William, Shawn, apologies for responding with delay. I've been offline for the past 24 hours. Here is more information:
root@mail:/etc/haproxy# /usr/sbin/haproxy --version
HAProxy version 2.4.22-0ubuntu0.22.04.2 2023/08/14 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.22.html
Running on: Linux 5.15.0-87-generic #97-Ubuntu SMP Mon Oct 2 21:09:21 UTC 2023 x86_64

Here is my haproxy.cfg.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/apache2/certs
    crt-base /etc/ssl/apache2/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-dh-param-file /etc/haproxy/dhparams.pem
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    log global
    mode http
    compression algo gzip
    compression type text/html text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy application/atom+xml application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest
    balance roundrobin
    option dontlog-normal
    option dontlognull
    option httpclose
    option forwardfor

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/letsencrypt/live/www.mydomain.org/fullchain.pem
    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend website
    log /dev/log local2 debug
    acl is_static path_beg /export/ /opencms/ /resources/ /javadoc/ /VAADIN/ /workplace /opencms-login/
    acl is_website hdr_beg(host) -i www.mydomain.org
    use_backend website-static if is_website is_static
    use_backend website if is_website

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

backend website-static
    server www.mydomain.org 127.0.0.1:8080

backend website
    # reqirep is not supported since HAProxy 2.1; replace-path does the same /opencms/ prefixing
    http-request replace-path ^/(.*) /opencms/\1
    server www.mydomain.org 127.0.0.1:8080

> On 01.11.2023 at 23:14, William Lallemand <wlallem...@haproxy.com> wrote:
> In /etc/letsencrypt/live/www.mydomain.org I have:

lrwxrwxrwx 1 root root 41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
lrwxrwxrwx 1 root root 42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
lrwxrwxrwx 1 root root 46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
lrwxrwxrwx 1 root root 13 Nov 1 12:12 fullchain.pem.key -> fullchain.pem
lrwxrwxrwx 1 root root 44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
lrwxrwxrwx 1 root root 11 Nov 1 12:11 privkey.pem.key -> privkey.pem
-rw-r--r-- 1 root root 692 Nov 13 2021 README

But note that the files ending in .key are put there on an experimental basis, because I read somewhere in the haproxy docs that one could put a file with extension .key there and haproxy then interprets that as the private key.
Location for this hint escaped me for the moment.

--
Christoph

> On Wed, Nov 01, 2023 at 03:48:56PM -0600, Shawn Heisey wrote:
>> The LE fullchain file does not contain the key. It contains 3
>> certificates. ... the server cert, the issuing cert, and the root cert
>> ... which is not what you want. For letsencrypt, the file that you give
>> to haproxy must contain the server cert, the issuing cert, and the
>> private key.
>
> Actually you can separate the key from the chain with haproxy, but
> without the configuration it's difficult to know what it's trying to
> load.
>
> http://docs.haproxy.org/2.8/configuration.html#ssl-load-extra-files
>
> With the 'key' option it's able to load a 'file.pem.key' if you
> specified 'crt file.pem' in your configuration
>
>
>> You do not want to include the root certificate. It will be ignored
>> by the browser even if it is included, but it will probably slow down
>> TLS negotiation by a small amount. The presence of the root
>> certificate in the TLS handshake should not actually break anything in
>> most cases, but it could result in a lower score on the Qualys Labs
>> SSL test.
>>
>
> You can also ask haproxy to ignore the root CA in the configuration:
>
> http://docs.haproxy.org/2.8/configuration.html#ssl-skip-self-issued-ca
>
>
>> When my renewal script finishes, I have a file containing four things:
>> The server cert, the issuing cert, the private key, and a unique 4096
>> bit DHPARAM. This combination is ideal for haproxy.
>>
>> The version of certbot that I am using generates 256-bit ECDSA keys by
>> default. You might be thinking that a 256 bit ECDSA key cannot be as
>> secure as a 2048 bit RSA key, but that is incorrect:
>>
>> https://www.baeldung.com/cs/encryption-asymmetric-algorithms#3-key-length
>>
>> Some of the equipment I use will not work with ECDSA keys, so I have a
>> second cert with a subset of names that I build using 4096 bit RSA.
>>
>
> There are a lot of possibilities to configure this, we are trying to move
> forward to a configuration where we can specify files separately so
> there would be nothing to do in the future, but unfortunately there is
> still development to do.
>
> --
> William Lallemand
>
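The two ways of giving HAProxy its private key that the thread discusses (the key inside the PEM named by `crt`, or a sibling `<file>.key` found via ssl-load-extra-files), modelled as an added Python example that is not HAProxy's code and not from any participant. It replays the directory layout from the listing above in a temp dir and reports, for each variant, where the key would be found; the `.key` naming rule is taken from the ssl-load-extra-files link in the thread, the lookup logic is a simplified assumption, and the PEM bodies are constructed dummies whose BEGIN/END labels are all that is inspected.

```python
import re, tempfile
from pathlib import Path
# One PEM block; group 1 is its label (CERTIFICATE, PRIVATE KEY, EC PRIVATE KEY, ...).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.S)

def pem_labels(text):
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_RE.finditer(text)]

def has_private_key(text):
    return any(label.endswith("PRIVATE KEY") for label in pem_labels(text))

def resolve_key_source(crt_path, load_extra_key=True):
    """Simplified model of HAProxy's key lookup for 'bind ... ssl crt <crt_path>': key inside
    the PEM, else (ssl-load-extra-files key) '<crt_path>.key', else nothing."""
    crt_path = Path(crt_path)
    if has_private_key(crt_path.read_text()):
        return "inline"
    key_path = crt_path.with_name(crt_path.name + ".key")  # fullchain.pem -> fullchain.pem.key
    if load_extra_key and key_path.exists() and has_private_key(key_path.read_text()):
        return "extra"
    return "missing"

def build_bundle(fullchain_text, privkey_text):
    """certbot's fullchain.pem followed by privkey.pem: one file, no extra-file lookup needed."""
    return "".join(m.group(0) for m in PEM_RE.finditer(fullchain_text)) + privkey_text

def pem_block(label, body="QUJD"):
    """Constructed dummy PEM block; only the BEGIN/END label matters for these checks."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def demo():
    """Replays the layouts from the thread in a temp dir and returns each outcome."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        live = Path(d)
        (live / "fullchain.pem").write_text(pem_block("CERTIFICATE") * 2)  # leaf + issuer
        (live / "privkey.pem").write_text(pem_block("PRIVATE KEY"))
        key_link = live / "fullchain.pem.key"
        key_link.symlink_to("fullchain.pem")  # .key symlink pointing back at the chain itself
        out["key_link_to_chain"] = resolve_key_source(live / "fullchain.pem")
        key_link.unlink()
        key_link.symlink_to("privkey.pem")    # .key symlink pointing at the real private key
        out["key_link_to_privkey"] = resolve_key_source(live / "fullchain.pem")
        out["extra_files_off"] = resolve_key_source(live / "fullchain.pem", load_extra_key=False)
        bundle = live / "haproxy.pem"
        bundle.write_text(build_bundle((live / "fullchain.pem").read_text(), (live / "privkey.pem").read_text()))
        out["bundle"] = resolve_key_source(bundle)
        out["bundle_labels"] = pem_labels(bundle.read_text())
    return out
```

Running `demo()` shows that a `.key` symlink pointing at the chain itself yields no usable key, while a symlink to privkey.pem or a combined bundle does; the same check is cheap to run before a reload on real files.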