I was informed off list that putting the ssl-skip-self-issued-ca inline like I 
did would make haproxy fail on the config.

It doesn't do so for me here with my config.
As mentioned, my haproxy is 2.4.22. This is what I got with ubuntu apt install.

How does one install haproxy directly under Ubuntu, also to be more up to date?

--
Christoph


> Am 03.11.2023 um 09:49 schrieb Christoph Kukulies <k...@kukulies.org>:
> 
> Thanks, Shawn,
> 
> I always have my problems with the open form of the configuration file syntax 
> (lua ?).
> The docs say it is a keyword under "crt" which in turn belongs to the "bind" 
> options.
> 
> Would it be correct to place it that way?:
> 
> frontend http-in
>     bind *:80
>     bind *:443 ssl crt /etc/haproxy/fullchain.pem crt ssl-skip-self-issued-ca
> 
> 
>> Am 03.11.2023 um 03:50 schrieb Shawn Heisey <hapr...@elyograg.org>:
>> 
>> On 11/2/2023 02:35, Christoph Kukulies wrote:
>>> In /etc/letsencrypt/live/www.mydomain.org I have:
>>> lrwxrwxrwx 1 root root  41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
>>> lrwxrwxrwx 1 root root  42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
>>> lrwxrwxrwx 1 root root  46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
>>> lrwxrwxrwx 1 root root  13 Nov  1 12:12 fullchain.pem.key -> fullchain.pem
>>> lrwxrwxrwx 1 root root  44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
>>> lrwxrwxrwx 1 root root  11 Nov  1 12:11 privkey.pem.key -> privkey.pem
>>> -rw-r--r-- 1 root root 692 Nov 13  2021 README
>>> But note that the files ending in .key are put there on an experimental 
>>> basis, because I read somewhere in the haproxy docs that one could put a 
>>> file with extension .key there and haproxy then interprets that as the 
>>> private key. The location of this hint escaped me for the moment.
>> 
>> The link named 'fullchain.pem.key' is not pointing at a key.  It is pointing 
>> at the fullchain, which as already mentioned, does NOT contain the private 
>> key.
>> 
>> If you change that symlink to point at privkey.pem instead of fullchain.pem, 
>> haproxy might start working.  You do not need the privkey.pem.key symlink.
>> 
>> If you're going to use the fullchain file in haproxy, then you should also 
>> use the ssl-skip-self-issued-ca config that William mentioned so the root 
>> cert is not sent to browsers.
>> 
>> Thanks,
>> Shawn
>> 
> 
> --
> Christoph
> 
> 
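A small check script, added here as an example and not part of the thread, that looks at a PEM bundle the way haproxy's crt option will: it reports whether a private key is present (inline or in the sibling <file>.key mentioned above) and whether the chain ends in a self-issued root, which is the certificate ssl-skip-self-issued-ca keeps haproxy from sending. It assumes openssl(1) is installed; the root and leaf it writes to a temp directory are constructed demo certificates whose file names mirror the Let's Encrypt layout above.

```shell
# Added example (not from the thread). Checks a PEM bundle the way haproxy's
# "crt" option sees it; the demo certs are constructed. Requires openssl(1).
# has_private_key FILE -> success if FILE, or the sibling FILE.key, holds a private key
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null && return 0
    [ -f "$1.key" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1.key"
}

# cert_count FILE -> number of CERTIFICATE blocks in the bundle
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# last_cert_is_self_issued FILE -> success if the final cert's subject equals
# its issuer, i.e. a root CA sits in the chain and would be sent to clients
last_cert_is_self_issued() {
    last=$(awk '/-----BEGIN CERTIFICATE-----/ {n++} n {c[n] = c[n] $0 "\n"}
                END {printf "%s", c[n]}' "$1")
    subj=$(printf '%s' "$last" | openssl x509 -noout -subject)
    iss=$(printf '%s' "$last" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# report FILE -> one-line summary of the checks above
report() {
    printf '%s: %s cert(s), ' "$1" "$(cert_count "$1")"
    if has_private_key "$1"; then printf 'private key found, '
    else printf 'NO private key, '; fi
    if last_cert_is_self_issued "$1"; then echo 'root CA included (ssl-skip-self-issued-ca drops it)'
    else echo 'no root CA at the end of the chain'; fi
}

# make_demo_bundle -> prints a temp dir laid out like the Let's Encrypt
# directory in the thread: cert.pem, privkey.pem, fullchain.pem (leaf + root)
make_demo_bundle() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/cert.pem" 2>/dev/null
    cat "$d/cert.pem" "$d/root.pem" > "$d/fullchain.pem"
    echo "$d"
}
demo=$(make_demo_bundle)
report "$demo/fullchain.pem"                       # fullchain alone: no key
cp "$demo/privkey.pem" "$demo/fullchain.pem.key"   # the .key side-file convention
report "$demo/fullchain.pem"
```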
