Thanks for the feedback. I've got it working by splitting the cert & key from the root and intermediate CAs like this:

bind <<ip>>:443 ssl crt /etc/pki/tls/certs/<<domain>>.pem ca-file /etc/pki/tls/certs/<<domain>>.ca.pem

Now HAProxy is working nicely with SSL :D

Thanks,
Tim

On Tue, Apr 23, 2013 at 7:19 PM, Ian Scott <[email protected]> wrote:
> On 04/23/2013 06:31 AM, Tim Verhoeven wrote:
>>
>> Hi,
>>
>> I'm trying to get haproxy 1.5 dev18 to load my production certificate
>> (it is working fine with a self-signed one). And I'm getting this
>> error:
>>
>> [ALERT] 112/151354 (11224) : parsing [/etc/haproxy/haproxy.cfg:69] :
>> 'bind <<ip>>:443' : unable to load SSL private key from PEM file
>> '/etc/pki/tls/certs/<<prodcrt>>.pem'.
>> [ALERT] 112/151354 (11224) : Error(s) found in configuration file :
>> /etc/haproxy/haproxy.cfg
>> [ALERT] 112/151354 (11224) : Proxy 'https-in': no SSL certificate
>> specified for bind '<<ip>>:443' at [/etc/haproxy/haproxy.cfg:69] (use
>> 'crt').
>> [ALERT] 112/151354 (11224) : Fatal errors found in configuration.
>> Errors in configuration file, check with haproxy check.
>>
>> This cert is an EV multidomain one from Digicert and uses an
>> intermediate cert. I made the pem file by concatenating all the keys
>> and certs like this:
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> -----BEGIN INTERMEDIATE CERTIFICATE-----
>> -----END INTERMEDIATE CERTIFICATE-----
>> -----BEGIN ROOT CERTIFICATE-----
>> -----END ROOT CERTIFICATE-----
>
>
> The private key should go after your certificate, not before. The rest of
> your order is OK. So:
> cat mycrt.pem mykey.pem intermediate.pem root.pem > combined.pem
>
> Ian

--
Tim Verhoeven - [email protected] - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the "microsoft
approach to programming" and should never be allowed.
(Linus Torvalds)
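
Added example, not part of the original message or of HAProxy: a small Python check that lists the PEM blocks of a bundle in file order and flags labels outside the usual certificate and private-key names, run on a constructed copy of the layout quoted above. The label sets and the one-key-per-file rule are assumptions of this sketch, and the block bodies are placeholders.

```python
import re

# PEM labels expected in a cert+key bundle (assumption: RFC 7468 / OpenSSL names).
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def pem_labels(text):
    """Return the labels of all PEM blocks in `text`, in file order."""
    labels, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MARKER.match(line.strip())
        if not m:
            continue  # base64 body or stray text between blocks
        kind, label = m.groups()
        if kind == "BEGIN":
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside {current!r} block")
            current = label
        else:
            if label != current:
                raise ValueError(f"line {lineno}: END {label!r} does not close {current!r}")
            labels.append(label)
            current = None
    if current is not None:
        raise ValueError(f"unterminated {current!r} block")
    return labels

def lint_bundle(text):
    """Return findings for a PEM file meant for a `crt` argument."""
    labels = pem_labels(text)
    findings = [f"non-standard label {l!r}" for l in labels
                if l not in CERT_LABELS | KEY_LABELS]
    keys = sum(l in KEY_LABELS for l in labels)
    if keys != 1:  # assumption of this sketch: one private key per crt file
        findings.append(f"expected 1 private key, found {keys}")
    if not any(l in CERT_LABELS for l in labels):
        findings.append("no CERTIFICATE block")
    return findings

def block(label):  # constructed sample block; body is a placeholder, not key material
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

# Constructed samples: the layout quoted in the thread, and a cert+key-only file.
ORIGINAL = "".join(block(l) for l in ("RSA PRIVATE KEY", "CERTIFICATE",
                                      "INTERMEDIATE CERTIFICATE", "ROOT CERTIFICATE"))
SPLIT = block("CERTIFICATE") + block("RSA PRIVATE KEY")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("split", SPLIT)):
        print(name, pem_labels(text), lint_bundle(text))
```

The check only reads the BEGIN/END markers, so it can be run on a real bundle without printing any key material.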

