Let's Encrypt and haproxy.cfg



  • Hi, I have a big problem:
    I created many certificates on pfSense for many domains.
    Now pfSense said "line too long, truncating at word 65, position 1439".
    I understand that I have to edit haproxy.cfg, but how?
    Can you help?
    Great work,
    Alex



  • Editing haproxy.cfg is not really possible; it will be overwritten the next time the webgui makes a change. But I do wonder, how exactly are you configuring the haproxy frontend?

    The 'additional' certificates should simply end up in a directory and be loaded from there. Since they are not mentioned in the haproxy.cfg, this should allow for a lot of certificates to be loaded.
    Do you have lots of shared frontends with a certificate for each?

    Another option could be to have multiple domain names in 1 certificate.. But maybe that's not desirable..



  • Hi, PiBa!! Thanks for your reply!!!
    We have 2 frontends for every domain in https: 1 for https and another for the http redirect.
    When we try to add a new https in the frontend list, an alert shows a fatal error at the bind line:

    --------------
    Errors found while starting haproxy
    [ALERT] 326/103051 (68082) : parsing [/var/etc/haproxy_test/haproxy.cfg:431]: line too long, truncating at word 65, position 1439: .
    [ALERT] 326/103051 (68082) : parsing [/var/etc/haproxy_test/haproxy.cfg:431] : 'bind xxx.xxx.xxx.xxx:443' : 'crt' : missing certificate location
    [ALERT] 326/103051 (68082) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] 326/103051 (68082) : Fatal errors found in configuration.
    --------------

    The bind line becomes too long and the last ".pem" path is truncated. It seems that the bind line can't be longer than 1439 characters...
    Is there a way to divide the bind line into more rows, with the right syntax?



  • With the current haproxy package you should probably disable the offloading and certificate selection on the shared frontends and add the certificates to the 'primary' frontend as 'additional'..
    The downside of that is that you can't use the automatically added acl's anymore.. But the upside is that it might actually be easier to manage.. You could define multiple acl's+actions in the primary frontend to point to the secondary backends/domains. This might in the end work out nicer..

    The length of the line does not seem to be the problem; it's the number of 'words' > 64 .. And I have not found a way to split multiple certs for 1 bind over different lines.. It seems using a directory with certificates is the generally accepted solution for this.. The shared frontend 'primary' certificate does however not use that method currently..

    I'll try and see if that can be changed/fixed..
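A small checker for the limit described in the reply above, added here as an example; it is not part of the thread, the pfSense package or HAProxy. It counts words per haproxy.cfg line the way the error message does (HAProxy's compiled-in limit is 64 arguments per line), lists the `crt` entries on an overlong `bind` line, and rewrites that line to the single `crt <directory>/` form that loads every .pem file in the directory. The sample config, the IP address and the certificate paths are constructed placeholders, and the rewrite assumes you have already placed the certificate files in that directory yourself. Since pfSense regenerates haproxy.cfg from the webgui, this is a diagnostic and a demonstration of the target syntax rather than something to run against the generated file.

```python
"""Flag haproxy.cfg lines that exceed HAProxy's per-line argument limit and
show the directory-based 'crt' form that avoids it.

HAProxy splits each configuration line into at most MAX_LINE_ARGS words and
drops the rest with "line too long, truncating at word 65", so a 'bind' line
carrying one 'crt <file>' pair per certificate fails well before its byte
length matters. Pointing 'crt' at a directory loads every .pem in it with a
single argument.
"""
from typing import List, Tuple

MAX_LINE_ARGS = 64  # HAProxy's compiled-in per-line word limit

# Constructed sample config (placeholder IP and paths, not from the thread):
# one frontend with 33 'crt <file>' pairs on its bind line (69 words) and one
# that already uses a certificate directory.
CERT_FILES = [f"/var/etc/haproxy/example{i}.pem" for i in range(33)]
SAMPLE_CFG = (
    "frontend many_certs\n"
    "    bind 192.0.2.10:443 ssl " + " ".join(f"crt {p}" for p in CERT_FILES) + "\n"
    "    default_backend web\n"
    "\n"
    "frontend dir_certs\n"
    "    bind 192.0.2.10:443 ssl crt /var/etc/haproxy/certs/\n"
    "    default_backend web\n"
)


def config_words(line: str) -> List[str]:
    """Whitespace-split a config line, ignoring blank and comment lines.

    HAProxy's real tokeniser also handles quoting and escapes; a plain split
    is enough to count 'crt <file>' arguments on a bind line.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    return stripped.split()


def find_overlong_lines(cfg_text: str, limit: int = MAX_LINE_ARGS) -> List[Tuple[int, int]]:
    """Return (line_number, word_count) for each line with more than `limit` words."""
    hits = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        n = len(config_words(line))
        if n > limit:
            hits.append((lineno, n))
    return hits


def crt_paths(bind_line: str) -> List[str]:
    """Every certificate path given as 'crt <path>' on a bind line."""
    words = config_words(bind_line)
    return [words[i + 1] for i, w in enumerate(words[:-1]) if w == "crt"]


def collapse_crt_args(bind_line: str, cert_dir: str) -> str:
    """Rewrite a bind line so all 'crt <file>' pairs become one 'crt <dir>/'.

    The caller must place (or symlink) the listed .pem files in cert_dir.
    HAProxy's default certificate is the first one loaded, so check which
    file becomes the default after switching to a directory.
    """
    words = config_words(bind_line)
    indent = bind_line[: len(bind_line) - len(bind_line.lstrip())]
    kept, had_crt, i = [], False, 0
    while i < len(words):
        if words[i] == "crt" and i + 1 < len(words):
            had_crt = True
            i += 2  # drop the 'crt <file>' pair
            continue
        kept.append(words[i])
        i += 1
    if had_crt:
        kept += ["crt", cert_dir.rstrip("/") + "/"]
    return indent + " ".join(kept)


def fix_config(cfg_text: str, cert_dir: str, limit: int = MAX_LINE_ARGS) -> str:
    """Collapse the crt list on every overlong bind line; leave other lines alone."""
    out = []
    for line in cfg_text.splitlines():
        words = config_words(line)
        if words and words[0] == "bind" and len(words) > limit:
            out.append(collapse_crt_args(line, cert_dir))
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if cfg_text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, n in find_overlong_lines(SAMPLE_CFG):
        certs = crt_paths(SAMPLE_CFG.splitlines()[lineno - 1])
        print(f"line {lineno}: {n} words (limit {MAX_LINE_ARGS}), {len(certs)} crt entries")
    print(fix_config(SAMPLE_CFG, "/var/etc/haproxy/certs"))
```

Running it reports line 2 of the sample at 69 words with 33 certificates and prints the config with that bind line reduced to `bind 192.0.2.10:443 ssl crt /var/etc/haproxy/certs/`. Because a directory changes which certificate HAProxy loads first, confirm the default certificate after the switch.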



  • Thank you, PiBa

