Haproxy ssl configuration - install root and intermediate certificate

Question

After to much googling, i finally made my haproxy ssl to works. But now i got problem because root and intermediate certificate is not installed so my ssl don`t have green bar.

My haproxy config

global
      maxconn     4096 
      nbproc      1
      #debug
      daemon
      log         127.0.0.1    local0

  defaults
      mode        http
      option      httplog
      log         global
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

  frontend unsecured
      bind 192.168.0.1:80
      timeout     client 86400000
      reqadd X-Forwarded-Proto:\ http
      default_backend      www_backend

  frontend  secured
  mode http
   bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem
   reqadd X-Forwarded-Proto:\ https
  default_backend www_backend

  backend www_backend
      mode        http
      balance     roundrobin
      #cookie      SERVERID insert indirect nocache
      #option      forwardfor
      server      server1 192.168.0.2:80  weight 1 maxconn 1024 check
      server      server2 192.168.0.2:80  weight 1 maxconn 1024 check

192.168.0.1 is my load balancer ip. /etc/haproxy/cert.pem contain private key and domain certificate eg. www.domain.com

There is another question with ssl configuration, which include bundle.crt. When i contacted my ssl support, they told me i need to install root and intermediate certificate.

From Comodo Documentation, creating bundle is simple as merging their crt, which i made.

But when i try to reconfig my haproxy config as

bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem ca-file /path/to/bundle.crt

Im getting error that i cant use that config parameter on bind.

p.s im using 1.5 dev12 version. With latest dev17 version i had problems even starting haproxy as on this post

enter image description here

You should [disable SSLv3](http://blog.haproxy.com/2014/10/15/haproxy-and-sslv3-poodle-vulnerability/) with `bind 192.168.0.1:443 ssl crt /etc/haproxy/cert.pem ca-file /path/to/bundle.crt no-sslv3` — Alexander Farber, Dec 15 '16 at 11:57

kvz · Accepted Answer · 2017-09-04T18:18:43.760

38

It looks like you'll need to recompile like so:

make clean
make \
    TARGET="linux26" \
    USE_STATIC_PCRE=1 \
    USE_OPENSSL=1
make install PREFIX="/opt/haproxy"

After that, bind should recognise your crt option. In my case, I used:

bind 0.0.0.0:443 ssl crt /envs/production/ssl/haproxy.pem

I concatenated all ssl files into 1 big file in the order certificate chain, private key. e.g.:

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Restart, and test with openssl s_client -connect 127.0.0.1:443 -servername www.transloadit.com |head.

It should return the correct certificate information.

Edit: I just found this tutorial via HackerNews: https://serversforhackers.com/c/using-ssl-certificates-with-haproxy. Thought it would be useful to add as it goes into more detail.

edited Sep 04 '17 at 18:18

answered Mar 06 '13 at 14:18

kvz

5,517
1
42
33

ill try, but can you tell me my certs order, https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1209 – Novkovski Stevo Bato Mar 06 '13 at 18:09
It isn't necessary to send the root certificate as either the client has it in its trust store, or it won't be trusted. – Jason Martin Jul 26 '16 at 21:54
@kvz the link is no longer available – carla Sep 04 '17 at 14:28
@carla thanks, updated https://serversforhackers.com/c/using-ssl-certificates-with-haproxy – kvz Sep 04 '17 at 18:18
@kvz why do we have intermediate certificate twice? – Jordan Borisov Feb 04 '22 at 13:00
1

@JordanBorisov to indicate you can have many intermediates – kvz Feb 07 '22 at 19:42

score 0 · Answer 2 · answered Oct 27 '13 at 16:08

Sorry I am not sure which version of haproxy is the USE_OPENSSL option available ... I cant find that option in my codebase is V 1.4.24

Valid USE_* options are the following. Most of them are automatically set by
# the TARGET, others have to be explictly specified :
#   USE_CTTPROXY         : enable CTTPROXY on Linux (needs kernel patch).
#   USE_DLMALLOC         : enable use of dlmalloc (see DLMALLOC_SRC) patch).
#   USE_EPOLL            : enable epoll() on Linux 2.6. Automatic. patch).
#   USE_GETSOCKNAME      : enable getsockname() on Linux 2.2. Automatic. patch).
#   USE_KQUEUE           : enable kqueue() on BSD. Automatic. patch).
#   USE_MY_EPOLL         : redefine epoll_* syscalls. Automatic. patch).
#   USE_NETFILTER        : enable netfilter on Linux. Automatic.patch).
#   USE_PCRE             : enable use of libpcre for regex. Recommended.patch).
#   USE_POLL             : enable poll(). Automatic.patch).
#   USE_REGPARM          : enable regparm optimization. Recommended on x86.patch).
#   USE_SEPOLL           : enable speculative epoll(). Automatic.patch).
#   USE_STATIC_PCRE      : enable static libpcre. Recommended.patch).
#   USE_TPROXY           : enable transparent proxy. Automatic. patch).
#   USE_LINUX_TPROXY     : enable full transparent proxy. Automatic. patch).
#   USE_LINUX_SPLICE     : enable kernel 2.6 splicing. Automatic. patch).
#   USE_LIBCRYPT         : enable crypted passwords using -lcrypt patch).
#   USE_CRYPT_H          : set it if your system requires including crypt.h

try 1.5+ version not 1.4+. However 1.5 is still "dev" version, but its works fine for me in production — Novkovski Stevo Bato, Oct 27 '13 at 17:26

Haproxy ssl configuration - install root and intermediate certificate

2 Answers2