On 11/12/2023 02:37, Christoph Kukulies wrote:
> what the inadvertently publicly disclosing my private key is concerned:
> I obfuscated the excerpts of my .pem file by putting XXXXXX into the
> string. Destroying part of it would suffice, I think.
Up to you. I wouldn't trust it personally.
> What the actual issue is concerned: It looks like haproxy (2.8) can't
> cope with the type of the certificate. An ECC (256 bit) seems to be
> generated by the acme.sh challenge by default.
My certificate is also using 256 bit EC keys because that's what recent
versions of Lets Encrypt certbot provide by default, but my PEM file
does not actually say "EC" like yours does, and haproxy works with it
perfectly, including the "show" command with the socket. The weird
problem with the file on a tmpfs filesystem is probably unrelated.
This is the line in /etc/fstab that creates the filesystem for /tmp:
tmpfs /tmp tmpfs size=4096m,mode=1777 0 1
Another test with interesting results:
I made a copy of the cert with identical permissions (in the same
directory) and made one change:
I changed "-----BEGIN PRIVATE KEY-----" and the matching END line to
include the "EC" that yours has. With that change, I get the exact
error that you are getting.
I would bet that if you removed the "EC" from your PEM file, it would
start working.
My haproxy is compiled with the quictls fork of openssl, version 3.1.4.
Thanks,
Shawn
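The experiment above (relabelling "-----BEGIN PRIVATE KEY-----" as "-----BEGIN EC PRIVATE KEY-----" and getting the same load error) comes down to the PEM label telling the parser which DER structure to expect: "PRIVATE KEY" is a PKCS#8 PrivateKeyInfo, "EC PRIVATE KEY" is a SEC1/RFC 5915 ECPrivateKey, and "RSA PRIVATE KEY" is PKCS#1. The following pure-Python checker is an added example, not code from the thread or from haproxy, acme.sh or certbot. It inspects the first elements inside the DER, reports the real format, and flags a label that does not match. The key bytes it builds are constructed fixtures (a 1..32 byte "scalar"), not real key material, and the tiny DER encoder exists only to build those fixtures.

```python
"""Check that the PEM label on a private key matches the DER structure inside it."""
import base64
import re


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, only used here to build constructed fixtures."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


OID_EC_PUBLIC_KEY = der(0x06, bytes.fromhex("2a8648ce3d0201"))    # 1.2.840.10045.2.1
OID_PRIME256V1 = der(0x06, bytes.fromhex("2a8648ce3d030107"))     # 1.2.840.10045.3.1.7
FAKE_SCALAR = bytes(range(1, 33))  # constructed 32-byte placeholder, not a real private key

# SEC1 (RFC 5915) ECPrivateKey: SEQUENCE { INTEGER 1, OCTET STRING d, [0] curve OID }
SEC1_DER = der(0x30, der(0x02, b"\x01") + der(0x04, FAKE_SCALAR) + der(0xA0, OID_PRIME256V1))
# PKCS#8 (RFC 5958) PrivateKeyInfo: SEQUENCE { INTEGER 0, AlgorithmIdentifier, OCTET STRING }
PKCS8_DER = der(0x30, der(0x02, b"\x00")
                + der(0x30, OID_EC_PUBLIC_KEY + OID_PRIME256V1)
                + der(0x04, SEC1_DER))

# Which PEM label each structure is supposed to carry.
EXPECTED_LABEL = {"PKCS#8": "PRIVATE KEY", "SEC1 EC": "EC PRIVATE KEY", "PKCS#1 RSA": "RSA PRIVATE KEY"}


def _skip_header(data: bytes, pos: int) -> int:
    """Return the offset just past the tag and length bytes that start at pos."""
    first = data[pos + 1]
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)


def classify_private_key_der(data: bytes) -> str:
    """Identify the private-key container from its first two elements."""
    if len(data) < 4 or data[0] != 0x30:          # every format is an outer SEQUENCE
        return "unknown"
    pos = _skip_header(data, 0)
    if data[pos] != 0x02:                         # followed by an INTEGER version
        return "unknown"
    vlen = data[pos + 1]
    if pos + 2 + vlen >= len(data):
        return "unknown"
    version = int.from_bytes(data[pos + 2:pos + 2 + vlen], "big")
    nxt = data[pos + 2 + vlen]                    # tag of the element after the version
    if version == 0 and nxt == 0x30:
        return "PKCS#8"                           # AlgorithmIdentifier SEQUENCE follows
    if version == 1 and nxt == 0x04:
        return "SEC1 EC"                          # raw private scalar OCTET STRING follows
    if version == 0 and nxt == 0x02:
        return "PKCS#1 RSA"                       # modulus INTEGER follows
    return "unknown"


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_pem(text: str):
    """Return (label, detected format, label matches) for each private-key block in a PEM bundle."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if not label.endswith("PRIVATE KEY"):
            continue                              # certificate / chain blocks are left alone
        fmt = classify_private_key_der(base64.b64decode(re.sub(r"\s+", "", body)))
        results.append((label, fmt, EXPECTED_LABEL.get(fmt) == label))
    return results


def pem_block(label: str, der_bytes: bytes) -> str:
    """Wrap DER bytes in a PEM block with the given label (64-column base64)."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed bundle shaped like the combined cert+key file from the thread;
    # the certificate block is a placeholder, not a real certificate.
    cert_placeholder = pem_block("CERTIFICATE", der(0x30, b""))
    original = cert_placeholder + pem_block("PRIVATE KEY", PKCS8_DER)
    relabelled = cert_placeholder + pem_block("EC PRIVATE KEY", PKCS8_DER)   # the edit described above
    for name, bundle in (("original", original), ("relabelled", relabelled)):
        for label, fmt, ok in check_pem(bundle):
            print(f"{name}: '{label}' contains {fmt} -> {'OK' if ok else 'LABEL MISMATCH'}")
```

Run it as a script to see the "original" bundle pass and the "relabelled" one flagged; pointing check_pem at the text of a real bundle tells you whether a failing haproxy load is a label/encoding mismatch before you start suspecting the filesystem or the key type.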