On 11/2/2023 02:35, Christoph Kukulies wrote:
In /etc/letsencrypt/live/www.mydomain.org I have:
lrwxrwxrwx 1 root root 41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
lrwxrwxrwx 1 root root 42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
lrwxrwxrwx 1 root root 46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
lrwxrwxrwx 1 root root 13 Nov 1 12:12 fullchain.pem.key -> fullchain.pem
lrwxrwxrwx 1 root root 44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
lrwxrwxrwx 1 root root 11 Nov 1 12:11 privkey.pem.key -> privkey.pem
-rw-r--r-- 1 root root 692 Nov 13 2021 README
But note that the files ending in .key were put there on an experimental
basis, because I read somewhere in the haproxy docs that one could put a
file with the extension .key
there and haproxy then interprets that as the private key. The location
of this hint escapes me for the moment.
The link named 'fullchain.pem.key' is not pointing at a key. It is
pointing at the fullchain, which as already mentioned, does NOT contain
the private key.
If you change that symlink to point at privkey.pem instead of
fullchain.pem, haproxy might start working. You do not need the
privkey.pem.key symlink.
If you're going to use the fullchain file in haproxy, then you should
also use the ssl-skip-self-issued-ca config that William mentioned so
the root cert is not sent to browsers.
Thanks,
Shawn
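To make the mistake above concrete, here is an added example (my own code, not from the thread or from haproxy) that rebuilds the poster's live/archive layout in a temporary directory with constructed placeholder PEM files, then emulates the lookup the poster describes: if the certificate file carries no private key, look for a sibling named `<cert>.key`. The checker only reads the PEM BEGIN/END labels, so it cannot tell whether a key actually matches a certificate (use `openssl` for that); it does catch a `.key` symlink that resolves to a bundle of certificates, which is exactly what `fullchain.pem.key -> fullchain.pem` does. The function names are my own.

```python
import os
import re
import tempfile

# One PEM block; group 1 is its label ("CERTIFICATE", "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(path):
    """Return the PEM block labels found in the file, in order."""
    with open(path, encoding="ascii") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def has_private_key(types):
    return any(t.endswith("PRIVATE KEY") for t in types)


def check_haproxy_cert(live_dir, cert_name):
    """Hypothetical checker emulating how haproxy pairs a cert with its key:
    if the cert file has no private key, a sibling <cert>.key is tried.
    Returns (ok, message)."""
    cert_path = os.path.join(live_dir, cert_name)
    if not os.path.isfile(cert_path):  # isfile() follows symlinks, so dangling links fail here
        return False, f"{cert_name}: missing or dangling symlink"
    types = pem_block_types(cert_path)
    if "CERTIFICATE" not in types:
        return False, f"{cert_name}: no CERTIFICATE block (-> {os.path.realpath(cert_path)})"
    if has_private_key(types):
        return True, f"{cert_name}: bundle already contains the private key"
    key_path = cert_path + ".key"
    if not os.path.isfile(key_path):
        return False, f"{cert_name}.key: not found, haproxy has no private key"
    key_types = pem_block_types(key_path)
    target = os.path.realpath(key_path)
    if not has_private_key(key_types):
        return False, f"{cert_name}.key -> {target} holds {key_types}, no PRIVATE KEY block"
    return True, f"{cert_name}.key -> {target} supplies the private key"


def _fake_pem(label):
    # Constructed placeholder body; only the BEGIN/END labels matter to this checker.
    return f"-----BEGIN {label}-----\nQUJDREVGR0g=\n-----END {label}-----\n"


def build_demo_live_dir():
    """Recreate the poster's layout (archive files plus live symlinks) in a
    temp dir, including the mistaken fullchain.pem.key -> fullchain.pem link.
    Returns the live directory path."""
    root = tempfile.mkdtemp()
    archive = os.path.join(root, "archive", "www.mydomain.org")
    live = os.path.join(root, "live", "www.mydomain.org")
    os.makedirs(archive)
    os.makedirs(live)
    files = {
        "cert12.pem": _fake_pem("CERTIFICATE"),
        "chain12.pem": _fake_pem("CERTIFICATE"),
        "fullchain12.pem": _fake_pem("CERTIFICATE") + _fake_pem("CERTIFICATE"),
        "privkey12.pem": _fake_pem("PRIVATE KEY"),
    }
    for name, body in files.items():
        with open(os.path.join(archive, name), "w") as fh:
            fh.write(body)
    for name in ("cert", "chain", "fullchain", "privkey"):
        os.symlink(f"../../archive/www.mydomain.org/{name}12.pem",
                   os.path.join(live, f"{name}.pem"))
    os.symlink("fullchain.pem", os.path.join(live, "fullchain.pem.key"))  # the mistake
    return live


def fix_key_symlink(live_dir):
    """Apply the fix from the reply: point fullchain.pem.key at privkey.pem."""
    link = os.path.join(live_dir, "fullchain.pem.key")
    os.unlink(link)
    os.symlink("privkey.pem", link)


if __name__ == "__main__":
    live = build_demo_live_dir()
    print("before:", check_haproxy_cert(live, "fullchain.pem")[1])
    fix_key_symlink(live)
    print("after: ", check_haproxy_cert(live, "fullchain.pem")[1])
```

Run against a real `/etc/letsencrypt/live/<domain>` directory, `check_haproxy_cert(dir, "fullchain.pem")` reports which file haproxy would end up reading as the key and what PEM blocks it actually contains; the `privkey.pem.key` link is never consulted, which is why the reply says it is not needed.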