haproxy: inconsistencies between private key and certificate loaded from PEM file
I am trying to use a certificate signed for another server. I have both the private key and the certificate.

My PEM file order is:

subject=/C=***/L=*****/O=**********/CN=*********
issuer=/C=***/O=*****Inc/CN=********Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=******** Inc/CN=********* SHA2 Secure Server CA
issuer=/C=US/O=********* Inc/OU=*********/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=********* Inc/OU=***********/CN=*********** Global Root CA
issuer=/C=US/O=********* Inc/OU=************/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

When I tried to deploy it to my haproxy, I got this error.

[ALERT] 188/141626 (2322) : parsing [/etc/haproxy/haproxy.cfg:32] : 'bind *:443' : inconsistencies between private key and certificate loaded from PEM file ................
[ALERT] 188/141626 (2322) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 188/141626 (2322) : Proxy 'www-https': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:32] (use 'crt').
[ALERT] 188/141626 (2322) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

And my haproxy version is:

HA-Proxy version 1.5.2 2014/07/12
Copyright 2000-2014 Willy Tarreau <[email protected]>

I can start my haproxy with a self-signed cert. Why does this inconsistency occur? I am sure that the private key belongs to the certificate.

I have been trying for hours now but I cannot find the reason.

Please help! Thank you!

Ulrika answered 8/7, 2015 at 11:24 Comment(1)
I had a similar issue recently. I discovered that the private key and the certificate didn't match, so HA Proxy was right to raise that error. I followed the steps from here to verify the match: sslshopper.com/certificate-key-matcher.html You have probably already solved your issue but I wanted to post this comment as it might be useful for other people. – Synapse

The order of the certificates in your file is wrong. It seems you are putting the intermediate certificate (i.e. Secure Server CA) first which is thus expected to be the server certificate. The order of the certificates needs to be:

  • server certificate
  • server private key (without any password)
  • intermediate certificate 1
  • intermediate certificate 2

It's actually not that important where you put the private key. However, the certificates strictly need to be ordered from leaf to root, i.e. first the server certificate, then the intermediate, then its parent. Basically, you put the server certificate first, then its signer, then its signer, ...

For more information, please refer to the documentation.

Statist answered 13/7, 2015 at 12:15 Comment(2)
There is no problem putting the private key first. That works just fine. – Limber
In case this answer doesn't solve your problem, you might want to try to remove the passphrase from the private key. It solved the problem for me. To remove the password, try 'openssl rsa -in [PRIVATE_KEY_FILE] -out nopassphrase.key' – Whitman
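An added check, not part of the question, the answer or haproxy itself, that lints a haproxy PEM bundle for the two causes discussed above: it reads the subject=/issuer= annotation lines (the same ones shown in the question's file, as printed by `openssl x509 -subject -issuer`) to confirm the certificates run leaf to root, and it flags a passphrase-protected key via the `Proc-Type: 4,ENCRYPTED` header. Standard-library Python only; the sample bundle is constructed and contains no real key material.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def parse_pem_bundle(text):
    """Split a bundle into blocks, each tagged with the subject=/issuer= lines
    (as printed by `openssl x509 -subject -issuer`) found just before it."""
    blocks, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        pre, pos = text[pos:m.start()], m.end()
        dn = dict(re.findall(r"^(subject|issuer)=(.*)$", pre, re.M))
        blocks.append({"label": m.group(1), "subject": dn.get("subject"),
                       "issuer": dn.get("issuer"),
                       "encrypted": "Proc-Type: 4,ENCRYPTED" in m.group(2)})
    return blocks

def check_bundle(text):
    blocks = parse_pem_bundle(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["label"].endswith("PRIVATE KEY")]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected exactly one private key, found {len(keys)}")
    if any(k["encrypted"] for k in keys):
        findings.append("private key is passphrase-protected")
    # haproxy uses the first certificate as the server certificate, so every
    # following certificate must be the issuer of the one before it.
    for i, (cur, nxt) in enumerate(zip(certs, certs[1:]), start=1):
        if cur["issuer"] and nxt["subject"] and cur["issuer"] != nxt["subject"]:
            findings.append(f"cert {i} issued by '{cur['issuer']}', "
                            f"but cert {i + 1} is '{nxt['subject']}'")
    return findings

# Constructed sample (no real key material): intermediate before leaf, plus an encrypted key.
WRONG_ORDER = """\
subject=/O=Example Inc/CN=Example Secure Server CA
issuer=/O=Example Inc/CN=Example Global Root CA
-----BEGIN CERTIFICATE-----
MIIBfakeintermediate==
-----END CERTIFICATE-----
subject=/O=Example Corp/CN=www.example.com
issuer=/O=Example Inc/CN=Example Secure Server CA
-----BEGIN CERTIFICATE-----
MIIBfakeleaf==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
MIIEfakekey==
-----END RSA PRIVATE KEY-----
"""
```

This checks layout only; whether the key actually belongs to the first certificate still needs a crypto comparison, for example the public modulus from `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`.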
