Having done the last SSL certificates on my and my customers domains about a year ago, I forgot the order in which the crt ca-bundle and key file are to be concatonated into the PEM file in order for haproxy to read it correctly.
I write this as both a reminder to myself for the next time I shall required to perform this operation:
The order is
- crt
- ca-bundle
- key
Meaning one can do simply:
cat <crtfile>.crt <ca-bundlefile>.ca-bundle <keyfile>.key > <mypemfile>.pem
Important!
make sure there are NO parts like the following:
I9U65mjp1vDlN39qqeyjLzv6GqljjX7N3yrGNndn7JLI9twKAB8awXu11Xn8nkdJ
SeS3mlrnZtCiImeeeATEDjXsYTzu05lJNPZzV1pOI6ZJLuxS7uT/LABrlE7SOqb5
7PLgdjOMkQiF/igA5Qn1aY2DSwRu+5p0t6ZcPI+qSA1Q7wJ0GzaMng==
—–END CERTIFICATE———-BEGIN CERTIFICATE—–
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
This will fail on loading the certificate, use VI to change it to:
I9U65mjp1vDlN39qqeyjLzv6GqljjX7N3yrGNndn7JLI9twKAB8awXu11Xn8nkdJ
SeS3mlrnZtCiImeeeATEDjXsYTzu05lJNPZzV1pOI6ZJLuxS7uT/LABrlE7SOqb5
7PLgdjOMkQiF/igA5Qn1aY2DSwRu+5p0t6ZcPI+qSA1Q7wJ0GzaMng==
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
to test the PEM file you created use:
openssl x509 -noout -text -in <pemfile>.pem
The output should be a readable certificate and not an error.