On Wed, Nov 01, 2023 at 03:48:56PM -0600, Shawn Heisey wrote:
> The LE fullchain file does not contain the key.  It contains 3 
> certificates. ... the server cert, the issuing cert, and the root cert 
> ... which is not what you want.  For letsencrypt, the file that you give 
> to haproxy must contain the server cert, the issuing cert, and the 
> private key.

Actually you can separate the key from the chain with haproxy, but
without the configuration it's difficult to know what it's trying to
load.

http://docs.haproxy.org/2.8/configuration.html#ssl-load-extra-files

With the 'key' option it's able to load a 'file.pem.key' if you
specified 'crt file.pem' in your configuration.


> You do not want to include the root certificate.  It will be ignored
> by the browser even if it is included, but it will probably slow down
> TLS negotiation by a small amount.  The presence of the root
> certificate in the TLS handshake should not actually break anything in
> most cases, but it could result in a lower score on the Qualys Labs
> SSL test.
>

You can also ask haproxy to ignore the root CA in the configuration:

http://docs.haproxy.org/2.8/configuration.html#ssl-skip-self-issued-ca


> When my renewal script finishes, I have a file containing four things: 
> The server cert, the issuing cert, the private key, and a unique 4096 
> bit DHPARAM.  This combination is ideal for haproxy.
> 
> The version of certbot that I am using generates 256-bit ECDSA keys by 
> default.  You might be thinking that a 256 bit ECDSA key cannot be as 
> secure as a 2048 bit RSA key, but that is incorrect:
> 
> https://www.baeldung.com/cs/encryption-asymmetric-algorithms#3-key-length
> 
> Some of the equipment I use will not work with ECDSA keys, so I have a 
> second cert with a subset of names that I build using 4096 bit RSA.
> 

There are a lot of possibilities to configure this; we are trying to move
forward to a configuration where we can specify files separately so
there would be nothing to do in the future, but unfortunately there is
still development to do.

-- 
William Lallemand

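The split layout William describes (certificate chain in `file.pem`, key in `file.pem.key`, picked up via `ssl-load-extra-files key`) as an added example, not part of the thread: a small deploy-hook style script that lays a certbot lineage out that way. The output directory, the lineage name "example" and the sample PEM bodies are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): lay a Let's Encrypt lineage out
# the way haproxy expects when the key is kept in a separate file, i.e.
#   global
#       ssl-load-extra-files key
#       ssl-skip-self-issued-ca
#   ...
#       bind :443 ssl crt /etc/haproxy/certs/example.pem
# haproxy then loads /etc/haproxy/certs/example.pem.key on its own.
# Paths and the lineage name "example" are assumptions for the demo.

# install_haproxy_cert <fullchain.pem> <privkey.pem> <out_dir> <name>
# Copies the chain to <out_dir>/<name>.pem and the key to <out_dir>/<name>.pem.key
# (owner-only), replacing each atomically so a reload never sees a partial file.
# Prints the number of certificates placed in the chain file.
install_haproxy_cert() {
    fullchain=$1 privkey=$2 out_dir=$3 name=$4
    target="$out_dir/$name.pem"
    # The .pem must hold certificates only; a key inside it defeats the split.
    if grep -q 'PRIVATE KEY' "$fullchain"; then
        echo "refusing: $fullchain contains a private key" >&2
        return 1
    fi
    mkdir -p "$out_dir" || return 1
    cp "$fullchain" "$target.tmp" && mv "$target.tmp" "$target" || return 1
    # umask in a subshell so only the key copy is created 0600.
    (umask 077 && cp "$privkey" "$target.key.tmp") && mv "$target.key.tmp" "$target.key" || return 1
    grep -c 'BEGIN CERTIFICATE' "$target"
}

# make_sample_lineage <dir>: constructed stand-ins for certbot's output
# (placeholder PEM bodies, not real certificates or keys).
make_sample_lineage() {
    mkdir -p "$1"
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' > "$1/fullchain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----\n' >> "$1/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n' > "$1/privkey.pem"
}

demo_dir=$(mktemp -d)
make_sample_lineage "$demo_dir/le"
install_haproxy_cert "$demo_dir/le/fullchain.pem" "$demo_dir/le/privkey.pem" "$demo_dir/certs" example
ls -l "$demo_dir/certs"
```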