Posted by dandriff on Tuesday November 06, 2012@08:11PM
NB: These notes have not yet been organized.
[ALERT] 311/003724 (26469) : Proxy 'frontend_api_https': unable to load SSL private key from file '/etc/haproxy/certs/final.crt' in bind '0.0.0.0:443' at [/etc/haproxy/haproxy.cfg:48].
[ALERT] 311/003724 (26469) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 311/003724 (26469) : Proxy 'frontend_api_https': no SSL certificate specified for bind '0.0.0.0:443' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').
unable to load SSL certificate from PEM file '/etc/haproxy/certs/private.key'.
haproxy "no SSL certificate specified for bind"
OpenSSL error code 336236705
I decided to create my own test with just the problematic part of the code to help isolate the problem. This turned out to be useful in the end, but bore no fruit directly.
Useful documentation on the failing 'SSL_CTX_use_PrivateKey_file' function: http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtpc2%2Fcpp_ssl_ctx_use_privatekey_file.html
I got lost in the bushes looking at things such as http://linux.die.net/man/3/err_reason_error_string
Not much good came from this approach.
It turns out there are no fewer than 4 different possible formats for PEM files:
I found this thanks to http://www.apsis.ch/pound/pound_list/archive/2012/2012-09/1348737381000/index_html?fullMode=1 which I found by searching for "SSL_CTX_use_PrivateKey_file".
So, it turns out that the problem was 100% due to OpenSSL needing a particular PEM file layout (in this case, the "Creating a .pem to include your private key and entire trust chain" style was required: the private key and the whole trust chain together in the one file that HAProxy's 'crt' points at).
One additional source of information about PEM files: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
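To make the fix concrete, here is an added example (not from the original post): a small POSIX shell script that assembles the single PEM file HAProxy's 'crt' expects (leaf certificate, then intermediates, then the private key) and checks the result before you run the HAProxy config check. File names are hypothetical and the PEM bodies it writes are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the combined PEM that
# HAProxy's 'crt' directive loads and checks its layout. Paths are hypothetical;
# make_samples writes constructed placeholder blocks, not real key material.

# Emit one PEM block of type $1 with body $2 (helper for the constructed samples).
pem_block() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }

# Write placeholder leaf cert, intermediate chain and private key into dir $1.
make_samples() {
    pem_block CERTIFICATE LEAFPLACEHOLDER         > "$1/leaf.crt"
    pem_block CERTIFICATE INTERMEDIATEPLACEHOLDER > "$1/chain.crt"
    pem_block "PRIVATE KEY" KEYPLACEHOLDER        > "$1/private.key"
}

# Concatenate in the order OpenSSL reads it: leaf first, intermediates, then the
# key. The output now contains the private key, so restrict its permissions.
build_pem() {
    leaf="$1"; chain="$2"; key="$3"; out="$4"
    cat "$leaf" "$chain" "$key" > "$out"
    chmod 600 "$out"
}

# Succeed only if the file holds exactly one private key and at least one
# certificate. A certificate-only file is what triggers HAProxy's
# "unable to load SSL private key from file" alert quoted in the post.
check_pem() {
    keys=$(grep -c 'BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE-----' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Deeper check for real files when openssl is installed: the private key must
# belong to the leaf certificate (compares the two public keys).
key_matches_leaf() {
    command -v openssl >/dev/null 2>&1 || return 0   # tool absent: skip, not fail
    leaf_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    [ "$leaf_pub" = "$key_pub" ]
}

# Demo on the constructed samples. With real files, follow this with
# 'haproxy -c -f /etc/haproxy/haproxy.cfg' before reloading.
tmp=$(mktemp -d)
make_samples "$tmp"
build_pem "$tmp/leaf.crt" "$tmp/chain.crt" "$tmp/private.key" "$tmp/final.pem"
if check_pem "$tmp/final.pem"; then echo "final.pem: key + chain present"; fi
if ! check_pem "$tmp/leaf.crt"; then echo "leaf.crt alone: no private key (the post's failure)"; fi
rm -rf "$tmp"
```

key_matches_leaf is only meaningful on real certificates and keys; the placeholder samples are not parseable by openssl, so the demo does not call it.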
Oh joy, the great SSL racket.