Dear,
Thanks a lot for your reply which I followed and produced the following:
[root@haproxy ~]# ll /etc/haproxy/certs/
total 88
-rw-r--r-- 1 root root 1960 Sep 3 00:46 ca2.crt
-rw-r--r-- 1 root root 3243 Sep 3 00:46 ca2.key
-rw-r--r-- 1 root root 1048 Sep 3 00:46 ca_crl.pem
-rw-r--r-- 1 root root 2029 Sep 3 00:46 ca.crt
-rw-r--r-- 1 root root 3243 Sep 3 00:46 ca.key
-rw-r--r-- 1 root root 3989 Sep 3 00:46 ca.pem
-rw-r--r-- 1 root root 1342 Sep 3 00:46 client1.crt
-rw-r--r-- 1 root root 660 Sep 3 00:46 client1.csr
-rw-r--r-- 1 root root 887 Sep 3 00:46 client1.key
-rw-r--r-- 1 root root 1342 Sep 3 00:46 client2.crt
-rw-r--r-- 1 root root 660 Sep 3 00:46 client2.csr
-rw-r--r-- 1 root root 887 Sep 3 00:46 client2.key
-rw-r--r-- 1 root root 1306 Sep 3 00:46 client_company.crt
-rw-r--r-- 1 root root 660 Sep 3 00:46 client_company.csr
-rw-r--r-- 1 root root 887 Sep 3 00:46 client_company.key
-rw-r--r-- 1 root root 1342 Sep 3 00:46 client_expired.crt
-rw-r--r-- 1 root root 660 Sep 3 00:46 client_expired.csr
-rw-r--r-- 1 root root 887 Sep 3 00:46 client_expired.key
-rw-r--r-- 1 root root 1342 Sep 3 00:46 server.crt
-rw-r--r-- 1 root root 660 Sep 3 00:46 server.csr
-rw-r--r-- 1 root root 891 Sep 3 00:46 server.key
-rw-r--r-- 1 root root 2233 Sep 3 00:46 server.pem
But when I restarted haproxy, I got the following error:
[root@haproxy haproxy]# service haproxy restart
[ALERT] 245/025407 (2270) : parsing [/etc/haproxy/haproxy.cfg:71] : 'bind
*:443' : unable to load SSL private key from PEM file
'/etc/haproxy/certs/ca_crl.pem'.
[ALERT] 245/025407 (2270) : Error(s) found in configuration file :
/etc/haproxy/haproxy.cfg
[ALERT] 245/025407 (2270) : Proxy 'https_frontend': no SSL certificate
specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:71] (use 'crt').
[ALERT] 245/025407 (2270) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.
Thanks for your help my friend
Rezhna
-Original Message-
From: Baptiste [mailto:bed...@gmail.com]
Sent: Monday, September 2, 2013 10:41 PM
To: Nick Jennings
Cc: Rezhna Hoshyar; Lukas Tribus; haproxy@formilux.org
Subject: Re: https with haproxy
Rezhna,
You can start with a script I used when I wrote some blog articles about
HAProxy and SSL:
https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level
You'll be able to generate selfsigned certificates.
Good luck,
Baptiste
On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings wrote:
> http://www.startssl.com
>
>
>
> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar wrote:
>>
>> Dear,
>>
>> Could you please tell me how I can get a free SSL certificate, as I
>> tried many ways mentioned on the Internet, but none of them were useful.
>>
>> Rezhna
>>
>> -Original Message-
>> From: Baptiste [mailto:bed...@gmail.com]
>> Sent: Sunday, September 1, 2013 9:44 PM
>> To: Rezhna Hoshyar
>> Cc: Lukas Tribus; haproxy@formilux.org
>> Subject: Re: https with haproxy
>>
>> Hi Rezhna,
>>
>> Use the "http-request redirect scheme" to do this, as an example:
>> http-request redirect scheme https if ! { ssl_fc }
>>
>> It will force HTTPS whatever the hostname is.
>> As Lukas stated, you have to own the certificate and the frontend /
>> backend must be in mode http.
>>
>> Baptiste
>>
>>
>>
>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>> >
>> > Hi,
>> >
>> > Actually we want to apply it for our company web sites.
>> >
>> > Rezhna
>> >
>> > -Original Message-
>> > From: Lukas Tribus [mailto:luky...@hotmail.com]
>> > Sent: Sunday, September 1, 2013 5:44 PM
>> > To: Rezhna Hoshyar
>> > Cc: haproxy@formilux.org
>> > Subject: RE: https with haproxy
>> >
>> > Hi,
>> >
>> >> My question is about how to use https with haproxy, not avoiding it.
>> >
>> > Compile haproxy 1.5 with SSL support and enable it. You can find
>> > details in doc/ and some generic examples in examples/.
>> >
>> >
>> >
>> >> I can use haproxy to redirect http://google.com to
>> >> http://yahoo.com, but I cannot do that with https://google.com.
>> >
>> > Well, do you have a certificate for google.com (or whatever website
>> > you need to redirect)? You cannot do this without a valid
>> > certificate, otherwise HTTPS would not make any sense.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Lukas
>> >
>> > --
>> > This message has been scanned for viruses and dangerous content by
>> > MailScanner, and is believed to be clean.
>> >
>> >
>>
>>
>>
>
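The restart error in the top message names ca_crl.pem, a CRL, as the file HAProxy tried to read a private key from; when `crt` names a directory, HAProxy loads the files in it as certificates, so each one must hold a certificate and its key in one PEM. The check below is an added example, not code from this thread or from the HAProxy project: it assumes the bind line's `crt` points at the directory (haproxy.cfg is not shown here), the helper names `pem_kind`, `crt_dir_offenders` and `make_pem` are hypothetical, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Classify a PEM file by the block types it contains.
# Prints: bundle (certificate + private key), cert, key, crl, or other.
pem_kind() {
    has_cert=0; has_key=0; has_crl=0
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then has_cert=1; fi
    if grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then has_key=1; fi
    if grep -q -e '-----BEGIN X509 CRL-----' "$1"; then has_crl=1; fi
    if [ "$has_cert" = 1 ] && [ "$has_key" = 1 ]; then echo bundle
    elif [ "$has_cert" = 1 ]; then echo cert
    elif [ "$has_key" = 1 ]; then echo key
    elif [ "$has_crl" = 1 ]; then echo crl
    else echo other
    fi
}

# List every regular file in directory $1 that is not a certificate + key
# bundle, as "name: kind". Under the stated assumption, each listed file
# is one that a `crt <dir>` bind cannot load.
crt_dir_offenders() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(pem_kind "$f")
        if [ "$kind" != bundle ]; then
            printf '%s: %s\n' "${f##*/}" "$kind"
        fi
    done
}

# Write a constructed placeholder PEM: $1 = path, remaining args = block labels.
# The bodies are dummy text, not real certificate or key material.
make_pem() {
    out=$1; shift
    : > "$out"
    for label in "$@"; do
        printf '%s\n' "-----BEGIN $label-----" "AAAA" "-----END $label-----" >> "$out"
    done
}

# Constructed sample directory reusing four file names from the listing above.
demo_dir=$(mktemp -d)
make_pem "$demo_dir/server.pem" "CERTIFICATE" "RSA PRIVATE KEY"
make_pem "$demo_dir/server.key" "RSA PRIVATE KEY"
make_pem "$demo_dir/ca.crt"     "CERTIFICATE"
make_pem "$demo_dir/ca_crl.pem" "X509 CRL"
crt_dir_offenders "$demo_dir"   # every file except server.pem is reported
rm -rf "$demo_dir"
```

Running `crt_dir_offenders` against the real directory shows which files to move elsewhere, or `crt` can name the single bundle file instead of the directory.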