Thanks, Shawn, I always have my problems with the open form of the configuration file syntax (lua ?). The docs say it is a keyword under "crt" which in turn belongs to the "bind" options.
Would it be correct to place it that way?:

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/fullchain.pem crt ssl-skip-self-issued-ca

> On 03.11.2023 at 03:50 Shawn Heisey <hapr...@elyograg.org> wrote:
>
> On 11/2/2023 02:35, Christoph Kukulies wrote:
>> In /etc/letsencrypt/live/www.mydomain.org I have:
>> lrwxrwxrwx 1 root root 41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
>> lrwxrwxrwx 1 root root 42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
>> lrwxrwxrwx 1 root root 46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
>> lrwxrwxrwx 1 root root 13 Nov 1 12:12 fullchain.pem.key -> fullchain.pem
>> lrwxrwxrwx 1 root root 44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
>> lrwxrwxrwx 1 root root 11 Nov 1 12:11 privkey.pem.key -> privkey.pem
>> -rw-r--r-- 1 root root 692 Nov 13 2021 README
>> But note that the files ending in .key are put there on an experimental
>> basis, because I read somewhere in the haproxy docs that one could put a file
>> with extension .key there and haproxy then interprets that as the private key.
>> The location of this hint escapes me for the moment.
>
> The link named 'fullchain.pem.key' is not pointing at a key. It is pointing
> at the fullchain, which as already mentioned, does NOT contain the private
> key.
>
> If you change that symlink to point at privkey.pem instead of fullchain.pem,
> haproxy might start working. You do not need the privkey.pem.key symlink.
>
> If you're going to use the fullchain file in haproxy, then you should also
> use the ssl-skip-self-issued-ca config that William mentioned so the root
> cert is not sent to browsers.
>
> Thanks,
> Shawn

--
Christoph
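Added illustration, not code from the thread or from HAProxy: a small Python check that reproduces the symlink situation above and reports where a `crt` file's private key would be found, following the lookup order Shawn describes (key inside the file, otherwise a sibling file with `.key` appended). The PEM blocks are constructed placeholders, and the "before"/"after" scenario rebuilds the live/ directory from the listing in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed placeholder PEM blocks: not real certificates or keys, only the labels matter.
FULLCHAIN = ("-----BEGIN CERTIFICATE-----\nLEAF_PLACEHOLDER\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nINTERMEDIATE_PLACEHOLDER\n-----END CERTIFICATE-----\n")
PRIVKEY = "-----BEGIN PRIVATE KEY-----\nKEY_PLACEHOLDER\n-----END PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_labels(text: str) -> list:
    """Return the BEGIN labels of every PEM block in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def has_private_key(text: str) -> bool:
    return any(label.endswith("PRIVATE KEY") for label in pem_labels(text))


def resolve_crt(crt_path) -> dict:
    """Emulate the lookup for `bind ... ssl crt <file>` (assumed order, as described in the thread):
    the key must be in the file itself, otherwise in `<file>.key` next to it."""
    crt = Path(crt_path)
    text = crt.read_text()
    certs = pem_labels(text).count("CERTIFICATE")
    if certs == 0:
        return {"ok": False, "reason": f"{crt} contains no certificate"}
    if has_private_key(text):
        return {"ok": True, "certs": certs, "key_from": str(crt)}
    key_file = crt.with_name(crt.name + ".key")
    if not key_file.exists():
        return {"ok": False, "reason": f"no private key in {crt} and {key_file} is missing"}
    if not has_private_key(key_file.read_text()):
        # The case from the thread: fullchain.pem.key links back to fullchain.pem, which has no key.
        return {"ok": False, "reason": f"{key_file} -> {key_file.resolve().name} holds no private key"}
    return {"ok": True, "certs": certs, "key_from": str(key_file.resolve())}


def run_scenario() -> dict:
    """Rebuild the live/ directory with the posted symlink, then with the corrected one."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp)
        (live / "fullchain.pem").write_text(FULLCHAIN)
        (live / "privkey.pem").write_text(PRIVKEY)
        os.symlink("fullchain.pem", live / "fullchain.pem.key")   # as in the listing
        before = resolve_crt(live / "fullchain.pem")
        os.remove(live / "fullchain.pem.key")
        os.symlink("privkey.pem", live / "fullchain.pem.key")     # the suggested fix
        after = resolve_crt(live / "fullchain.pem")
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```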