On Mon, Sep 21, 2020 at 11:23:06AM +0200, Marc Antoine Leclercq wrote:
> Hi,
>
> I posted this on the discourse haproxy forum and was asked to post it
> here for better visibility :
>
> We recently switched to haproxy 2.2.2 and we encountered a problem
> with the flexibility of ssl-load-extra-files.
>
> The way we handle certs is as follows:
> Public key name is : fqdn.pem
> Private key name is : fqdn.key
>
> Which resulted in No Private Key found in
> '/etc/pki/tls/certs/fqdn.pem' or /etc/pki/tls/certs/fqdn.pem.key
>
> I think it would be interesting if that directive was a little smarter
> in the way it deals with file extensions and also tried to strip the
> extension from the filename to see if the .key file exists with the
> same name.
>
> Not sure how that would affect performance for HaProxy startup, but
> for the moment, we either need to completely revamp the way we deploy
> certs, or create a symlink for the key file, to .pem.key in the same
> directory if we want to use this feature.
> SSL-LOAD-EXTRA-FILES is an excellent feature we’ve been waiting for as
> it simplifies our cert deployment, but in its current form it’s not
> really usable for us.
>
> Thank you.

Hello,

It was indeed reported multiple times that this feature is not convenient in its current state.

Please take a look at this github issue and don't hesitate to comment:
https://github.com/haproxy/haproxy/issues/785

I'll update this soon since the subject evolved a little bit from the development team point of view.

--
William Lallemand
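
The symlink workaround mentioned in the quoted message, written out as an added example that is not part of the thread or of HAProxy itself. The function name `link_pem_keys` and the one-directory layout with `fqdn.pem` beside `fqdn.key` are assumptions taken from the description above.

```shell
#!/bin/sh
# Added example: for every <name>.pem without an embedded private key,
# create <name>.pem.key as a symlink to <name>.key, the name the error
# message quoted above says is searched for.
# link_pem_keys is a hypothetical helper, not an HAProxy tool.

link_pem_keys() {
    dir=$1
    linked=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue          # glob matched nothing
        key="${pem%.pem}.key"              # fqdn.pem -> fqdn.key
        link="$pem.key"                    # fqdn.pem -> fqdn.pem.key

        # A bundle that already carries its key needs no extra file.
        if grep -q -e 'BEGIN .*PRIVATE KEY' "$pem"; then
            continue
        fi
        # Report certificates whose key was never deployed.
        if [ ! -f "$key" ]; then
            echo "warning: no key file for $pem" >&2
            continue
        fi
        # Never overwrite an existing file or link with that name.
        if [ -e "$link" ] || [ -L "$link" ]; then
            continue
        fi
        # Relative target: the link stays valid if the directory moves,
        # and the key keeps its own owner and permissions.
        ln -s "$(basename "$key")" "$link" && linked=$((linked + 1))
    done
    echo "$linked"                         # number of links created
}
```

Calling `link_pem_keys /etc/pki/tls/certs` after each certificate deployment prints how many links were created; running it again is harmless because existing links are skipped.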