What's the correct way to chain certificates to be used with HAProxy?


Situtation: I’ve an haproxy beetween outside world and the server.

The server itself got a letsencrypt certicate and it’s ok when directly exposed to internet (i mean, when router forward 443 to server’s 443)

To handle the need of haproxy, I’m trying to understand what to ‘chain’. Sorry if it is not the right term, explain me right ones, kindly.

This is what I am doing now.

cat /etc/letsencrypt/live/www.example.com/privkey.pem 
    /etc/letsencrypt/live/www.example.com/fullchain.pem | 
tee /etc/letsencrypt/live/www.example.com/combined.pem

Then I copied the combined.pem into haproxy and configured haproxy to use this files

bind *:443 ssl crt /etc/ssl/private/www.example.com/combined.pem

I used an online checker pointing to publicip:443, so was haproxy responding
Online checker approved it and see the chain.

I’d like just a confirm if it is right.


Yes, you got it right.

I usually use this line:

bind :::443 v4v6 ssl crt /var/lib/acme/live/example.org/haproxy alpn h2,http/1.1

The haproxy file is formatted as:


acmetool automatically generates the haproxy combined certificate, unlike Certbot.

If you do stick to Certbot, make sure you have a deploy hook which combines the certificate and reloads haproxy, otherwise haproxy will not be updated at renewal time.


Thanks for replying.

Could you explain the goal/meaning of the last part ?

alpn h2,http/1.1


Sure. If you’ve got haproxy 1.8 or higher, it enables HTTP/2 for compatible browsers (which is most of them).


I’ll check if my lighttpd instance supports it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.