Unable to load SSL private key from PEM file
Hi,

I'm trying to get haproxy 1.5 dev18 to load my production certificate (it is working fine with a self-signed one). And I'm getting this error:

[ALERT] 112/151354 (11224) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind ip:443' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/prodcrt.pem'.
[ALERT] 112/151354 (11224) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 112/151354 (11224) : Proxy 'https-in': no SSL certificate specified for bind 'ip:443' at [/etc/haproxy/haproxy.cfg:69] (use 'crt').
[ALERT] 112/151354 (11224) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

This cert is an EV multidomain one from Digicert and uses an intermediate cert. I made the PEM file by concatenating all the keys and certs like this:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----

I'm using the identical PEM file successfully with vsftpd and I've also tested it with Apache mod_ssl where it also worked fine. So why is haproxy giving me this error? How can I debug this issue?

Thanks,
Tim

--
Tim Verhoeven - tim.verhoeven...@gmail.com - 0479 / 88 11 83
Hoping the problem magically goes away by ignoring it is the microsoft approach to programming and should never be allowed. (Linus Torvalds)
Re: Unable to load SSL private key from PEM file
Thanks for the feedback. I've got it working by splitting the cert key from the root and intermediate CAs like this:

bind ip:443 ssl crt /etc/pki/tls/certs/domain.pem ca-file /etc/pki/tls/certs/domain.ca.pem

Now HAProxy is working nicely with SSL :D

Thanks,
Tim

On Tue, Apr 23, 2013 at 7:19 PM, Ian Scott isc...@chippath.com wrote:
> On 04/23/2013 06:31 AM, Tim Verhoeven wrote:
>> Hi,
>>
>> I'm trying to get haproxy 1.5 dev18 to load my production certificate (it is working fine with a self-signed one). And I'm getting this error:
>>
>> [ALERT] 112/151354 (11224) : parsing [/etc/haproxy/haproxy.cfg:69] : 'bind ip:443' : unable to load SSL private key from PEM file '/etc/pki/tls/certs/prodcrt.pem'.
>> [ALERT] 112/151354 (11224) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
>> [ALERT] 112/151354 (11224) : Proxy 'https-in': no SSL certificate specified for bind 'ip:443' at [/etc/haproxy/haproxy.cfg:69] (use 'crt').
>> [ALERT] 112/151354 (11224) : Fatal errors found in configuration.
>> Errors in configuration file, check with haproxy check.
>>
>> This cert is an EV multidomain one from Digicert and uses an intermediate cert. I made the PEM file by concatenating all the keys and certs like this:
>>
>> -----BEGIN RSA PRIVATE KEY-----
>> -----END RSA PRIVATE KEY-----
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> -----BEGIN INTERMEDIATE CERTIFICATE-----
>> -----END INTERMEDIATE CERTIFICATE-----
>> -----BEGIN ROOT CERTIFICATE-----
>> -----END ROOT CERTIFICATE-----
>
> The private key should go after your certificate, not before. The rest of your order is OK. So:
>
> cat mycrt.pem mykey.pem intermediate.pem root.pem > combined.pem
>
> Ian

--
Tim Verhoeven - tim.verhoeven...@gmail.com - 0479 / 88 11 83
Hoping the problem magically goes away by ignoring it is the microsoft approach to programming and should never be allowed. (Linus Torvalds)
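The two posts above describe the same bundle in two layouts: the failing one (key first, followed by three certificate blocks, two of them under "INTERMEDIATE CERTIFICATE" and "ROOT CERTIFICATE" labels that OpenSSL does not recognise as PEM labels) and the working one (leaf certificate plus key in the crt file). The script below is an added example, not code from the thread or from HAProxy itself: it parses a concatenated PEM file, checks that every block has a label OpenSSL can load and a base64 body, and rewrites the bundle into the layout HAProxy's crt expects, leaf certificate, then its private key, then the intermediates. The sample bundle is constructed with placeholder base64 bodies rather than real DER, and the first CERTIFICATE block is assumed to be the leaf.

```python
import base64
import binascii
import re

# One PEM block. The backreference forces the BEGIN and END labels to agree,
# so a block whose END label was mangled is simply not matched (and reported
# as missing, rather than silently passed through to OpenSSL).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Labels OpenSSL (and therefore HAProxy) accepts for a private key.
KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}
CERT_LABEL = "CERTIFICATE"


def parse_pem(text):
    """Return [(label, block_text), ...] for every well-formed PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block body is not valid base64: {exc}")
        blocks.append((label, m.group(0)))
    return blocks


def layout(text):
    """Just the sequence of block labels, handy for eyeballing a bundle."""
    return [label for label, _ in parse_pem(text)]


def build_haproxy_crt(text):
    """Reorder a concatenated bundle into: leaf cert, private key, intermediates.

    Assumption: the first CERTIFICATE block is the leaf; remaining CERTIFICATE
    blocks are kept in the order given (a trailing root is harmless but not
    needed in the chain HAProxy sends).
    """
    blocks = parse_pem(text)
    keys = [b for label, b in blocks if label in KEY_LABELS]
    certs = [b for label, b in blocks if label == CERT_LABEL]
    foreign = sorted({label for label, _ in blocks
                      if label not in KEY_LABELS and label != CERT_LABEL})
    if foreign:
        raise ValueError(f"unknown PEM labels, OpenSSL will not load them: {foreign}")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    ordered = [certs[0], keys[0]] + certs[1:]
    return "\n".join(ordered) + "\n"


def check_bundle(text):
    """None if build_haproxy_crt accepts the bundle, else the reason it rejects it."""
    try:
        build_haproxy_crt(text)
    except ValueError as exc:
        return str(exc)
    return None


def _fake_block(label, payload):
    """Constructed placeholder block for the demo; real PEM bodies are DER, these are not."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


# Constructed sample in the order of the failing post: key first, then certs.
SAMPLE_BUNDLE = "\n".join([
    _fake_block("RSA PRIVATE KEY", b"placeholder key bytes"),
    _fake_block("CERTIFICATE", b"placeholder leaf certificate"),
    _fake_block("CERTIFICATE", b"placeholder intermediate CA certificate"),
    _fake_block("CERTIFICATE", b"placeholder root CA certificate"),
]) + "\n"

# Constructed sample using a label that is not a PEM label at all.
BAD_BUNDLE = "\n".join([
    _fake_block("CERTIFICATE", b"placeholder leaf certificate"),
    _fake_block("RSA PRIVATE KEY", b"placeholder key bytes"),
    _fake_block("INTERMEDIATE CERTIFICATE", b"placeholder intermediate"),
]) + "\n"


if __name__ == "__main__":
    print("input layout: ", layout(SAMPLE_BUNDLE))
    print("fixed layout: ", layout(build_haproxy_crt(SAMPLE_BUNDLE)))
    print("bad bundle:   ", check_bundle(BAD_BUNDLE))
```

Two caveats worth knowing beyond what the thread says. On a bind line, `ca-file` names the CAs HAProxy uses to verify client certificates (together with `verify`); it is not the chain presented to browsers, so the intermediates belong in the crt file after the key, which is the layout the script produces. And a bundle that parses cleanly can still pair the wrong key with the certificate: compare `openssl x509 -noout -modulus -in domain.pem | openssl md5` with `openssl rsa -noout -modulus -in domain.pem | openssl md5` before deploying, and keep the crt file mode 0600, since it carries the private key.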
Chaining haproxy instances for a migration scenario
Hello everyone,

I'm mostly passive on this list but a happy haproxy user for more than 2 years. Now, we are going to migrate our platform to a new provider (and new hardware) in the coming months and I'm looking for a way to avoid a one-shot migration.

So I've been doing some googling and it should be possible to use the proxy protocol to send traffic from one haproxy instance (at the old site) to another haproxy instance (at the new site). Then at the new site the haproxy instance there would just accept the traffic as if it came from the internet directly. Is that how it works? Is that possible? Ideally the traffic between the 2 haproxy instances would be encrypted with TLS to avoid having to set up a VPN.

Now I haven't found any examples of this kind of setup, so any pointers on how to set this up would be really appreciated.

Thanks,
Tim
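The setup sketched above is exactly what HAProxy supports: the old-site instance forwards to a `server` line carrying `ssl` (ideally with `verify required` and a `ca-file`, so the tunnel to the new site is authenticated and not merely encrypted) plus `send-proxy-v2`, and the new-site instance terminates it on a `bind` line with `ssl crt ...` and `accept-proxy`, after which the connection looks to that instance as though the original client had connected directly. What actually travels first on each relayed connection is a PROXY protocol v2 header carrying the client's addresses. The code below is an added example, not from the thread or from HAProxy, that builds and parses that header so you can see what the new site is trusting; the addresses used are documentation-range values chosen here.

```python
import socket
import struct

# Constants from the PROXY protocol v2 specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12 bytes that are never valid HTTP or TLS
PP2_VERSION = 0x2
PP2_CMD_LOCAL = 0x0          # sender's own connection (health checks), no client address
PP2_CMD_PROXY = 0x1          # relayed connection, client addresses follow
PP2_AF_INET_STREAM = 0x11    # TCP over IPv4
PP2_AF_INET6_STREAM = 0x21   # TCP over IPv6


def build_proxy_v2(src_ip, dst_ip, src_port, dst_port):
    """Encode the header that send-proxy-v2 prepends for one relayed TCP connection."""
    for family, code in ((socket.AF_INET, PP2_AF_INET_STREAM),
                         (socket.AF_INET6, PP2_AF_INET6_STREAM)):
        try:
            src = socket.inet_pton(family, src_ip)
            dst = socket.inet_pton(family, dst_ip)
        except OSError:
            continue  # not this family, try the next one
        addrs = src + dst + struct.pack("!HH", src_port, dst_port)
        return (PP2_SIGNATURE
                + bytes([(PP2_VERSION << 4) | PP2_CMD_PROXY, code])
                + struct.pack("!H", len(addrs))
                + addrs)
    raise ValueError("src and dst must both be IPv4 or both be IPv6")


def parse_proxy_v2(data):
    """Decode what accept-proxy consumes.

    Returns ((src, dst, sport, dport) or None, payload); None means a LOCAL
    command with no client address. Raises ValueError on anything malformed,
    which is what a listener must do instead of quietly falling back to the
    transport peer's address.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, family = data[12], data[13]
    length = struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, payload = data[16:16 + length], data[16 + length:]
    cmd = ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        return None, payload
    if cmd != PP2_CMD_PROXY:
        raise ValueError("unknown PROXY protocol command")
    if family == PP2_AF_INET_STREAM:
        alen, af = 4, socket.AF_INET
    elif family == PP2_AF_INET6_STREAM:
        alen, af = 16, socket.AF_INET6
    else:
        raise ValueError("unsupported address family / transport")
    need = 2 * alen + 4
    if length < need:
        raise ValueError("address block shorter than the family requires")
    src = socket.inet_ntop(af, body[:alen])
    dst = socket.inet_ntop(af, body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:need])
    # Anything after `need` is optional TLVs (e.g. TLS details); ignored here.
    return (src, dst, sport, dport), payload


def is_proxy_v2(data):
    """True if data starts with a complete, well-formed v2 header."""
    try:
        parse_proxy_v2(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed: what the old site sends for a client 203.0.113.7 that hit it on :443.
    header = build_proxy_v2("203.0.113.7", "198.51.100.2", 51234, 443)
    info, rest = parse_proxy_v2(header + b"\x16\x03\x01")  # TLS record follows the header
    print(header.hex(), info, rest)
```

The security point of the header is that the receiver trusts it as-is: anyone who can reach an `accept-proxy` listener can claim any client address, and every log line, ACL and stick table downstream will believe it. HAProxy's `tcp-request connection` rules are the one place that still sees the real transport peer, so restricting the header to the old site with `tcp-request connection expect-proxy layer4 if { src 192.0.2.10 }` (with 192.0.2.10 standing in for the old-site address) on the new-site frontend, or a firewall rule to the same effect, is what keeps the migration path from becoming an IP-spoofing path.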
What to look out for when going from 1.6 to 1.8?
Hello all,

We have been running the 1.6 branch of HAProxy, without any issues, for a while now. And reading the updates around 1.8 here in the mailing list it looks like it's time to upgrade to this branch. So I was wondering if there are any things I need to look out for when doing this upgrade?

We are not doing anything special with HAProxy (I think). We run it as a single process, we use SSL/TLS termination, some ACLs and a bunch of backends. We only use HTTP 1.1 and TCP connections.

From what I've been able to gather my current config will work just as well with 1.8. But some extra input from all the experts here is always appreciated.

Thanks,
Tim