bundle and the intermediate Cert.

This could go into the doc as well, until they add "haproxy" :-)

Cheers,
Willy
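As an added illustration of the concatenation and check script discussed above (example code, not part of the thread and not HAProxy's contrib/ code): it assembles the single "crt" file from the private key, the site certificate and the CA bundle, and lints a crt file for the failure Alex ran into, an intermediate that never made it into the file. The PEM bodies below are constructed placeholders, not real keys or certificates.

```python
import re
import textwrap

# One PEM block: the label from the BEGIN line and the base64 body between
# the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) pairs, body stripped of whitespace so the same
    certificate compares equal wherever it was copied from."""
    return [(label, re.sub(r"\s+", "", body))
            for label, body in PEM_BLOCK.findall(text)]

def render(block):
    """Re-emit a block as PEM with the usual 64-column base64 lines."""
    label, body = block
    return "\n".join(["-----BEGIN %s-----" % label] + textwrap.wrap(body, 64)
                     + ["-----END %s-----" % label])

def build_crt(key_pem, leaf_pem, bundle_pem):
    """Assemble the single file HAProxy's 'crt' expects: private key,
    then the site certificate, then the CA's intermediate(s)."""
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    leaf = [b for b in pem_blocks(leaf_pem) if b[0] == "CERTIFICATE"]
    inter = [b for b in pem_blocks(bundle_pem) if b[0] == "CERTIFICATE"]
    if len(keys) != 1 or len(leaf) != 1 or not inter:
        raise ValueError("need exactly one key, one certificate and "
                         "at least one intermediate")
    return "\n".join(render(b) for b in keys + leaf + inter) + "\n"

def check_crt(crt_pem, ca_pem):
    """Lint a crt file against ca.pem; returns a list of problems
    (an empty list means the file looks complete)."""
    blocks = pem_blocks(crt_pem)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    ca_bodies = {b[1] for b in pem_blocks(ca_pem) if b[0] == "CERTIFICATE"}
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    if len(certs) < 2:
        problems.append("only %d certificate(s): intermediate missing" % len(certs))
    if certs and not any(c[1] in ca_bodies for c in certs):
        problems.append("no certificate in crt matches anything in ca.pem")
    return problems

# Constructed sample inputs: placeholder base64 bodies, not real material.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
GD_BUNDLE = ("-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n")
```

Run `check_crt` on the file before pointing `bind ... ssl crt` at it; a crt with only the key and the site certificate is reported as missing its intermediate.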

