Haproxy wants privkey in fullchain.pem.key

In /var/log/syslog I find during startup of haproxy:

No Private Key found in '/etc/letsencrypt/live/www.mydomain.org/fullchain.pem.key

Did you follow a guide to install that cert into HAProxy?

Have you searched their community forum?
HAProxy - (reddit.com)


It used to work in my previous system but recently I migrated to a newer version of Ubuntu/server.

I'm subscribed to haproxy@formilux.org. Could of course ask there.

1 Like

Review your notes.
I don't use HAProxy; But from the error message, it seems like you may need to:

  • change the way HAProxy uses the cert
  • combine the cert with the key [into a new file and use that instead]

That may be your best bet.

This forum is more for help with all things related to getting and renewing certs.
It doesn't look like you are having any trouble with any of that.


Redirect HTTP to HTTPS in a Few Easy Steps with HAProxy


Thanks for looking it up for me.
Actually this is odd and requires extra scripting after certbot renewal.
And in addition it seem dangerous exposing my private key to an application. Who knows who can peek into memory and read out my private key.

Every process that encrypts must have the private key to do so.

Do you have any notes from the previous use?


I only have the line in the config file, which clearly show that I was just using
the fullchain.

 bind *:443 ssl crt /etc/letsencrypt/live/www.mydomain.org/fullchain.pem

What was in the previous working system?


Has this never worked?
If this ever did work, then you must have combined the key with the cert and fed that to HAProxy.

FYI: The fullchain.pem file doesn't include the key - it never has.


Actually I'm not sure now. I will revise the whole process of setting up the configuration.
Thanks for helping here.


I solved the issue:

I created an /etc/letsencrypt/renewal-hooks/post/haproxy containing the

cat /etc/letsencrypt/live/www.mydomain.org/fullchain.pem > /etc/haproxy/fullchain.pem
cat /etc/letsencrypt/live/www.mydomain.org/privkey.pem >> /etc/haproxy/fullchain.pem

echo "ssl file for haproxy updated"

And in haproxy.cfg I have:

bind *:443 ssl crt /etc/haproxy/fullchain.pem crt ssl-skip-self-issued-ca
1 Like

You might want to use the /etc/letsencrypt/renewal-hooks/deploy directory.

Note that all certificates will make use of this script. It's also possible to use the --deploy-hook Certbot option to use the script for specific certificates.

Using --deploy-hook (or the corresponding directory) also gives you the option to use the RENEWED_LINEAGE environment variable inside the script instead of hardcoding the lineage (=certificate) path.

See the User Guide — Certbot 2.6.0 documentation for information about --deploy-hook et cetera.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.