On Dec 19, 2017 20:46, "Andrew Heberle" <[email protected]> wrote:
I am attempting to utilise certificate bundles so we can have multi-type
certs in haproxy; however, this seems non-functional.
I have two cert bundles as follows (only testing with RSA certs at the
moment):
/etc/haproxy/ssl # ls -l /etc/haproxy/ssl/
total 16
-rw-r--r-- 1 root root 1184 Dec 20 01:39 test1.pem.issuer.rsa
-rw-r--r-- 1 root root 2888 Dec 20 01:26 test1.pem.rsa
-rw-r--r-- 1 root root 1184 Dec 20 01:40 test2.pem.issuer.rsa
-rw-r--r-- 1 root root 2888 Dec 20 01:30 test2.pem.rsa
With the following config of my two front-ends:
frontend test1
    bind *:5000 ssl crt test1.pem
    default_backend app1
frontend test2
    bind *:5001 ssl crt test2.pem
    default_backend app2
But this then fails:
/etc/haproxy/ssl # haproxy -f /etc/haproxy/haproxy.cfg -c
[ALERT] 353/014339 (59) : parsing [/etc/haproxy/haproxy.cfg:34] : 'bind *:5000' : unable to stat SSL certificate from file '/etc/haproxy/ssl/test1.pem' : No such file or directory.
Refer to the documentation.
There is no implied extension for the specified filename, such as ".rsa".
The "crt" directive expects the exact path to a single file containing the
certificate AND chain AND private key.
crt <cert>
This setting is only available when support for OpenSSL was built in. It
designates a PEM file containing both the required certificates and any
associated private keys. This file can be built by concatenating multiple
PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
requires an intermediate certificate, this can also be concatenated into this
file.
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.1-crt
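As an added example (not from this thread and not haproxy's own tooling), the checker below builds a combined PEM the way the quoted documentation describes, `cat cert.pem key.pem > combined.pem` with the intermediate appended, and then inspects the result for the blocks a `crt` file must contain before the bind line is pointed at it. The PEM bodies in the sample are constructed placeholder text, not real certificates or keys; the leaf-first ordering check reflects the usual PEM chain convention and is an assumption of this example rather than something stated in the thread.

```python
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
# re.S lets the body span several lines, as real base64 PEM bodies do.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# Labels OpenSSL uses for unencrypted and encrypted private keys.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"


def combine_bundle(cert_pem, chain_pem, key_pem):
    """Concatenate leaf cert, intermediate(s) and key into one file body,
    the same thing `cat cert.pem chain.pem key.pem > combined.pem` does."""
    parts = [p if p.endswith("\n") else p + "\n" for p in (cert_pem, chain_pem, key_pem) if p]
    return "".join(parts)


def inspect_bundle(text):
    """Return the ordered list of PEM labels plus cert/key counts."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    return {
        "blocks": labels,
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": sum(1 for l in labels if l in PRIVATE_KEY_LABELS or l == ENCRYPTED_KEY_LABEL),
    }


def check_bundle(text):
    """Return a list of problems; an empty list means the file has the shape
    haproxy's `crt` directive expects (cert, chain and key in one PEM)."""
    info = inspect_bundle(text)
    problems = []
    if info["certificates"] == 0:
        problems.append("no certificate block found")
    if info["private_keys"] == 0:
        problems.append("no private key block found; haproxy needs the key in the same file")
    elif info["private_keys"] > 1:
        problems.append("more than one private key block found")
    if ENCRYPTED_KEY_LABEL in info["blocks"]:
        problems.append("private key is encrypted; haproxy cannot prompt for a passphrase at bind time")
    # Assumption of this example: the server (leaf) certificate should be the first block,
    # followed by intermediates, which is the usual PEM chain ordering.
    if info["blocks"] and info["blocks"][0] != "CERTIFICATE":
        problems.append("first block is not a certificate; put the leaf certificate first")
    return problems


def pem_block(label, body):
    # Builds a constructed PEM block for the sample data below; the body is
    # placeholder base64 text, not a real DER encoding.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs (placeholders, not real key material).
SAMPLE_LEAF = pem_block("CERTIFICATE", "Q09OU1RSVUNURURfTEVBRg==")
SAMPLE_ISSUER = pem_block("CERTIFICATE", "Q09OU1RSVUNURURfSVNTVUVS")
SAMPLE_KEY = pem_block("RSA PRIVATE KEY", "Q09OU1RSVUNURURfS0VZ")

if __name__ == "__main__":
    combined = combine_bundle(SAMPLE_LEAF, SAMPLE_ISSUER, SAMPLE_KEY)
    print(inspect_bundle(combined))
    print("combined bundle problems:", check_bundle(combined))
    print("cert-only file problems:", check_bundle(SAMPLE_LEAF))
```

Running the checker over the `.pem.rsa` files from the original post would report which of them already hold a key, and running it over the combined output is a quick sanity check before `haproxy -c` is invoked.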