Wi-Fizzle.com - Putting the fizzle in Wi-Fi since 2005 .. (yes, this was a poor choice for a domain name)

<div class="news_item">#468<div class="news_title">SSL Quest: HAProxy 1.5.x with SSL

Posted by dandriff on Tuesday November 06, 2012@08:11PM

NB: These notes have not yet been organized.

[ALERT] 311/003724 (26469) : Proxy 'frontend_api_https': unable to load SSL private key from file '/etc/haproxy/certs/final.crt' in bind '' at [/etc/haproxy/haproxy.cfg:48].
[ALERT] 311/003724 (26469) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 311/003724 (26469) : Proxy 'frontend_api_https': no SSL certificate specified for bind '' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').

unable to load SSL certificate from PEM file '/etc/haproxy/certs/private.key'.

haproxy "no SSL certificate specified for bind"

OpenSSL error code 336236705

I decided to create my own test with just the problematic part of the code to help isolate the problem. This turned out to be good in the end, but was bore no fruit directly.

Useful documentation on the failing 'SSL_CTX_use_PrivateKey_file' function: http://publib.boulder.ibm.com/infocenter/tpfhelp/current/index.jsp?topic=%2Fcom.ibm.ztpf-ztpfdf.doc_put.cur%2Fgtpc2%2Fcpp_ssl_ctx_use_privatekey_file.html:

I got lost in the bushes looking at things such as http://linux.die.net/man/3/err_reason_error_string

Not much good came from this approach.

It turns out there are no less than 4 different possible formats for PEM files:


I found this thanks to http://www.apsis.ch/pound/pound_list/archive/2012/2012-09/1348737381000/index_html?fullMode=1 which I found by searching for "SSL_CTX_use_PrivateKey_file".

So, it turns out that the problem was 100% due to needing a certain format of PEM file to appease openssl (in this case, it was the "Creating a .pem to include your private key and entire trust chain" style which was required).

One additional source of information about PEM files: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file

Oh joy- the great SSL racket.