OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: abraxxa on April 03, 2017, 10:14:51 pm

Title: [17.1.4] haProxy certificate file error
Post by: abraxxa on April 03, 2017, 10:14:51 pm
I had to reinstall my firewall because the OCZ Vertex 3 SSD lost its SATA connection every few days.
The Samsung 850 Evo I had in the box before, using Sophos XG, worked and works flawlessly.
After restoring the backup haProxy didn't start, and when starting it on the CLI it turned out it logs the following error:
Code:
[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:37] : 'bind 1.2.3.4:443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : parsing [/usr/local/etc/haproxy.conf:56] : 'bind 1.2.3.4:4443' : unable to load SSL private key from PEM file '/var/etc/haproxy/ssl/58924ec1d2166.pem'.
[ALERT] 092/220547 (13988) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 092/220547 (13988) : Proxy 'fqdn_A': no SSL certificate specified for bind '1.2.3.4:443' at [/usr/local/etc/haproxy.conf:37] (use 'crt').
[ALERT] 092/220547 (13988) : Proxy 'fqdn_B': no SSL certificate specified for bind '1.2.3.4:4443' at [/usr/local/etc/haproxy.conf:56] (use 'crt').
[ALERT] 092/220547 (13988) : Fatal errors found in configuration.

This comes from the following line in the generated pem file:
Code:
-----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----
When I put in a linefeed in between, haproxy starts, but the pem file is overwritten each time I start haproxy from the WebUI.

What made troubleshooting hard is the fact that those errors aren't shown in the WebUI haProxy log.
Title: Re: [17.1.4] haProxy certificate file error
Post by: abraxxa on April 03, 2017, 10:24:13 pm
Although I've read the Development Manual for the second time now, I can't find any info on how to contribute  :(
The fix is to change line 80 in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php to:
Code:
$pem_content .= "\n" . $ca;
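The error report and the one-line fix above both come down to PEM block boundaries: the private key ends with `-----END RSA PRIVATE KEY-----` and, without a newline before `-----BEGIN CERTIFICATE-----`, the TLS library no longer sees a valid key block in the file HAProxy's `crt` points at. The following Python is an added example, not OPNsense, HAProxy or exportCerts.php code: `build_bundle_buggy` only models the failure mode (CA chain appended with no separator), the PEM bodies are constructed placeholders, and `check_bundle`/`repair_bundle` are hypothetical helpers showing how to catch and fix a fused marker before restarting HAProxy.

```python
"""Build and check a HAProxy-style PEM bundle (certificate, private key, CA chain).

Added example, not OPNsense or HAProxy code. It models the failure from the
thread: when PEM blocks are concatenated without a separating newline, the
END marker of one block fuses with the BEGIN marker of the next, the private
key is no longer a well-formed PEM block, and HAProxy reports "unable to load
SSL private key from PEM file".
"""
import re

# Constructed placeholder PEM material: the bodies are not real keys or
# certificates, only the BEGIN/END block structure matters here.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
CA = "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----"

# A well-formed PEM block: BEGIN line, base64 body lines, matching END line,
# each on its own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n((?:[A-Za-z0-9+/=]+\n)+)-----END \1-----$",
    re.MULTILINE,
)
# An END marker immediately followed by a BEGIN marker on the same line.
FUSED = re.compile(r"(-----END [A-Z ]+-----)(-----BEGIN )")


def build_bundle_buggy(cert, key, ca):
    """Models the pre-fix export (hypothetical, not the script's code): the CA
    chain is appended straight after the key with no separator, which is what
    the thread's fix of prepending "\\n" to $ca addresses."""
    return cert + "\n" + key + ca


def build_bundle(blocks):
    """Correct export: every block is normalised to end with exactly one
    newline before the next block starts, whatever the input looked like."""
    return "".join(block.strip() + "\n" for block in blocks)


def parse_blocks(pem):
    """Return [(label, body)] for every well-formed block. A block whose END
    marker runs into the next BEGIN marker does not match and is dropped,
    which is how the key 'disappears' for the TLS library."""
    return [(m.group(1), m.group(2).replace("\n", "")) for m in PEM_BLOCK.finditer(pem)]


def fused_marker_lines(pem):
    """1-based numbers of lines where an END marker is fused to a BEGIN marker."""
    return [n for n, line in enumerate(pem.splitlines(), 1) if FUSED.search(line)]


def has_private_key(pem):
    return any(label.endswith("PRIVATE KEY") for label, _ in parse_blocks(pem))


def repair_bundle(pem):
    """What the reporter did by hand: insert the missing newline between a
    fused END/BEGIN pair. A one-off fix for a file that was already written."""
    return FUSED.sub(r"\1\n\2", pem)


def check_bundle(pem):
    """Pre-flight check before handing a bundle to HAProxy's 'crt': returns a
    list of human-readable problems (empty list means the bundle looks sane)."""
    problems = [f"line {n}: END marker fused with next BEGIN marker"
                for n in fused_marker_lines(pem)]
    labels = [label for label, _ in parse_blocks(pem)]
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block found")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block found")
    return problems


if __name__ == "__main__":
    bad = build_bundle_buggy(CERT, KEY, CA)
    print("buggy bundle :", check_bundle(bad))
    print("repaired     :", check_bundle(repair_bundle(bad)))
    print("correct build:", check_bundle(build_bundle([CERT, KEY, CA])))
```

Run against a bundle exported with intermediate CAs, `check_bundle` reports the fused line number and the missing key before HAProxy ever parses the file, which is the check the WebUI log did not surface in the thread. `build_bundle` strips and re-terminates every block, so it also tolerates input blocks that already carry one or several trailing newlines.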
Title: Re: [17.1.4] haProxy certificate file error
Post by: fraenki on April 04, 2017, 11:23:02 am
Quote from: abraxxa on April 03, 2017, 10:24:13 pm
The fix is to change line 80 in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php to:
Code:
$pem_content .= "\n" . $ca;

Thanks for reporting this issue! Although I can't reproduce it with any of my certificates, I've prepared a fix for the next release:
https://github.com/opnsense/plugins/pull/110

Quote from: abraxxa on April 03, 2017, 10:24:13 pm
Although I've read the Development Manual for the second time now, I can't find any info on how to contribute  :(

While the development manual provides valuable in-depth information, it's actually quite simple:
- fork the repo on github (in this case: opnsense/plugins)
- commit your changes to the fork
- open a pull request

Regards
- Frank
Title: Re: [17.1.4] haProxy certificate file error
Post by: abraxxa on April 04, 2017, 11:52:29 am
Thanks Frank!
It only affects certificate chains with intermediate CAs as far as I can tell.
Regarding contributing, the github fork/pull-request process should be added to the manual.