On 7/7/2021 6:45 AM, Anilton Silva Fernandes wrote:
> Hi there.
> Can I get some help from you?
> I'm configuring HAProxy as a frontend on HTTPS with certificate and I
> want clients to be redirected to BACKEND on HTTPS as well (443) but I
> want clients to see only HAProxy certificate, as the backend one is
> not valid.
<snip>
> The second one is what we would like, but does not work and says some
> errors:
> [ALERT] 187/114337 (7823) : parsing [/etc/haproxy/haproxy.cfg:85] :
> 'bind *:443' : unable to load SSL private key from PEM file
> '/etc/ssl/cvt.cv/accounts_cvt.pem'.

The error is shown clearly. It's telling you that the private key is
not contained in the file you mentioned for your certificate.

For haproxy, the certificate file must contain three things: 1) The
server certificate. 2) Any intermediate certificates. 3) The private
key for the server certificate. Order is not important for 2 and 3, but
I'm pretty sure the first certificate in the file must be the server
cert. The root certificate is usually not required -- the end-user's
browser should already contain that. I am not aware of any way to
specify the private key in a separate file, but one might exist that I
have never seen.

My certificate files also contain a fourth item - "DH PARAMETERS",
generated with "openssl dhparam 2048". Each certificate gets its own
dhparam, and it is regenerated each time I renew the cert.

Thanks,
Shawn
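
A pre-reload check for the file layout described in the reply above, as an added example that is not part of the original message or of HAProxy itself. The function names and sample file names are hypothetical, the PEM bodies are constructed placeholders, and the "first block must be the server certificate" rule is taken from the reply's own assumption.

```shell
#!/bin/sh
# Added example: inspects PEM block labels only; it does not verify that the
# private key actually belongs to the certificate.

# Print the label of each PEM block in file order, one per line.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Return 0 if the file has the layout described in the reply, 1 otherwise.
# Each problem found is printed on its own line.
check_haproxy_pem() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    labels=$(pem_labels "$1")
    first=$(printf '%s\n' "$labels" | head -n 1)
    certs=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    keys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    rc=0
    if [ "$first" != "CERTIFICATE" ]; then
        echo "first block is '${first:-none}', expected the server CERTIFICATE"
        rc=1
    fi
    if [ "$keys" -eq 0 ]; then
        echo "no PRIVATE KEY block (matches 'unable to load SSL private key')"
        rc=1
    fi
    if [ "$certs" -eq 1 ]; then
        echo "note: only one CERTIFICATE block, no intermediates included"
    fi
    return "$rc"
}

# Emit a constructed PEM block; the body is placeholder text, not key material.
fake_block() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# Build constructed sample files in the directory given as $1.
make_samples() {
    { fake_block CERTIFICATE; fake_block CERTIFICATE; } > "$1/cert_only.pem"
    { fake_block CERTIFICATE; fake_block CERTIFICATE
      fake_block 'PRIVATE KEY'; fake_block 'DH PARAMETERS'; } > "$1/combined.pem"
    { fake_block 'RSA PRIVATE KEY'; fake_block CERTIFICATE; } > "$1/key_first.pem"
}

# Stand-alone use: pass the PEM file named on the "bind ... ssl crt" line.
if [ "$#" -gt 0 ]; then check_haproxy_pem "$1"; fi
```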