Postarei minha chave privada na íntegra porque é um exemplo para fins de desenvolvimento e depuração.
Este é o processo pelo qual criei meu arquivo PEM:
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
sudo openssl genrsa -out example.dev.key 1024
sudo openssl req -new -key example.dev.key -out example.dev.csr
sudo openssl x509 -req -days 365 -in example.dev.csr -signkey example.dev.key -out example.dev.crt
sudo cat example.dev.crt example.dev.key | sudo tee example.dev.pem
Este é um certificado autoassinado. O arquivo PEM se parece com isto:
-----BEGIN CERTIFICATE-----
MIICcjCCAdsCFAFD5rYw03KeoC3z95/Ahl2O1x38MA0GCSqGSIb3DQEBCwUAMHgx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQHDAdGcmVt
b250MR4wHAYDVQQKDBVFdmVyZXggQ29tbXVuaWNhdGlvbnMxDDAKBgNVBAsMA2Rl
djEUMBIGA1UEAwwLZGV2ZWxvcG1lbnQwHhcNMjAxMjA5MTkwNTAyWhcNMjExMjA5
MTkwNTAyWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEQMA4G
A1UEBwwHRnJlbW9udDEeMBwGA1UECgwVRXZlcmV4IENvbW11bmljYXRpb25zMQww
CgYDVQQLDANkZXYxFDASBgNVBAMMC2RldmVsb3BtZW50MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6
FgmsfDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWc
ptVb/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwID
AQABMA0GCSqGSIb3DQEBCwUAA4GBAKp3won6y2Y712spVbxjklzSgYRQCi8aBFZd
Nv3B5YvPg+MXIKCvj9fDdAwqQU1eBj5arF9bL2NixAdT3P+77db3FSPeje5CRd57
tHhRzFb0GSjiW304VI+v/ptfb95jA5CwvAF9uMvNHrTVT8Aln3pldpitvtP5LtpM
qa0iD2xG
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6Fgms
fDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWcptVb
/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwIDAQAB
AoGAVJQes1ixvhKg2IdSDcN+CSSj/rGORUpoYpxWNdxjNy7s0y1CeuvwCJqJaCGb
m3JpbpSzdW+AD6aL8/DUmtsvCUQEg4g49K8j/z942HqatZS3Zuucf7SHzWlvze+N
JDrQabnq53+zAvfqf8+8fhbuRxoanl120kdVcIutPgN38cECQQDsnBpKNRGc6jA8
+lh4KciqQ+32gY7Z+dsSW4i1vufLnTkbS1rO2DL0ruuZzjnOT4FuE7SU4T1N4Qni
3PRNG4PjAkEAy8RuuGWuzULJ7mE/F9SKnYcaugoVNsSMNTwObTytIQtvb66l4M06
Jp/BvLJy5Atys/WzhQ6xXuxR9zmS44QQpQJBAOooirQJ1QZvlZGjR86Tu20VkPi1
uwPpi26de6wx4//T9uIWLyYpPDR+r9clCnwsnrCre7kjN6JNJZWIiZWNt3UCQQCo
fYoMIdBz2+k7mt/f5Zik/2VjNhkqi0Vgc4N+YjDKZTlFAQYap7iQ3YMGdAw6cxjq
o51Ixch2tDRmmA3U4YwdAkBY19AJj4ZwcyfjDs9z7gy4MQcJp+YVNcuTLEd6z5HK
5ECCSy5S0UPwwxleUPUIv/nNrAchTUt5UtlgQuO7arPX
-----END RSA PRIVATE KEY-----
Ok, agora que tenho isso, validei da seguinte maneira. TODAS AS CHAVES TÊM PERMISSÕES DE R/W PARA TODOS OS USUÁRIOS:
https://www.ssl247.com/kb/ssl-certificates/troubleshooting/certificate-matches-private-key
openssl x509 –noout –modulus –in example.dev.crt | openssl md5
openssl rsa –noout –modulus –in example.dev.key | openssl md5
openssl req -noout -modulus -in example.dev.csr | openssl md5
Estou no Ubuntu 20.04 e instalei a chave em /etc/ssl e /etc/haproxy:
http://gagravarr.org/writing/openssl-certs/others.shtml#selfsigned-openssl
$ cd /etc/ssl
$ ln -s example.dev.crt `openssl x509 -hash -noout -in example.dev.crt`.0
ajorona@ajorona-box/etc/haproxy$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Dec 8 17:55 errors
-rw-r--r-- 1 root root 1795 Dec 9 12:28 example.dev.pem
Agora meu arquivo haproxy.cfg tem as seguintes linhas:
bind *:443 ssl crt /etc/haproxy/example.dev.pem
redirect scheme https if !{ ssl_fc }
Eu valido meu haproxy.cfg:
ajorona@ajorona-box:~/server $ haproxy -c -f haproxy.cfg
[ALERT] 343/123930 (114320) : parsing [haproxy.cfg:29] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/example.dev.pem'.
[ALERT] 343/123930 (114320) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 343/123930 (114320) : Fatal errors found in configuration.
ajorona@ajorona-box:~/server $ sudo haproxy -c -f haproxy.cfg
[ALERT] 343/123933 (114444) : parsing [haproxy.cfg:29] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/example.dev.pem'.
[ALERT] 343/123933 (114444) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 343/123933 (114444) : Fatal errors found in configuration.
Passei um dia inteiro nisso, não consigo entender por que isso está acontecendo ...
Responder1
você administrou o problema do certificado. Obtenho o mesmo resultado, meus certificados existem e o acesso a eles também é aberto (sem restrições para o haproxy ler o diretório com SSL cets). Todos os certificados estão no formato PEM e contêm a chave crt. Qualquer ajuda é muito apreciada.