Hi Shawn,

As far as inadvertently publicly disclosing my private key is concerned: I obfuscated the excerpts of my .pem file by putting XXXXXX into the string. Destroying part of it would suffice, I think.

As far as the actual issue is concerned: It looks like haproxy (2.8) can't cope with the type of the certificate. An ECC (256 bit) one seems to be generated by the acme.sh challenge by default. I changed the line for getting the certificate from

acme.sh --issue -d www.domain1.org -d mail.domain1.org -d otherdomain.de -d mail.domain1.org -d imap.domain1.org -d smtp.domain1.org --stateless

to:

acme.sh --issue -d www.domain1.org -d mail.domain1.org -d otherdomain.de -d mail.domain1.org -d imap.domain1.org -d smtp.domain1.org --stateless --keylength 2048

That is, forcing an RSA 2048 certificate, and, wonder of wonders, this certificate worked.

Now, as far as gluing together the fullchain.pem and the private key into one file is concerned: it would be good if that can be avoided. I'm trying an approach now, to put a file fullchain.pem and fullchain.pem.key into the /etc/haproxy/certs directory and use

bind *:443 ssl crt /etc/haproxy/certs/ strict-sni

If anyone has a tip in that direction, I'd be grateful.

> On 11.11.2023 at 23:14, Shawn Heisey <hapr...@elyograg.org> wrote:
>
> On 11/11/2023 02:26, Christoph Kukulies wrote:
>> The file is definitely there and the command works on a different file, when
>> I apply it to the previously used certificate fullchain.pem.
>> The file which is not working, has the following structure:
>> -----BEGIN EC PRIVATE KEY-----
>
> I think you have just publicly disclosed the private key for your
> certificate. If so, you should immediately replace that certificate with a
> new one that uses a different key, and if it is a certificate generated by a
> public CA, see about getting it revoked.
>
> On your issue:
>
> This is very strange.
>
> I ran your command with my LE certificate and it worked.
>
> echo "show ssl cert /etc/ssl/certs/local/elyograg_org.wildcards.combined.pem" | socat /etc/haproxy/stats.socket -
>
> Then I made a copy of the certificate file as /tmp/fff/ddd and the same
> command with that file returned the error you are getting!
>
> echo "show ssl cert /tmp/fff/ddd" | socat /etc/haproxy/stats.socket -
>
> The root filesystem is ext4 and /tmp is a tmpfs (ramdisk). Unix permissions
> are not an issue, and I have never configured ACLs on this system. SELinux
> is not active, and the apparmor service is stopped/disabled. It does look
> like snapd has activated apparmor for snaps, which seems odd because the
> service is stopped.

When using the acme.sh mechanism to obtain the cert, apparmor and snapd/certbot wouldn't make sense in my situation, would they?

> root@smeagol:/var/log# apparmor_status
> apparmor module is loaded.
> 59 profiles are loaded.
> 54 profiles are in enforce mode.
>    /snap/snapd/20092/usr/lib/snapd/snap-confine
>    /snap/snapd/20092/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
>    /snap/snapd/20290/usr/lib/snapd/snap-confine
>    /snap/snapd/20290/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
>    docker-default
>    snap-update-ns.certbot
>    snap-update-ns.certbot-dns-route53
>    snap-update-ns.chromium
>    snap-update-ns.crypto
>    snap-update-ns.cups
>    snap-update-ns.firefox
>    snap-update-ns.gradle
>    snap-update-ns.snap-store
>    snap.certbot-dns-route53.hook.post-refresh
>    snap.chromium.chromedriver
>    snap.chromium.chromium
>    snap.chromium.hook.configure
>    snap.crypto.crypto
>    snap.cups.accept
>    snap.cups.cancel
>    snap.cups.cups-browsed
>    snap.cups.cupsaccept
>    snap.cups.cupsctl
>    snap.cups.cupsd
>    snap.cups.cupsdisable
>    snap.cups.cupsenable
>    snap.cups.cupsfilter
>    snap.cups.cupsreject
>    snap.cups.cupstestppd
>    snap.cups.driverless
>    snap.cups.gs
>    snap.cups.ippeveprinter
>    snap.cups.ippfind
>    snap.cups.ipptool
>    snap.cups.lp
>    snap.cups.lpadmin
>    snap.cups.lpc
>    snap.cups.lpinfo
>    snap.cups.lpoptions
>    snap.cups.lpq
>    snap.cups.lpr
>    snap.cups.lprm
>    snap.cups.lpstat
>    snap.cups.reject
>    snap.firefox.firefox
>    snap.firefox.geckodriver
>    snap.firefox.hook.configure
>    snap.firefox.hook.connect-plug-host-hunspell
>    snap.firefox.hook.disconnect-plug-host-hunspell
>    snap.firefox.hook.post-refresh
>    snap.snap-store.hook.configure
>    snap.snap-store.snap-store
>    snap.snap-store.ubuntu-software
>    snap.snap-store.ubuntu-software-local-file
> 5 profiles are in complain mode.
>    snap.certbot.certbot
>    snap.certbot.hook.configure
>    snap.certbot.hook.prepare-plug-plugin
>    snap.certbot.renew
>    snap.gradle.gradle
> 0 profiles are in kill mode.
> 0 profiles are in unconfined mode.
> 0 processes have profiles defined.
> 0 processes are in enforce mode.
> 0 processes are in complain mode.
> 0 processes are unconfined but have a profile defined.
> 0 processes are in mixed mode.
> 0 processes are in kill mode.
>
> Thanks,
> Shawn

Thanks,
Christoph
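An added example, not from this thread nor from haproxy or acme.sh: a POSIX shell script that checks certificate material before handing it to haproxy, for both layouts discussed above (one combined PEM, or fullchain.pem with a fullchain.pem.key sidecar under `crt <dir>`), and works the same for EC and RSA keys. It assumes only the openssl CLI; the demo key pairs it generates are constructed throwaway material, and the script name is hypothetical.

```sh
#!/bin/sh
# Sanity checks for haproxy certificate material, covering both layouts from
# the thread: one combined PEM (chain followed by key) or, with "crt <dir>",
# fullchain.pem plus a sidecar fullchain.pem.key. Needs the openssl CLI only.

# Summarise the PEM blocks of a file: certificate count, private-key count and
# the key's PEM label, e.g. "certs=2 keys=1 label=EC PRIVATE KEY".
pem_summary() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    label=$(sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p' "$1" | head -n 1)
    echo "certs=$certs keys=$keys label=${label:-none}"
}

# Exit 0 when the public key inside certificate file $1 equals the public half
# of private key file $2 (RSA or EC alike). Both arguments may be the same
# combined file: openssl x509 reads its first CERTIFICATE block, openssl pkey
# its private key block. Exit 2 if either file cannot be parsed, 1 on mismatch.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed demo material (throwaway self-signed certs), written into dir $1:
# an EC P-256 pair like acme.sh's default and an RSA 2048 pair like --keylength 2048.
make_demo_material() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$1/ec.key" -out "$1/ec.crt" -days 1 -subj "/CN=demo.invalid" 2>/dev/null
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/rsa.key" -out "$1/rsa.crt" -days 1 -subj "/CN=demo.invalid" 2>/dev/null
    cat "$1/ec.crt" "$1/ec.key" > "$1/ec.combined.pem"   # the glued-together layout
}

# Usage: sh check_haproxy_cert.sh /etc/haproxy/certs/fullchain.pem [/etc/haproxy/certs/fullchain.pem.key]
# With a single argument the file is treated as a combined PEM.
if [ $# -ge 1 ]; then
    pem_summary "$1"
    if cert_matches_key "$1" "${2:-$1}"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: mismatch or unreadable PEM; haproxy will reject this material"; exit 1
    fi
fi
```

Run it against the files before `reload`, so a key/certificate mismatch or a stray block shows up here rather than as an opaque error from `show ssl cert`.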