
haproxy: inconsistencies between private key and certificate loaded from PEM file

Tags:

ssl

haproxy

I am trying to use a certificate signed for another server. I have both the private key and the certificate.

My PEM file order is:

subject=/C=***/L=*****/O=**********/CN=*********
issuer=/C=***/O=*****Inc/CN=********Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=******** Inc/CN=********* SHA2 Secure Server CA
issuer=/C=US/O=********* Inc/OU=*********/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=********* Inc/OU=***********/CN=*********** Global Root CA
issuer=/C=US/O=********* Inc/OU=************/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

When I tried to deploy it to my haproxy, I got this error.

[ALERT] 188/141626 (2322) : parsing [/etc/haproxy/haproxy.cfg:32] : 'bind *:443' : inconsistencies between private key and certificate loaded from PEM file ................
[ALERT] 188/141626 (2322) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 188/141626 (2322) : Proxy 'www-https': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:32] (use 'crt').
[ALERT] 188/141626 (2322) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

And my haproxy version is:

HA-Proxy version 1.5.2 2014/07/12
Copyright 2000-2014 Willy Tarreau <[email protected]>

I can start my haproxy with a self-signed cert. Why does this inconsistency occur? I am sure that the private key belongs to the certificate.

I've been trying for hours now but I cannot find the reason.

Please help! Thank you!

Ufuk Yürük asked Jul 08 '15 11:07


1 Answer

The order of the certificates in your file is wrong. It seems you are putting the intermediate certificate (i.e. Secure Server CA) first, which is thus expected to be the server certificate. The order of the certificates needs to be:

  • server certificate
  • server private key (without any password)
  • intermediate certificate 1
  • intermediate certificate 2

It's actually not that important where you put the private key. However, the order of the certificates strictly needs to be ordered from leaf to root, i.e. first the server certificate, then the intermediate, then its parent. Basically, you put the server certificate first, then its signer, then its signer, ...

For more information, please refer to the documentation.

Holger Just answered Oct 31 '22 19:10
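
An added example, not part of the original answer or of HAProxy: a Python script that takes a bundle annotated with subject=/issuer= lines, as in the question's file, and rebuilds it in the order the answer gives (server certificate, private key, intermediates). It chains by subject and issuer name only and does not verify signatures or that the key matches the leaf; the sample bundle, its names and the function names are constructed for illustration.

```python
import re

# Constructed sample (placeholder names and bodies, not real certificates or keys):
# the intermediate is listed first, the layout the answer describes as wrong.
SAMPLE = """\
subject=/C=US/O=Example CA Inc/CN=Example Secure Server CA
issuer=/C=US/O=Example CA Inc/CN=Example Global Root CA
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
subject=/C=US/O=Example Org/CN=www.example.test
issuer=/C=US/O=Example CA Inc/CN=Example Secure Server CA
-----BEGIN CERTIFICATE-----
REVG
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
R0hJ
-----END RSA PRIVATE KEY-----
"""

# One PEM block, optionally preceded by its subject=/issuer= annotation lines.
BLOCK = re.compile(
    r"(?:subject=(?P<subject>[^\n]*)\n)?(?:issuer=(?P<issuer>[^\n]*)\n)?"
    r"(?P<pem>-----BEGIN (?P<kind>[A-Z ]+)-----\n.*?-----END (?P=kind)-----\n?)",
    re.S)

def leaf_to_root(certs):
    """Order certificates by following issuer -> subject links from the leaf."""
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    by_subject = {c["subject"]: c for c in certs}
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:  # stop at a self-signed root
        chain.append(cur)
        cur = by_subject.get(cur["issuer"])
    return chain

def reorder(text):
    """Return (labels, pem) ordered: server cert, private key, intermediates."""
    blocks = [m.groupdict() for m in BLOCK.finditer(text)]
    certs = [b for b in blocks if b["kind"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["kind"].endswith("PRIVATE KEY")]
    if any(c["subject"] is None or c["issuer"] is None for c in certs):
        raise ValueError("certificate without subject=/issuer= annotation")
    chain = leaf_to_root(certs)
    ordered = chain[:1] + keys + chain[1:]
    return [b["subject"] or b["kind"] for b in ordered], "".join(b["pem"] for b in ordered)
```

`reorder(SAMPLE)` returns the block labels in their new order together with the rebuilt PEM text, with the annotation lines dropped.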