haproxy does not start anymore, it shows the error:
bind :443' : unable to load SSL private key from PEM file ...
We did not change a
The problem I was running into on CentOS was that SELinux was getting in the way. To test if SELinux is the problem, execute the following as root: setenforce 0, then try restarting haproxy. If it works, there is an SELinux problem. (You can re-enable SELinux now and try to fix the underlying problem with the command setenforce 1).
Since I have the certificates in the folder /etc/haproxy/certificates, the following command worked to get the right permissions on the files: restorecon -v -R /etc/haproxy (depending on your OS and SELinux config this may or may not work).
For me the problem was caused by this line in the combined PEM file:
-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----
After I split it I could start HAProxy and load it OK:
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
I'd like to add, for people who join here and have the same issue, that you have to keep your intermediate certificates in the chain as well... So if you have a chain with some layers, don't only take the root CA but also the intermediate certificates into your PEM file.
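
A pre-flight check for the two PEM problems described in the answers above (glued boundary markers and a missing chain), as an added example that is not part of the original answers. The names check_pem and make_samples and the sample files are hypothetical, and the sample bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: lint a combined PEM file before haproxy loads it.
# Text checks only; nothing is validated cryptographically.

check_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "ERROR: cannot read $pem"; return 1; }
    rc=0
    # A BEGIN/END marker must be the only thing on its line. A glued
    # "-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----" fails this.
    bad=$(grep -n -E -e '-----(BEGIN|END) ' "$pem" |
          grep -v -E '^[0-9]+:-----(BEGIN|END) [A-Z0-9 ]+-----[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "ERROR: malformed PEM boundary line(s):"
        echo "$bad"
        rc=1
    fi
    # Count blocks the way a PEM reader finds them: marker at line start.
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    keys=$(grep -c -E -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || true)
    [ "$certs" -ge 1 ] || { echo "ERROR: no certificate block"; rc=1; }
    [ "$keys" -eq 1 ] || { echo "ERROR: expected 1 private key block, found $keys"; rc=1; }
    # A single certificate is legal, so this is only a warning.
    [ "$certs" -ge 2 ] || echo "WARN: $certs certificate block(s); intermediates missing?"
    return $rc
}

# Constructed sample files (placeholder bodies).
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE----------BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$dir/glued.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$dir/fixed.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in glued fixed; do
    echo "== $f.pem"
    if check_pem "$tmp/$f.pem"; then echo "OK"; else echo "REJECTED"; fi
done
rm -rf "$tmp"
```

A file that passes can still be refused by haproxy for reasons this check does not see, such as the SELinux context from the first answer or a key that does not match the certificate.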