I have a CentOS 7 server with HAProxy 1.6 as front and Apache 2.4 as back.
I am trying to load the SSL certificates in HAProxy, however it expects a .pem
file.
I have got the following files from Comodo:
- cabundle.crt
- certificate.crt
- certificate.key
- certificate.p7b
And tried to merge the certificate.crt and certificate.key:
cat certificate.crt certificate.key > haproxy1.pem
This works so far, however I get a regular Chain Issues error.
Also tried to merge cabundle.crt, certificate.crt and certificate.key into one .pem file. But this gives me an SSL handshake failure in the HAProxy log.
How to get this working correctly?
File contents
cabundle.crt
-----BEGIN CERTIFICATE-----
hash
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
hash
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
hash
-----END CERTIFICATE-----
certificate.crt
-----BEGIN CERTIFICATE-----
hash
-----END CERTIFICATE-----
certificate.key
-----BEGIN PRIVATE KEY-----
hash
-----END PRIVATE KEY-----
haproxy.cfg
frontend public
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/private/
Fixed this by doing the following:
My ISP gives me a decrypted private key if I provide the passphrase, but this gives me a different result than when I decrypt it myself using openssl.
So I downloaded the encrypted version and decrypted it myself using the passphrase:
This gives me a file starting with -----BEGIN RSA PRIVATE KEY----- instead of -----BEGIN PRIVATE KEY----- from the ISP and a different base64 content.
Also, apparently the cabundle.crt includes a root certificate (this first block), which is not necessary, so I removed this one.
Next, I merged these files together:
Also specified it directly in the haproxy.cfg file, to prevent loading the wrong file:
I'm still getting a Chain Issues: Incorrect order warning from SSLLabs, but it's working nevertheless, so it doesn't really bother me.
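One way to assemble the file with the chain in leaf-first order and the self-signed root left out, as an added example that is not part of the original post. It assumes the file names from the question, matches issuer to subject by comparing the raw DER Names byte-for-byte (an approximation of RFC 5280 name matching), and does not verify signatures or that the key belongs to the certificate.

```python
import base64, os, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert_pem):
    """Return the raw DER issuer and subject Names of one PEM certificate."""
    der = base64.b64decode(PEM_RE.search(cert_pem).group(2))
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    fields = []
    while len(fields) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def build_haproxy_pem(leaf_pem, bundle_pem, key_pem):
    """Emit leaf, then each issuer in turn (root dropped), then the private key."""
    key = next((m for m in PEM_RE.finditer(key_pem)
                if m.group(1).endswith("PRIVATE KEY")), None)
    # The key must already be decrypted: reject PKCS#8 and legacy encrypted PEM.
    if key is None or key.group(1).startswith("ENCRYPTED") or "Proc-Type:" in key.group(0):
        raise ValueError("need an unencrypted private key")
    by_subject = {issuer_subject(m.group(0))[1]: m.group(0)
                  for m in PEM_RE.finditer(bundle_pem) if m.group(1) == "CERTIFICATE"}
    chain = [PEM_RE.search(leaf_pem).group(0)]
    issuer, subject = issuer_subject(chain[0])
    while issuer != subject and issuer in by_subject:
        nxt = by_subject.pop(issuer)       # pop() guarantees termination on loops
        issuer, subject = issuer_subject(nxt)
        if issuer != subject:              # self-signed root: clients already hold it
            chain.append(nxt)
    return "\n".join(chain + [key.group(0)]) + "\n"

if __name__ == "__main__":                 # file names as given in the question
    read = lambda path: open(path).read()
    pem = build_haproxy_pem(read("certificate.crt"), read("cabundle.crt"), read("certificate.key"))
    fd = os.open("haproxy1.pem", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # holds the key
    with os.fdopen(fd, "w") as out:
        out.write(pem)
```

If the bundle holds two certificates with the same subject (cross-signed intermediates), only the last one is considered.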