Hi, Providing your configuration would help. It seems you forget to load certificates in your haproxy configuration.
Baptiste On Tue, Sep 3, 2013 at 12:03 PM, Rezhna Hoshyar <[email protected]> wrote: > Dear, > > Thanks a lot for your reply which I followed and produced the following: > > [root@haproxy ~]# ll /etc/haproxy/certs/ > total 88 > -rw-r--r-- 1 root root 1960 Sep 3 00:46 ca2.crt > -rw-r--r-- 1 root root 3243 Sep 3 00:46 ca2.key > -rw-r--r-- 1 root root 1048 Sep 3 00:46 ca_crl.pem > -rw-r--r-- 1 root root 2029 Sep 3 00:46 ca.crt > -rw-r--r-- 1 root root 3243 Sep 3 00:46 ca.key > -rw-r--r-- 1 root root 3989 Sep 3 00:46 ca.pem > -rw-r--r-- 1 root root 1342 Sep 3 00:46 client1.crt > -rw-r--r-- 1 root root 660 Sep 3 00:46 client1.csr > -rw-r--r-- 1 root root 887 Sep 3 00:46 client1.key > -rw-r--r-- 1 root root 1342 Sep 3 00:46 client2.crt > -rw-r--r-- 1 root root 660 Sep 3 00:46 client2.csr > -rw-r--r-- 1 root root 887 Sep 3 00:46 client2.key > -rw-r--r-- 1 root root 1306 Sep 3 00:46 client_company.crt > -rw-r--r-- 1 root root 660 Sep 3 00:46 client_company.csr > -rw-r--r-- 1 root root 887 Sep 3 00:46 client_company.key > -rw-r--r-- 1 root root 1342 Sep 3 00:46 client_expired.crt > -rw-r--r-- 1 root root 660 Sep 3 00:46 client_expired.csr > -rw-r--r-- 1 root root 887 Sep 3 00:46 client_expired.key > -rw-r--r-- 1 root root 1342 Sep 3 00:46 server.crt > -rw-r--r-- 1 root root 660 Sep 3 00:46 server.csr > -rw-r--r-- 1 root root 891 Sep 3 00:46 server.key > -rw-r--r-- 1 root root 2233 Sep 3 00:46 server.pem > > But when I restarted the haproxy , I got the following error: > > [root@haproxy haproxy]# service haproxy restart > [ALERT] 245/025407 (2270) : parsing [/etc/haproxy/haproxy.cfg:71] : 'bind > *:443' : unable to load SSL private key from PEM file > '/etc/haproxy/certs/ca_crl.pem'. > [ALERT] 245/025407 (2270) : Error(s) found in configuration file : > /etc/haproxy/haproxy.cfg > [ALERT] 245/025407 (2270) : Proxy 'https_frontend': no SSL certificate > specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:71] (use 'crt'). > [ALERT] 245/025407 (2270) : Fatal errors found in configuration. > Errors in configuration file, check with haproxy check. > > Thanks for your help my friend > > Rezhna > > -----Original Message----- > From: Baptiste [mailto:[email protected]] > Sent: Monday, September 2, 2013 10:41 PM > To: Nick Jennings > Cc: Rezhna Hoshyar; Lukas Tribus; [email protected] > Subject: Re: https with haproxy > > Rezhna, > > You can start with a script I used when I wrote some blog articles about > HAProxy and SSL: > https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level > > You'll be able to generate selfsigned certificates. > > Good luck, > Baptiste > > > > On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings <[email protected]> wrote: >> http://www.startssl.com >> >> >> >> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar >> <[email protected]> >> wrote: >>> >>> Dear, >>> >>> Could you please tell me how I can get free ssl certificate as I >>> tried many ways mentioned on Internet , but none of them were useful >>> >>> Rezhna >>> >>> -----Original Message----- >>> From: Baptiste [mailto:[email protected]] >>> Sent: Sunday, September 1, 2013 9:44 PM >>> To: Rezhna Hoshyar >>> Cc: Lukas Tribus; [email protected] >>> Subject: Re: https with haproxy >>> >>> Hi Rezhna, >>> >>> Use the "http-request redirect scheme" to do this, as example: >>> http-request redirect scheme https if ! { ssl_fc } >>> >>> It will force HTTPs whatever the hostname is. >>> As Lukas stated, you have to own the certificate and the frontend / >>> backend must be in mode http. >>> >>> Baptiste >>> >>> >>> >>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar >>> <[email protected]> >>> wrote: >>> > >>> > Hi, >>> > >>> > Actually we want to apply it for our company web sites. >>> > >>> > Rezhna >>> > >>> > -----Original Message----- >>> > From: Lukas Tribus [mailto:[email protected]] >>> > Sent: Sunday, September 1, 2013 5:44 PM >>> > To: Rezhna Hoshyar >>> > Cc: [email protected] >>> > Subject: RE: https with haproxy >>> > >>> > Hi, >>> > >>> >> My question is about how to use https with haproxy , not avoiding it. >>> > >>> > Compile haproxy 1.5 with SSL support and enable it. You can find >>> > details in doc/ and some generic examples in examples/. >>> > >>> > >>> > >>> >> I can use haproxy to redirect http://google.com to >>> >> http://yahoo.com, but I cannot do that with https://google.com. >>> > >>> > Well, do you have a certificate for google.com (or whatever website >>> > you need to redirect)? You cannot do this without a valid >>> > certificate, otherwise HTTPS would not make any sense. >>> > >>> > >>> > >>> > Regards, >>> > >>> > Lukas >>> > >>> > -- >>> > This message has been scanned for viruses and dangerous content by >>> > MailScanner, and is believed to be clean. >>> > >>> > >>> >>> -- >>> This message has been scanned for viruses and dangerous content by >>> MailScanner, and is believed to be clean. >>> >>> >> > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. >
