Discussion:
SSL certs
Azim Siddiqui
2018-11-27 01:53:54 UTC
Hello,

Hope you are doing good. We are using HAproxy in our company. But the SSL certs have expired. I want to renew them. As I can see, HAproxy only takes .pem format for certs. So what files should be included in that .pem file? And can you please tell me how to convert the certs to .pem?

Thanks & Regards,
Azeem
Alberto Oliveira
2018-11-27 03:43:41 UTC
Hello Azim,

HAproxy itself doesn't manage ssl certs so you should already have one, buy
one or generate one for free using Let's Encrypt (https://letsencrypt.org/).

You can find multiple sources to guide you on how to use ssl certs on
haproxy:
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
https://serverfault.com/q/560978/241849
https://gist.github.com/sethwebster/b48d7c872fe397c1db11

Basically you have to concatenate your certs and key to generate a pem file
that's valid for haproxy. They don't really need to be converted for this,
just concatenated.

For example, if you've bought your wildcard cert from comodo, it would go
like this:
cat STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt STAR_your_domain.key > STAR_your_domain.pem

Or if you generated the certs using let's encrypt you would have to only
concatenate two files:
cat fullchain.pem privkey.pem > your_domain.pem

Although it seems complicated at first, it's simple once you go through
with it.
Does that make sense to you? Please feel free to reply with any problem you
encounter or to tell us if this solves your issue.

Best regards,
Alberto
Norman Branitsky
2018-11-27 16:55:49 UTC
Alberto wrote:
For example, if you've bought your wildcard cert from comodo, it would go like this:

cat STAR_your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt STAR_your_domain.key > STAR_your_domain.pem

I don’t believe you should include the Comodo Root certificate (or any root certificate) in your HAProxy certificate file.
You would just be wasting the client’s time downloading this certificate as they will never trust a root certificate delivered by your application.
SSLLabs will report a “Chain Issue” if it detects a root certificate in the HAProxy configuration:
https://community.qualys.com/thread/15724
https://www.ssllabs.com/ssltest/analyze.html

Johan Hendriks
2018-11-29 09:19:09 UTC
Post by Azim Siddiqui
Hello,
Hope you are doing good. We are using HAproxy in our company. But the SSL certs have expired. I want to renew them. As I can see, HAproxy only takes .pem format for certs. So what files should be included in that .pem file? And can you please tell me how to convert the certs to .pem?
Thanks & Regards,
Azeem
To create a .pem file you need to create a file with all the certs and keys.

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: your_domain_name.bundle)
-----END CERTIFICATE-----

You can do it with cat
# cat your_domain_name.key your_domain_name.crt your_domain_name.bundle > your_domain_name.pem
regards
Johan
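
The concatenation discussed in this thread, as an added example that is not from any of the posters: a shell function that builds the HAProxy .pem from the leaf certificate, chain certificates and key, leaves out any self-signed root (the point raised in Norman's reply), and refuses a key that does not match the certificate or a certificate that has already expired. It assumes the openssl command-line tool is installed and that each chain file holds a single certificate; all file names are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. File names passed in are placeholders.

# True when the certificate's subject equals its issuer (a self-signed root).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

# True when the private key and the certificate carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# build_haproxy_pem OUT KEY LEAF [CHAIN_CERT ...]
# LEAF may also be a Let's Encrypt fullchain.pem: its first certificate is the leaf.
build_haproxy_pem() {
    out=$1; key=$2; leaf=$3; shift 3
    key_matches_cert "$key" "$leaf" ||
        { echo "private key does not match $leaf" >&2; return 1; }
    openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null ||
        { echo "$leaf has already expired" >&2; return 1; }
    rm -f "$out"
    (
        umask 077                   # the bundle contains the private key
        cat "$leaf" > "$out"
        for c in "$@"; do
            if is_self_signed "$c"; then
                echo "skipping root certificate $c" >&2
            else
                cat "$c" >> "$out"
            fi
        done
        cat "$key" >> "$out"
    )
}

# Example call with the file names used in the thread:
# build_haproxy_pem STAR_your_domain.pem STAR_your_domain.key STAR_your_domain.crt \
#     COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt \
#     AddTrustExternalCARoot.crt
```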
