In /var/log/syslog I find during startup of haproxy:
No Private Key found in '/etc/letsencrypt/live/www.mydomain.org/fullchain.pem.key
Did you follow a guide to install that cert into HAProxy?
Have you searched their community forum?
HAProxy - (reddit.com)
It used to work in my previous system but recently I migrated to a newer version of Ubuntu/server.
I'm subscribed to haproxy@formilux.org. Could of course ask there.
Review your notes.
I don't use HAProxy; but from the error message, it seems like you may need to:
That may be your best bet.
This forum is more for help with all things related to getting and renewing certs.
It doesn't look like you are having any trouble with any of that.
Thanks for looking it up for me.
Actually this is odd and requires extra scripting after certbot renewal.
And in addition it seems dangerous exposing my private key to an application. Who knows who can peek into memory and read out my private key.
Every process that encrypts must have the private key to do so.
Do you have any notes from the previous use?
I only have the line in the config file, which clearly shows that I was just using the fullchain.
bind *:443 ssl crt /etc/letsencrypt/live/www.mydomain.org/fullchain.pem
What was in the previous working system?
OR
Has this never worked?
If this ever did work, then you must have combined the key with the cert and fed that to HAProxy.
FYI: The fullchain.pem file doesn't include the key - it never has.
Actually I'm not sure now. I will revise the whole process of setting up the configuration.
Thanks for helping here.
I solved the issue:
I created an /etc/letsencrypt/renewal-hooks/post/haproxy containing the lines:
#!/bin/sh
# Write the certificate chain first, then append the private key:
# HAProxy expects both in the single file named by "crt".
cat /etc/letsencrypt/live/www.mydomain.org/fullchain.pem > /etc/haproxy/fullchain.pem
cat /etc/letsencrypt/live/www.mydomain.org/privkey.pem >> /etc/haproxy/fullchain.pem
echo "ssl file for haproxy updated"
And in haproxy.cfg I have:
bind *:443 ssl crt /etc/haproxy/fullchain.pem crt ssl-skip-self-issued-ca
You might want to use the /etc/letsencrypt/renewal-hooks/deploy directory.
Note that all certificates will make use of this script. It's also possible to use the --deploy-hook
Certbot option to use the script for specific certificates.
Using --deploy-hook (or the corresponding directory) also gives you the option to use the RENEWED_LINEAGE environment variable inside the script instead of hardcoding the lineage (=certificate) path.
See the User Guide — Certbot 2.6.0 documentation for information about --deploy-hook et cetera.
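As an added example (not the poster's script and not Certbot's or HAProxy's own code), here is what the deploy hook suggested above can look like when it uses RENEWED_LINEAGE instead of a hardcoded path, writes the combined PEM atomically with mode 0600 so the private key is never world-readable, and checks the chain-then-key ordering before HAProxy is reloaded. The output directory /etc/haproxy/certs, the systemd reload command, and the helper names are assumptions; the PEM contents created by make_sample_lineage are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example of a certbot deploy hook for HAProxy (assumed layout, not the thread's script).
set -eu

# build_haproxy_pem LINEAGE_DIR OUTPUT_FILE
# Concatenates fullchain.pem followed by privkey.pem (the order HAProxy's "crt" expects)
# into OUTPUT_FILE. The file is built in a 0600 temp file and renamed into place, so a
# reload never sees a half-written file and the key is never readable by other users.
build_haproxy_pem() {
  lineage="$1"
  out="$2"
  [ -r "$lineage/fullchain.pem" ] || { echo "missing fullchain.pem in $lineage" >&2; return 1; }
  [ -r "$lineage/privkey.pem" ]   || { echo "missing privkey.pem in $lineage" >&2; return 1; }
  tmp="$(mktemp "$(dirname "$out")/.haproxy-pem.XXXXXX")"   # mktemp creates it 0600
  cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
  chmod 0600 "$tmp"
  mv -f "$tmp" "$out"
}

# verify_haproxy_pem FILE
# Returns 0 only if FILE contains a CERTIFICATE block and a PRIVATE KEY block and the
# first certificate precedes the key; anything else would reproduce the
# "No Private Key found" startup error from the thread.
verify_haproxy_pem() {
  grep -q 'BEGIN CERTIFICATE' "$1" || return 1
  grep -q 'PRIVATE KEY' "$1" || return 1
  cert_line="$(grep -n 'BEGIN CERTIFICATE' "$1" | head -n 1 | cut -d: -f1)"
  key_line="$(grep -n 'PRIVATE KEY' "$1" | head -n 1 | cut -d: -f1)"
  [ "$cert_line" -lt "$key_line" ]
}

# make_sample_lineage DIR
# Creates a constructed, offline stand-in for a certbot lineage directory. The
# PEM bodies are placeholders, not real key material.
make_sample_lineage() {
  mkdir -p "$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
                > "$1/fullchain.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' \
                > "$1/privkey.pem"
}

# When certbot invokes this as a deploy hook, RENEWED_LINEAGE is set to the lineage
# directory (e.g. /etc/letsencrypt/live/www.mydomain.org). Only then touch HAProxy.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  out="/etc/haproxy/certs/$(basename "$RENEWED_LINEAGE").pem"   # assumed target path
  build_haproxy_pem "$RENEWED_LINEAGE" "$out"
  verify_haproxy_pem "$out"
  systemctl reload haproxy   # assumes systemd; adjust for your init system
  echo "ssl file for haproxy updated from $RENEWED_LINEAGE"
fi
```

Dropping the script into /etc/letsencrypt/renewal-hooks/deploy/ (or passing it with --deploy-hook) makes certbot run it only after a successful renewal, once per renewed lineage, so one copy serves every certificate without editing paths. Because HAProxy loads its certificates before dropping privileges, the combined file can stay readable by root only.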