HAProxy with HTTPS (TLS/SSL)
Published 2015-8-17
HAProxy supports Server Name Indication (SNI) and multiple certificates, but it's picky about how you load the certificate files. I'm going to try to figure that out.
I found the crt and crt-list documentation to be a bit terse, so here's what you need to do if you want haproxy to love you.
Let's say you got your free certificates from Let's Encrypt:
# Go into the directory with your certificates
pushd /etc/letsencrypt/live/www.example.com/
# create a directory in the haproxy config dir for certs to go
sudo mkdir -p /etc/haproxy/certs/
# concatenate the cert, chain, and private key (in that order) into a single pem
sudo cat cert.pem chain.pem privkey.pem | sudo tee /etc/haproxy/certs/www.example.com.pem
This assumes the following:
cert.pem
contains only your certificate, nothing else
chain.pem
contains whatever intermediate certificate(s) you may have
privkey.pem
contains your private key
In your haproxy.cfg you would add lines like these:
frontend foo_ft_https
    mode http
    option httplog
    # haproxy reads the server cert, the chain and the key from this one pem file;
    # with several 'crt' entries it picks the one whose CN/SAN matches the client's SNI
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/www.example.com.pem
    use_backend foo_bk_https

backend foo_bk_https
    mode http
    # 'option httplog' only applies to defaults/frontend sections, so it is not repeated here
    server foo_srv_sslh 0.0.0.0:3000
crt-list is so simple that it's hard to find an example of its usage. Luckily I got a reply with a crt-list usage example almost immediately on the mailing list.
/etc/haproxy/crt-list.txt
# each line is: <certificate pem> [<sni filter> ...]  (the certificate path comes first)
/etc/haproxy/certs/www.example.com.pem www.example.com
/etc/haproxy/certs/example.com.pem example.com
/etc/haproxy/certs/www.example.net.pem www.example.net
/etc/haproxy/certs/example.net.pem example.net
And you would use it like this:
frontend foo_ft_https
    mode http
    option httplog
    # every certificate in the list is loaded; SNI selects among them
    # (a 'mode tcp' frontend could not hand off to the 'mode http' backend above)
    bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt
    use_backend foo_bk_https
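As an added example (not code from the post or from the HAProxy project), here is a small Python model of the certificate lookup that a crt-list drives: parse lines of the form `<certfile> [<sni filter> ...]`, then answer "which certificate does haproxy present for this SNI name?". The precedence rules follow the haproxy documentation: an exact filter beats a wildcard, `*.example.net` stands for exactly one DNS label, a `!name` filter takes a name away from its entry's wildcard, and the first certificate in the list is the default when there is no SNI or no match. The crt-list text and certificate paths below are constructed; the resolver does not open the certificate files, so entries without filters only ever serve as the default.

```python
"""Resolve which certificate a haproxy crt-list selects for a given SNI name."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CrtListEntry:
    certfile: str
    filters: List[str] = field(default_factory=list)   # names and '*.' wildcards
    excludes: List[str] = field(default_factory=list)  # '!name' negative filters


def parse_crt_list(text: str) -> List[CrtListEntry]:
    """Parse crt-list lines of the form '<certfile> [<sni filter> ...]'."""
    entries: List[CrtListEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        certfile, *filters = line.split()
        entry = CrtListEntry(certfile)
        for item in filters:
            if item.startswith("!"):
                entry.excludes.append(item[1:].lower())
            else:
                entry.filters.append(item.lower())
        entries.append(entry)
    return entries


def sni_matches(pattern: str, name: str) -> bool:
    """Exact match, or a leading '*.' standing for exactly one DNS label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # '.example.net'
        if not name.endswith(suffix):
            return False
        label = name[: -len(suffix)]            # what the '*' would cover
        return bool(label) and "." not in label
    return pattern == name


def resolve_sni(entries: List[CrtListEntry], sni: Optional[str]) -> Optional[str]:
    """Certificate path haproxy would present for this SNI (None if list is empty).

    An exact filter anywhere in the list wins over a wildcard; an excluded name
    never matches its entry; no SNI or no match falls back to the first
    certificate in the list, which is haproxy's default certificate.
    """
    if not entries:
        return None
    if sni is None:
        return entries[0].certfile
    name = sni.lower().rstrip(".")              # SNI comparison is case-insensitive
    wildcard_hit: Optional[str] = None
    for entry in entries:
        if any(sni_matches(x, name) for x in entry.excludes):
            continue
        for pattern in entry.filters:
            if pattern == name:
                return entry.certfile
            if wildcard_hit is None and sni_matches(pattern, name):
                wildcard_hit = entry.certfile
    return wildcard_hit or entries[0].certfile


# Constructed crt-list for the demonstration; the paths are placeholders.
CRT_LIST = """\
# <certfile> [<sni filter> ...]
/etc/haproxy/certs/www.example.com.pem www.example.com example.com
/etc/haproxy/certs/wild.example.net.pem *.example.net !secret.example.net
/etc/haproxy/certs/example.net.pem example.net
"""

if __name__ == "__main__":
    entries = parse_crt_list(CRT_LIST)
    for sni in ("www.example.com", "mail.example.net", "secret.example.net", None):
        print(sni, "->", resolve_sni(entries, sni))
```

Running the script shows the fall-through behaviour worth knowing when a client is offered an unexpected certificate: a name removed by a negative filter, or a name two labels deep under a wildcard, silently gets the default (first) certificate rather than an error.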
inconsistencies between private key and certificate
This is one of the errors you get if you concatenate your files in the wrong order.
[ALERT] 229/003448 (11255) : parsing [/etc/haproxy/haproxy.cfg:78] : 'bind 0.0.0.0:443' : inconsistencies between private key and certificate loaded from PEM file '/etc/haproxy/certs/servers/www.example.com/haproxy.pem'.
[ALERT] 229/003448 (11255) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 229/003448 (11255) : Proxy 'foo_ft_pvpn': no SSL certificate specified for bind '0.0.0.0:443' at [/etc/haproxy/haproxy.cfg:78] (use 'crt').
[ALERT] 229/003448 (11255) : Fatal errors found in configuration.
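The concatenation step above and this error are two sides of the same check, so here is one added example (my own code, not the post's or the HAProxy project's) that builds the bundle in the expected order and then validates it before haproxy ever sees it. The layout check only looks at the PEM labels; if they pass, the bundle is loaded through Python's stdlib `ssl` module, which uses the same OpenSSL calls haproxy does, so the first certificate in the file is the one the private key is checked against. A chain certificate placed ahead of the server certificate therefore fails here with OpenSSL's key mismatch error, the same condition haproxy reports as "inconsistencies between private key and certificate". The PEM texts used to exercise it are constructed and not real keys or certificates.

```python
"""Build and sanity-check a haproxy PEM bundle (server cert, chain, private key)."""
import re
import ssl
import sys
import tempfile
from typing import List

# One PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of the PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(cert_pem: str, chain_pem: str, key_pem: str) -> str:
    """Concatenate in the order haproxy wants: server cert, intermediates, key."""
    parts = [p.strip() for p in (cert_pem, chain_pem, key_pem) if p.strip()]
    return "\n".join(parts) + "\n"


def check_bundle(text: str) -> List[str]:
    """Return the problems found in a bundle; an empty list means it loads cleanly.

    Layout problems are reported from the PEM labels alone. If the layout is
    right, OpenSSL is asked to load the file exactly as haproxy would: the
    first certificate is paired with the private key, and a mismatch (for
    example chain.pem concatenated before cert.pem) is reported as a problem.
    """
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    problems: List[str] = []
    if labels[0] != "CERTIFICATE":
        problems.append(f"first block is '{labels[0]}', expected the server CERTIFICATE")
    key_count = sum(1 for label in labels if label in KEY_LABELS)
    if key_count != 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    if problems:
        return problems
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write(text)
        tmp.flush()
        try:
            # certificate, chain and key are all read from the single file
            ctx.load_cert_chain(tmp.name)
        except OSError as exc:           # ssl.SSLError is a subclass of OSError
            problems.append(f"OpenSSL rejected the bundle: {exc}")
    return problems


if __name__ == "__main__":
    # usage: python3 check_bundle.py cert.pem chain.pem privkey.pem > www.example.com.pem
    cert, chain, key = (open(p, encoding="ascii").read() for p in sys.argv[1:4])
    bundle = build_bundle(cert, chain, key)
    found = check_bundle(bundle)
    for problem in found:
        print("problem:", problem, file=sys.stderr)
    if found:
        sys.exit(1)
    sys.stdout.write(bundle)
```

Used in place of the bare `cat ... | tee`, the script refuses to emit a bundle haproxy would reject, so the alert never reaches the config check in the first place.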
By AJ ONeal