I git cloned haproxy and compiled it:

root@mail:~/haproxy# ./haproxy --version
HAProxy version 2.9-dev8-ce7501-38 2023/11/04 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 x86_64
Usage : haproxy [-f <cfgfile|cfgdir>]* [ -vdVD ] [ -n <maxconn> ] [ -N <maxpconn> ]

Probably this is not what I want? Better 2.8 stable?

I compiled with

make TARGET=linux-glibc

--
Christoph

> On 04.11.2023 at 08:42, Christoph Kukulies <k...@kukulies.org> wrote:
>
> I was informed off list that putting the ssl-skip-self-issued-ca inline like I
> did would make haproxy fail on the config.
>
> It doesn't do so on me here with my config.
> As mentioned, my haproxy is 2.4.22. This is what I got with ubuntu apt
> install.
>
> How does one install haproxy directly under Ubuntu, also to be more up to
> date?
>
> --
> Christoph
>
>
>> On 03.11.2023 at 09:49, Christoph Kukulies <k...@kukulies.org> wrote:
>>
>> Thanks, Shawn,
>>
>> I always have my problems with the open form of the configuration file
>> syntax (lua ?).
>> The docs say it is a keyword under "crt" which in turn belongs to the "bind"
>> options.
>>
>> Would it be correct to place it that way?:
>>
>> frontend http-in
>>     bind *:80
>>     bind *:443 ssl crt /etc/haproxy/fullchain.pem crt ssl-skip-self-issued-ca
>>
>>
>>> On 03.11.2023 at 03:50, Shawn Heisey <hapr...@elyograg.org> wrote:
>>>
>>> On 11/2/2023 02:35, Christoph Kukulies wrote:
>>>> In /etc/letsencrypt/live/www.mydomain.org I have:
>>>>
>>>> lrwxrwxrwx 1 root root 41 Oct 23 17:22 cert.pem -> ../../archive/www.mydomain.org/cert12.pem
>>>> lrwxrwxrwx 1 root root 42 Oct 23 17:22 chain.pem -> ../../archive/www.mydomain.org/chain12.pem
>>>> lrwxrwxrwx 1 root root 46 Oct 23 17:22 fullchain.pem -> ../../archive/www.mydomain.org/fullchain12.pem
>>>> lrwxrwxrwx 1 root root 13 Nov 1 12:12 fullchain.pem.key -> fullchain.pem
>>>> lrwxrwxrwx 1 root root 44 Oct 23 17:22 privkey.pem -> ../../archive/www.mydomain.org/privkey12.pem
>>>> lrwxrwxrwx 1 root root 11 Nov 1 12:11 privkey.pem.key -> privkey.pem
>>>> -rw-r--r-- 1 root root 692 Nov 13 2021 README
>>>>
>>>> But note that the files ending in .key are put there on an experimental
>>>> basis, because I read somewhere in the haproxy docs that one could put a
>>>> file with extension .key there and haproxy then interprets that as the
>>>> private key. Location for this hint escaped me for the moment.
>>>
>>> The link named 'fullchain.pem.key' is not pointing at a key. It is
>>> pointing at the fullchain, which as already mentioned, does NOT contain the
>>> private key.
>>>
>>> If you change that symlink to point at privkey.pem instead of
>>> fullchain.pem, haproxy might start working. You do not need the
>>> privkey.pem.key symlink.
>>>
>>> If you're going to use the fullchain file in haproxy, then you should also
>>> use the ssl-skip-self-issued-ca config that William mentioned so the root
>>> cert is not sent to browsers.
>>>
>>> Thanks,
>>> Shawn
>>>
>>
>> --
>> Christoph
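
Added example, not part of the thread: a shell check for the situation Shawn describes, where the file named on "crt" holds only certificates and the companion "<crt>.key" file must hold the private key. The function names has_key and check_crt are made up for this sketch, and it only looks for PEM headers; it does not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): does the file given to "crt" have a
# private key, either inside the PEM itself or in the companion "<crt>.key"?

# has_key FILE: succeeds if FILE (symlinks followed) has a PEM private-key header.
has_key() {
    [ -f "$1" ] && grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# check_crt CRT: prints a verdict; returns 0 = key found, 1 = no key, 2 = bad input.
check_crt() {
    crt=$1
    if [ ! -f "$crt" ]; then
        echo "missing: $crt"; return 2
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
        echo "no certificate in $crt"; return 2
    fi
    if has_key "$crt"; then
        echo "ok: key is inside $crt"; return 0
    fi
    # -L also catches a dangling symlink, which -e reports as absent.
    if [ -e "$crt.key" ] || [ -L "$crt.key" ]; then
        if has_key "$crt.key"; then
            echo "ok: key found in $crt.key"; return 0
        fi
        target=$(readlink "$crt.key" 2>/dev/null || echo "$crt.key")
        echo "bad: $crt.key ($target) holds no private key"; return 1
    fi
    echo "bad: no key in $crt and no $crt.key"; return 1
}

# Stand-alone use: sh check_crt.sh /etc/haproxy/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_crt "$1"
fi
```

With the listing quoted above, where fullchain.pem.key links to fullchain.pem, the check reports that the .key file holds no private key; after repointing the link at privkey.pem it reports the key as found.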