haproxy
Ability to add key file path in crt-list file
Your Feature Request
Hi, first of all thank you for haproxy, it's really awesome! I'd like to have the ability to add a certificate key file in the crt-list file, i.e.:
haproxy.cfg:
bind :443 ssl crt-list /etc/haproxy/crt-list.txt ssl-min-ver TLSv1.2 no-tls-tickets alpn h2,http/1.1
crt-list.txt:
/etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/domain.com/privkey.pem
It would really help to simplify the certbot certificate renewal process (at the moment I need to concatenate fullchain.pem and privkey.pem).
What are you trying to do?
I'm using certbot with haproxy for multiple domains (> 10), each with a different certificate and private key.
Output of haproxy -vv
haproxy -vv
HA-Proxy version 1.8.19-1+deb10u3 2020/08/01
Copyright 2000-2019 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-OkbS59/haproxy-1.8.19=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-null-dereference -Wno-unused-label
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
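The workaround the request describes (concatenating certbot's fullchain.pem and privkey.pem into one PEM per domain for the crt-list), as an added deploy-style script that is not part of the issue or of the HAProxy project. The only layout it assumes is certbot's `live/<domain>/` directory; the output directory and crt-list path are arguments, and the placeholder PEM bodies in `demo` are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not code from the issue or from the HAProxy project.
# Builds the single PEM file HAProxy's crt-list expects (certificate chain
# followed by the private key) from certbot's separate fullchain.pem and
# privkey.pem, and regenerates crt-list.txt. The only assumed layout is
# certbot's LIVE_DIR/<domain>/{fullchain,privkey}.pem; other paths are arguments.
set -eu

# build_bundles LIVE_DIR OUT_DIR CRT_LIST  -> prints the number of bundles written
build_bundles() (            # subshell body, so the umask below stays local
    live_dir=$1 out_dir=$2 crt_list=$3
    umask 077                # bundles hold private keys: never world-readable
    mkdir -p "$out_dir"
    tmp_list=$(mktemp "$(dirname "$crt_list")/.crt-list.XXXXXX")
    count=0
    for d in "$live_dir"/*/; do
        d=${d%/}; domain=$(basename "$d")
        # A directory missing its key is skipped rather than bundled half-way
        [ -r "$d/fullchain.pem" ] && [ -r "$d/privkey.pem" ] || continue
        tmp=$(mktemp "$out_dir/.$domain.XXXXXX")
        cat "$d/fullchain.pem" "$d/privkey.pem" > "$tmp"
        chmod 0600 "$tmp"
        mv -f "$tmp" "$out_dir/$domain.pem"   # atomic: never serve a half-written file
        printf '%s\n' "$out_dir/$domain.pem" >> "$tmp_list"
        count=$((count + 1))
    done
    mv -f "$tmp_list" "$crt_list"
    echo "$count"
)

# demo WORK_DIR: constructed sample tree with placeholder PEM bodies (not real
# keys); prints the bundle count, 2 here because the third domain has no key.
demo() {
    t=$1
    for dom in a.example b.example; do
        mkdir -p "$t/live/$dom"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "cert-$dom" '-----END CERTIFICATE-----' > "$t/live/$dom/fullchain.pem"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' "key-$dom" '-----END PRIVATE KEY-----' > "$t/live/$dom/privkey.pem"
    done
    mkdir -p "$t/live/nokey.example"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cert-nokey' '-----END CERTIFICATE-----' > "$t/live/nokey.example/fullchain.pem"
    build_bundles "$t/live" "$t/haproxy-certs" "$t/crt-list.txt"
}

# Real use: build_bundles /etc/letsencrypt/live /etc/haproxy/certs /etc/haproxy/crt-list.txt
if [ $# -eq 3 ]; then build_bundles "$@"; else demo "$(mktemp -d)"; fi
```

Run it as a certbot deploy hook and reload HAProxy afterwards; because each bundle is replaced with mv, a reload never picks up a partially written file.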
This is already planned and part of a bigger restructuring. However for compatibility reasons there will be a "key" keyword to use in the crt-list.
Hi, the key keyword is ok, thank you :)
Hi,
is this implemented already? It's been asked for at least 3 years. Coming from apache/nginx/others I am able to define
cert /path/cert.crt-pem-xxx chain /path/chain.crt-pem-xxx key /path/key.key
I would have to rewrite my ansible roles for the certificate setup completely just for the haproxy role.