Alberto wrote:

> For example, if you've bought your wildcard cert from Comodo, it would go like this:
>
> cat STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt STAR_your_domain.key > STAR_your_domain.pem

I don’t believe you should include the Comodo Root certificate (or any root certificate) in your HAProxy certificate file. You would just be wasting the client’s time downloading this certificate as they will never trust a root certificate delivered by your application.

SSLLabs will report a “Chain Issue” if it detects a root certificate in the HAProxy configuration:

https://community.qualys.com/thread/15724
https://www.ssllabs.com/ssltest/analyze.html

From: Alberto Oliveira <[email protected]>
Sent: Monday, November 26, 2018 10:44 PM
To: [email protected]
Cc: [email protected]
Subject: Re: SSL certs

Hello Azim,

HAProxy itself doesn't manage SSL certs so you should already have one, buy one or generate one for free using Let's Encrypt (https://letsencrypt.org/).

You can find multiple sources to guide you on how to use SSL certs on HAProxy:

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
https://serverfault.com/q/560978/241849
https://gist.github.com/sethwebster/b48d7c872fe397c1db11

Basically you have to concatenate your certs and key to generate a pem file that's valid for HAProxy. They don't really need to be converted for this, just concatenated.

For example, if you've bought your wildcard cert from Comodo, it would go like this:

cat STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt STAR_your_domain.key > STAR_your_domain.pem

Or if you generated the certs using Let's Encrypt you would have to only concatenate two files:

cat fullchain.pem privkey.pem > your_domain.pem

Although it seems complicated at first, it's simple once you go through with it.

Does that make sense to you? Please feel free to reply with any problem you encounter or to tell us if this solves your issue.

Best regards,
Alberto

On Mon, 26 Nov 2018 at 23:54, Azim Siddiqui <[email protected]> wrote:

Hello,

Hope you are doing good. We are using HAProxy in our company. But the SSL certs have expired. I want to renew them. As I can see, HAProxy only takes .pem format for certs. So what files should be included in that .pem file? And can you please tell me how to convert the certs to .pem?

Thanks & Regards,
Azeem
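
The two points raised in this thread (concatenate leaf, intermediates and key; do not ship the root) can be combined in one helper. The following is an added example, not part of the original e-mails: the function names are hypothetical, each input file is assumed to hold exactly one PEM certificate, and the `openssl` command-line tool is assumed to be installed.

```shell
# Added example (not from the thread). Assembles leaf + intermediates + key
# into one PEM file for HAProxy and leaves out any root certificate.

# True when subject and issuer names are identical, i.e. a root certificate.
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# build_haproxy_pem OUT KEY LEAF [CHAIN_CERT...]
build_haproxy_pem() {
    local out="$1" key="$2" leaf="$3" c
    shift 3
    key_matches_cert "$key" "$leaf" || { echo "key does not match $leaf" >&2; return 1; }
    (
        umask 077    # the output file contains the private key
        # Re-emitting through openssl guarantees a newline after each END line,
        # which plain cat does not when an input file lacks one.
        openssl x509 -in "$leaf" > "$out" || exit 1
        for c in "$@"; do
            if is_self_signed "$c"; then
                echo "skipping root certificate: $c" >&2
            else
                openssl x509 -in "$c" >> "$out" || exit 1
            fi
        done
        cat "$key" >> "$out"
    )
}
```

With the Comodo file names from the thread, `build_haproxy_pem STAR_your_domain.pem STAR_your_domain.key STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt` would write the leaf, the two intermediates and the key, and skip the root.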

