Configuring an SSL Certificate on a HAProxy Load Balancer

We recently started using new load balancers running HAProxy. It was a bit of a learning curve for me, as I think of myself as more of a Windows admin!

We do a lot of hosting, so generating an SSL certificate is a common request. Prerequisites for this solution are PuTTY and WinSCP.

1. SSH to the HAProxy server using PuTTY.

2. Enter the following command to generate the private key and the CSR file:

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout yourdomain.key -out yourdomain.csr

3. You will be prompted to enter information about the cert.


4. At this point you might want to check your CSR to make sure you didn't make any mistakes. I made a typo once, and this caused me some issues down the line!

openssl req -text -noout -verify -in yourdomain.csr


5. Next, cat the contents of the file to the screen.

cat yourdomain.csr

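Steps 2 to 5 as a script, added here as an example rather than anything from the original post. It passes the subject on the command line with -subj instead of answering the prompts (so the Common Name cannot be mistyped at the keyboard), creates the key readable by its owner only, and then runs the same checks the post describes plus one more: that the CSR really was built from the key you are about to keep. The domain, the subject fields and the temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key and CSR
# non-interactively, then check the CSR before sending it to the CA.
# Domain, subject fields and directory are constructed placeholders.

set -u

# gen_csr DOMAIN DIR: create DIR/DOMAIN.key and DIR/DOMAIN.csr. The -subj string
# replaces the interactive prompts. umask 077 makes the key owner-readable only.
gen_csr() {
  domain=$1; dir=$2
  (
    umask 077
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
      -subj "/C=GB/ST=London/L=London/O=Example Hosting Ltd/CN=${domain}" \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
  )
}

# check_csr CSR: returns 0 when the CSR parses and its self-signature verifies
# (the same check as "openssl req -text -noout -verify" in the post).
check_csr() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# csr_cn CSR: print the Common Name so it can be compared with the intended
# hostname; handles both the "/CN=" and "CN = " subject formats openssl prints.
csr_cn() {
  openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_csr KEY CSR: the CSR must have been built from this key, otherwise
# the certificate the CA returns will not match the key HAProxy loads.
key_matches_csr() {
  k=$(openssl rsa -noout -modulus -in "$1") || return 1
  c=$(openssl req -noout -modulus -in "$2") || return 1
  [ "$k" = "$c" ]
}

# Worked run: generate, then review the CSR before copying it to the CA.
demo() {
  dir=$(mktemp -d)
  gen_csr www.example.com "$dir" || return 1
  check_csr "$dir/www.example.com.csr" || { echo "CSR failed verification" >&2; return 1; }
  echo "CSR common name: $(csr_cn "$dir/www.example.com.csr")"
  key_matches_csr "$dir/www.example.com.key" "$dir/www.example.com.csr" \
    && echo "private key matches CSR"
  ls -l "$dir/www.example.com.key"      # should show -rw------- (owner only)
  cat "$dir/www.example.com.csr"        # this is what goes to the CA
}

demo
```

The modulus comparison is the check worth keeping around: when a CSR is regenerated after a typo, it is easy to end up submitting the new CSR while keeping the old key, and the mismatch only shows up when HAProxy refuses to load the .pem.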

6. Copy the contents and use them to request a certificate from a public CA. I used Comodo, but you can use any public CA.

7. Once you have received your certificate back from the CA, copy the files to the load balancer using WinSCP. Copy the files to your home directory.

8. The next step is to combine all the relevant files into a .pem file. The file needs to contain the private key, the certificate and the CA bundle (or the individual intermediate and root certificates).

It is vital that the .pem file contains all the required certificates in the correct order. The order is as follows:

-----BEGIN RSA PRIVATE KEY-----
(Your private key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

cat yourdomain.key >> yourdomain.pem
cat yourdomain.crt >> yourdomain.pem
cat yourdomain.ca-bundle >> yourdomain.pem

9. Check the PEM file is working by running the following command:

openssl verify yourdomain.pem

The command should return some information about the certificate. If it returns an error, you know something is wrong!

10. Next we need to copy the file to the following location: /etc/haproxy/certs

sudo mv /home/yourusername/yourdomain.pem /etc/haproxy/certs

11. The final step is to edit the HAProxy config file. We need to bind a new IP address on port 443 to our certificate .pem file on the frontend of the load balancer.

cd /etc/haproxy
ls -lh

You can take a look at the config first to familiarize yourself:

cat haproxy.cfg

As best practice, back up the haproxy.cfg file first so that you can easily restore it after an error:

sudo cp haproxy.cfg haproxy{INSERT DATE HERE}.cfg

To restore, copy the backup back over the live file:

cp haproxy14102015.cfg haproxy.cfg

To edit, use the vi editor:

sudo vi haproxy.cfg

Type i to enter insert mode.

When finished, press Esc, then type :wq to save and quit.

I inserted the following line:

bind            10.0.0.1:443 ssl crt /etc/haproxy/certs/mydomain.pem


Before the changes take effect you have to restart the HAProxy service. To be safe, it's best to verify your config file before you reload, or the load balancer might not start!

haproxy -f /etc/haproxy/haproxy.cfg -c


Now we can restart:

sudo service haproxy restart
sudo service haproxy status

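The edit, check and restart part of step 11 as a script, added as an example and not taken from the original post. It backs up haproxy.cfg with a date stamp in the post's naming style, installs the edited file, runs a check on it and automatically restores the backup if the check fails, so a bad edit never stays in place. Two checks are shown: the post's haproxy -c syntax check, and a cheap offline one that confirms every "ssl crt" path on a bind line points at a readable .pem, which is what haproxy -c would complain about after the cert has been moved to the wrong place. The sample config and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): back up, edit, check and roll back
# haproxy.cfg safely. Sample config and paths are constructed; HAProxy itself is
# only needed for the real "haproxy -c" check.

set -u

# check_haproxy CFG: the syntax check the post runs before restarting.
check_haproxy() {
  haproxy -f "$1" -c
}

# check_bind_certs CFG: every "bind ... ssl crt <file>" must point at a readable
# .pem. A wrong path here is a common reason the check fails after adding HTTPS.
check_bind_certs() {
  status=0
  for f in $(sed -n 's/^[[:space:]]*bind .* crt \([^[:space:]]*\).*/\1/p' "$1"); do
    [ -r "$f" ] || { echo "certificate not readable: $f" >&2; status=1; }
  done
  return $status
}

# install_cfg DIR NEW CHECK: back up DIR/haproxy.cfg as haproxyDDMMYYYY-HHMMSS.cfg,
# copy NEW over it, run CHECK on the result and restore the backup on failure.
# Prints the backup path on success.
install_cfg() {
  dir=$1; new=$2; check=$3
  backup="$dir/haproxy$(date +%d%m%Y-%H%M%S).cfg"
  cp "$dir/haproxy.cfg" "$backup" || return 1
  cp "$new" "$dir/haproxy.cfg" || return 1
  if "$check" "$dir/haproxy.cfg"; then
    echo "$backup"
    return 0
  fi
  cp "$backup" "$dir/haproxy.cfg"
  echo "check failed, restored $backup" >&2
  return 1
}

# write_sample DIR PEMPATH: constructed sample, the existing HTTP frontend and
# the same frontend with the HTTPS bind line from the post added.
write_sample() {
  cat > "$1/haproxy.cfg" <<EOF
frontend www
    bind 10.0.0.1:80
    default_backend web
EOF
  cat > "$1/new.cfg" <<EOF
frontend www
    bind 10.0.0.1:80
    bind 10.0.0.1:443 ssl crt $2
    default_backend web
EOF
}

demo() {
  dir=$(mktemp -d)
  touch "$dir/mydomain.pem"
  write_sample "$dir" "$dir/mydomain.pem"
  if backup=$(install_cfg "$dir" "$dir/new.cfg" check_bind_certs); then
    echo "installed; backup kept at $backup"
    # On the load balancer the check would be check_haproxy, followed by
    #   sudo service haproxy reload   (or restart, as in the post)
  fi
}

demo
```

On the load balancer itself, call install_cfg /etc/haproxy new.cfg check_haproxy; if the syntax check fails the previous config is already back in place, so the service keeps running with the old file until the edit is fixed.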

At this point I like to back up the haproxy.cfg file and the certificate .pem.

You should now be done! Make sure you test that SSL functions as expected:

https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/

Useful page with configuration and troubleshooting commands:

https://www.sslshopper.com/article-most-common-openssl-commands.html

2 comments on "Configuring an SSL Certificate on a HAProxy Load Balancer"
  1. […] This article explains in more detail that the order should be the following… […]

  2. pranav says:

    Thank you so much. Exactly what I needed.
