haproxy - unable to load SSL private key from PEM file


Problem description

haproxy does not start anymore, it shows the error

bind <ip>:443' : unable to load SSL private key from PEM file ...

We did not change anything on the certificates or configuration. Since the last start we only made normal updates to the system.

To find the error, I generated a completely new certificate (self signed) but the error still exists.

This is the structure of the PEM file:

-----BEGIN CERTIFICATE-----
MIIDXjCCAkY...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKC....
-----END RSA PRIVATE KEY-----

I also tried to convert the private key with

openssl pkcs8 -topk8 -inform pem -in server.key -outform pem -nocrypt -out server_new.key

but haproxy still shows the same error.

I've been trying for hours now but I cannot find the reason. Please help! Thank you!

Update:

The problem has something to do with file access. The PEM file was stored at /data/ssl/domainname/domainname.pem. File rights are ok. When I move the PEM file to /etc/haproxy then everything is ok.

Recommended answer

The problem I was running into on CentOS was SELinux was getting in the way. To test if SELinux is the problem execute the following as root: setenforce 0, then try restarting the haproxy. If it works, there is an SELinux problem. (You can re-enable SELinux now and try to fix the underlying problem with the command setenforce 1).

Since I have the certificates in the folder /etc/haproxy/certificates, the following command worked to get the right permissions on the files restorecon -v -R /etc/haproxy (depending on your OS and SELinux config this may or may not work).
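
Added example (not part of the original answer): a way to confirm the SELinux cause from audit records while enforcement stays on, by listing the files the haproxy process was denied. The sample records and the `default_t` label are constructed; on a real host, pipe `ausearch -m avc -c haproxy` into the function instead.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for haproxy from audit records.
# On a live host, feed it real records:
#   ausearch -m avc -c haproxy | haproxy_avc_denials

# Reads audit records on stdin; prints "<permissions> <file name> <target type>"
# for each record where the haproxy process was denied access to a file.
haproxy_avc_denials() {
    awk '
    /avc: +denied/ && /comm="haproxy"/ && /tclass=file/ {
        perm = name = ttype = "?"
        # Permission list sits between the braces: { read } or { open read }
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
        if (match($0, /name="[^"]*"/))
            name = substr($0, RSTART + 6, RLENGTH - 7)
        # tcontext is user:role:type:level; the type is the third field
        if (match($0, /tcontext=[^ ]+/)) {
            split(substr($0, RSTART + 9, RLENGTH - 9), ctx, ":")
            ttype = ctx[3]
        }
        print perm, name, ttype
    }'
}

# Constructed sample records (not from the original post). The file name
# matches the PEM file in the question; default_t is an assumed label.
sample_records() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:811): avc:  denied  { read } for  pid=2211 comm="haproxy" name="domainname.pem" dev="sdb1" ino=131 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.205:812): avc:  denied  { getattr } for  pid=2300 comm="sshd" path="/data/x" dev="sdb1" ino=140 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:811): arch=c000003e syscall=257 success=no exit=-13 comm="haproxy" exe="/usr/sbin/haproxy"
EOF
}

sample_records | haproxy_avc_denials
```

A denial on the PEM file with an unexpected target type points at labelling rather than file permissions. `restorecon` only resets a path to the label policy already defines for it, so a location outside the policy defaults such as /data/ssl first needs a file-context rule added with `semanage fcontext`.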
