I requested a reissue of a GeoTrust certificate in light of the Heartbleed bug. We're using HAProxy 1.5-dev22
with OpenSSL enabled. I've updated OpenSSL on all affected instances.
The PEM that HAProxy requires is a concatenated version of the certificate, the intermediate certificates and the private key:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
I can validate this PEM with OpenSSL:
$ openssl verify -CAfile my_app.pem my_app.pem
my_app.pem: OK
And then configure HAProxy:
...snip...
bind *:443 ssl crt /etc/ssl/certs/my_app.pem ca-file /etc/ssl/certs/my_app.pem
...snip...
And then start HAProxy:
$ sudo service haproxy start
* Starting haproxy haproxy
[ALERT] 098/142005 (13287) : parsing [/etc/haproxy/haproxy.cfg:16] : 'bind *:443' : inconsistencies between private key and certificate loaded from PEM file '/etc/ssl/certs/my_app.pem'.
[ALERT] 098/142005 (13287) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 098/142005 (13287) : Proxy 'secure': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:16] (use 'crt').
[ALERT] 098/142005 (13287) : Fatal errors found in configuration.
...fail!
I've done the reissue twice now and both times OpenSSL can validate the PEM. However, HAProxy can't seem to read this PEM. I've also recompiled HAProxy with the latest source but the issue still persists.
If I revert to the previous PEM, HAProxy starts without errors.
Disregarding HAProxy for a second, according to this site, I can validate if a certificate/private key match:
(openssl x509 -noout -modulus -in my_app.crt | openssl md5 ; openssl rsa -noout -modulus -in my_app.key | openssl md5) | uniq
And when I run it after downloading the CRT from GeoTrust, the output is two separate values. According to that site, if they matched only one hash would be returned.
Wow. A detail that I omitted was that we purchase/re-issue our certificate through a reseller (Namecheap). I had requested a certificate re-issue 3 times today because I thought I was doing something funky. I called GeoTrust and asked about my requests. The guy on the phone checked all 3 CSRs that I had sent and all 3 were different than the CSR files I sent today. He suggested we try to do the reissue directly through GeoTrust. Sure enough, it worked and the modulus check returned one value and matched! I then generated the new PEM from the CRT/Intermediate CA CRT/Private Key and HAProxy now starts without any issues!
He thinks it might be an issue where Namecheap is sending out incorrect CSRs from previous instances on our account (he has seen that before).
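The gap the post runs into is that `openssl verify -CAfile bundle bundle` only checks the certificate chain; it never looks at the private key, so a bundle whose leaf was issued against someone else's CSR still says "OK" while HAProxy refuses it. The script below is an added example (not code from the asker or from HAProxy) that checks a HAProxy-style bundle the way HAProxy does, by confirming that the first certificate and the private key in the same file belong together. It goes slightly beyond the RSA-only modulus comparison in the post by comparing the SubjectPublicKeyInfo from both halves, which also works for EC keys. It assumes the `openssl`, `sed` and `mktemp` commands are on PATH, assumes the bundle layout from the post (leaf certificate first, private key last), and builds its own throwaway key pairs as constructed fixtures; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): does the leaf certificate in a
# HAProxy-style PEM bundle actually belong to the private key in that bundle?
# Assumes openssl, sed and mktemp are available. All key material is generated
# on the fly and thrown away.

# Print the private key block from a concatenated bundle, whatever its label
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY).
bundle_private_key() {
  sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1"
}

# Return 0 if the first certificate in the bundle (the leaf, which is what
# HAProxy serves) was issued for the private key in the same bundle.
# Comparing the PEM SubjectPublicKeyInfo works for RSA and EC keys alike,
# unlike the RSA-only modulus hash.
pem_key_matches_cert() {
  bundle="$1"
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(bundle_private_key "$bundle" | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The chain check from the post: this is all `openssl verify` looks at, and it
# passes or fails independently of which private key is in the file.
bundle_chain_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Constructed fixtures: a self-signed certificate for key A, bundled once with
# key A (good.pem) and once with an unrelated key B (bad.pem, the situation a
# certificate issued against a stale CSR produces). Prints the fixture dir.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/a.key" -out "$dir/a.crt" \
    -subj "/CN=my_app.example" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/b.key" >/dev/null 2>&1
  cat "$dir/a.crt" "$dir/a.key" > "$dir/good.pem"
  cat "$dir/a.crt" "$dir/b.key" > "$dir/bad.pem"
  echo "$dir"
}

# Run both checks over both bundles and report, then clean up.
demo() {
  dir=$(make_fixtures)
  for f in good.pem bad.pem; do
    if bundle_chain_verifies "$dir/$f"; then chain=OK; else chain=FAIL; fi
    if pem_key_matches_cert "$dir/$f"; then key=match; else key=MISMATCH; fi
    echo "$f: chain=$chain key/cert=$key"
  done
  rm -rf "$dir"
}

demo
```

Running it prints one line per bundle; the chain column is the same for both files because the certificate and issuer are identical, and only the key/cert column tells them apart, which is the distinction HAProxy's "inconsistencies between private key and certificate" alert is making. To check a real bundle, call `pem_key_matches_cert /etc/ssl/certs/my_app.pem` and look at the exit status.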