We recently started using HAProxy as our load balancer. It was a bit of a learning curve for me, as I think of myself as more of a Windows admin!

We do a lot of hosting, so requesting an SSL certificate for a site is a common task. Prerequisites for this walkthrough are PuTTY and WinSCP on your Windows workstation; everything else is done with the openssl command line on the load balancer itself.

1. SSH to the HAProxy host using PuTTY.

2. Run the following command to generate a new 2048-bit RSA private key and a CSR for it in one go:

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout yourdomain.key -out yourdomain.csr

The -nodes option writes the private key unencrypted, which is what HAProxy needs (it cannot prompt for a passphrase at startup), so treat yourdomain.key as a secret from this point on. Only the .csr is ever sent to the CA; the .key never leaves the load balancer.

3. You will be prompted for the certificate subject details (country, organisation and so on). The Common Name must be the fully qualified domain name you are securing, e.g. www.yourdomain.com; the challenge password can be left blank.


4. At this point you should check your CSR to make sure you didn't make any mistakes: a typo here means a certificate issued for the wrong name and a new request. I made a typo once and this caused me some issues down the line!

openssl req -text -noout -verify -in yourdomain.csr

-verify checks the CSR's own signature and -text prints the subject and key size, so confirm the Common Name and that the key is 2048 bit before you submit it.


5. Next, cat the contents of the CSR file to the screen:

cat yourdomain.csr

6. Copy the whole block, including the BEGIN and END lines, and paste it into the CA's request form. I used Comodo, but you can use any public CA.

7. Once you have received your certificate back from the CA, copy the files to the load balancer using WinSCP. Put them in your home directory for now. You will typically get your own certificate (.crt) plus either a CA bundle or separate intermediate and root certificates.

8. The next step is to concatenate the relevant files into a single .pem file. The file must contain the private key, your certificate and the CA bundle (or the individual intermediate and root certificates).

It is vital that the .pem file has all the required certificates in the correct order: HAProxy takes the private key and the first certificate as the server pair and presents the certificates after it as the chain. The order is as follows (if your OpenSSL writes the key header as -----BEGIN PRIVATE KEY----- rather than RSA PRIVATE KEY, that is fine too):

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

cat yourdomain.key yourdomain.crt yourdomain.ca-bundle > yourdomain.pem

(One cat with a single redirect rather than three appends with >>: the order of the arguments is the order in the file, and re-running an append would leave you with duplicate blocks.)

9. Check the PEM file by running the following command:

openssl verify yourdomain.pem

If the chain is complete and the CA is trusted on the host, the command prints yourdomain.pem: OK. If it returns an error you know something is wrong! Be aware that openssl verify only checks the first certificate in the file (your own) against the CAs already trusted on the load balancer, so it can report "unable to get local issuer certificate" simply because the box does not know the CA's intermediate. The stricter check is to verify your certificate against the bundle the CA sent you (the root via -CAfile, the intermediates via -untrusted) and to confirm that the public key in the certificate is the same one as in your .key file.
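The checks described in steps 2 to 9, as an added example that is not part of the original post. Because it has to run offline it stands in for the public CA with a throw-away root and intermediate built with openssl; the names (Demo Root, www.example.test) and file names are made up. It assembles the .pem in the order HAProxy expects and then runs the two checks that catch the usual mistakes: a key that does not belong to the certificate, and a chain that does not validate.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throw-away root -> intermediate ->
# leaf chain, assembles the .pem as HAProxy wants it (key, certificate, CA bundle) and
# checks it. Every name below (Demo Root, www.example.test, file names) is invented.
set -eu

# Stand-in for the public CA: a self-signed root, an intermediate signed by it, a leaf
# signed by the intermediate, and one unrelated key for the negative test.
# $1 is an empty work directory.
build_demo_chain() {
    dir=$1
    # openssl verify rejects an intermediate without CA:TRUE, so give the CA certs v3 extensions
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"

    # root: CSR, then self-signed with the CA extensions
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj '/CN=Demo Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # intermediate: signed by the root
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null

    # leaf: the same "openssl req" the post uses (step 2), then signed by the intermediate
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj '/CN=www.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null

    # what a public CA hands back as the "CA bundle": intermediate then root
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/ca-bundle.crt"
    # an unrelated key, to show the mismatch check firing
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
}

# The key and the certificate must carry the same public key: compare them in PEM form.
# $1 key file, $2 certificate file. Returns 0 on a match.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Verify the leaf the way a browser will: trust only the root ($1), use the bundle ($2)
# as untrusted intermediates, check the leaf ($3). Returns 0 if the chain validates.
check_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Step 8: key, certificate, bundle, in that order, into $4. One redirect, not three appends.
assemble_pem() {
    cat "$1" "$2" "$3" > "$4"
    chmod 600 "$4"    # the file holds the private key
}

# The PEM block types in the order they appear, e.g. "PRIVATE KEY,CERTIFICATE,CERTIFICATE,"
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ','
}

# HAProxy wants the private key first and the server certificate second.
# Older OpenSSL writes "RSA PRIVATE KEY", newer writes PKCS#8 "PRIVATE KEY"; both are accepted.
check_pem_order() {
    case "$(pem_block_order "$1")" in
        "PRIVATE KEY,CERTIFICATE,"*|"RSA PRIVATE KEY,CERTIFICATE,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Subject of the first certificate in a file; openssl skips the key block in front of it.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# Stand-alone run: build the demo chain, assemble the .pem, report what was checked.
demo() {
    work=$(mktemp -d)
    build_demo_chain "$work"
    check_key_matches_cert "$work/leaf.key" "$work/leaf.crt" && echo "key matches certificate"
    check_chain "$work/root.crt" "$work/ca-bundle.crt" "$work/leaf.crt" && echo "chain verifies"
    assemble_pem "$work/leaf.key" "$work/leaf.crt" "$work/ca-bundle.crt" "$work/www.example.test.pem"
    check_pem_order "$work/www.example.test.pem" && echo "pem order: $(pem_block_order "$work/www.example.test.pem")"
    first_cert_subject "$work/www.example.test.pem"
    rm -rf "$work"
}

demo
```

With a real CA, replace build_demo_chain with the files you were sent: root.crt is the CA's root (or just let -CAfile point at the bundle if it contains the root), ca-bundle.crt is the intermediate bundle, and leaf.crt and leaf.key are your certificate and the key from step 2. check_key_matches_cert is the check to run first whenever HAProxy refuses to start with an SSL error, as a key from an older CSR is the most common cause.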

10. Next, move the file to /etc/haproxy/certs (create the directory first if it does not exist) and make it readable only by root, since it contains the private key. HAProxy loads certificates as root when it parses the config, before dropping privileges, so the file does not need to be readable by the haproxy user.

sudo mv /home/yourusername/yourdomain.pem /etc/haproxy/certs

11. The final step is to edit the HAProxy config file. We need to add a bind on the new IP address, port 443, referencing our certificate .pem file in the frontend section of the load balancer.

cd /etc/haproxy
ls -lh

You can take a look at the config first to familiarize yourself:

cat haproxy.cfg

For best practice, back up haproxy.cfg first so that you can easily restore after an error:

sudo cp haproxy.cfg haproxy{INSERT DATE HERE}.cfg

To restore, copy it back the other way:

sudo cp haproxy14102015.cfg haproxy.cfg

To edit, use vi:

sudo vi haproxy.cfg

Type i to enter insert mode; when finished, press ESC and then type :wq to save and quit.

I inserted the following line in the frontend section (10.0.0.1 is the IP address the site is served on):

bind            10.0.0.1:443 ssl crt /etc/haproxy/certs/mydomain.pem
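For context, here is that bind line inside a minimal frontend and backend, as an added example and not the post's own configuration. The IP addresses, backend servers and names are placeholders, and the TLS settings shown next to it (disabling SSLv3, a 2048-bit DH parameter, an HTTP to HTTPS redirect and HSTS) are the extras worth adding at the same time; all of them are HAProxy 1.5+ directives.

```haproxy
# Added example, not from the original post. Addresses, server names and paths are placeholders.
global
    log /dev/log local0
    # HAProxy reads the .pem files as root before switching to this user, so the files can stay 0600
    user haproxy
    group haproxy
    # Applied to every "bind ... ssl": no SSLv3, and a 2048-bit group for DHE ciphers
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5:!RC4
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_https
    # TLS terminates here; HAProxy serves the key, certificate and chain from the one .pem
    bind 10.0.0.1:443 ssl crt /etc/haproxy/certs/mydomain.pem
    # Let the backend know the client arrived over HTTPS
    http-request set-header X-Forwarded-Proto https
    # Tell browsers to stay on HTTPS once the site is HTTPS-only
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend www_servers

frontend www_http
    bind 10.0.0.1:80
    # Send plain-HTTP clients to the HTTPS frontend
    redirect scheme https code 301 if !{ ssl_fc }

backend www_servers
    server web1 192.168.0.11:80 check
    server web2 192.168.0.12:80 check
```

If you host many sites on the same IP, crt can point at the directory /etc/haproxy/certs/ instead of one file; HAProxy then loads every .pem in it and picks the certificate by the SNI name the client sends.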


Before the changes take effect you have to restart the HAProxy service. To be safe, validate the config file before you reload, or the load balancer might not start! The check also loads the .pem, so a missing file or a key that does not match the certificate shows up here rather than at restart (run it with sudo so it can read the root-only .pem):

sudo haproxy -f /etc/haproxy/haproxy.cfg -c


Now we can restart. On a load balancer that is already serving traffic, prefer service haproxy reload: it starts a new process and hands over the listening sockets without dropping existing connections, whereas restart stops the old process first.

sudo service haproxy restart
sudo service haproxy status


At this point I like to back up the haproxy.cfg file and the certificate .pem.

You should now be done! Make sure you test that SSL works as expected. The checkers below also tell you whether the full chain is being served and flag weak protocol or cipher settings:

https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/

Useful page with configuration & troubleshooting commands:

https://www.sslshopper.com/article-most-common-openssl-commands.html
