How to Install and Bind a Server Certificate on HAProxy?

Overview 

This guide provides the step-by-step process for installing an SSL/TLS server certificate on HAProxy, creating the required PEM file, configuring HAProxy to use it on port 443, and validating HTTPS functionality. 

Applies to: HAProxy Open Source, Ubuntu Server 20.04/22.04, SSL termination at HAProxy.   

Prerequisites 

Before you begin, ensure you have the following:

  • HAProxy installed
  • Root or sudo access
  • Certificate files available:
      • server.crt (server certificate)
      • server.key (private key)
      • intermediate.crt (intermediate certificate, if applicable)

 

Procedure 

Step 1: Verify HAProxy Installation 

Confirm HAProxy is installed by running:

haproxy -v

Expected: HAProxy prints its version string. Running haproxy -vv instead also shows the OpenSSL version HAProxy was built with, which is what determines the TLS versions and ciphers it can offer.

If HAProxy is not installed, install it using:

sudo apt update
sudo apt install haproxy -y

Step 2: Prepare Certificate Files 

HAProxy requires the certificate and private key to be combined into a single PEM file. Ensure your certificate materials are ready for use with HAProxy.

  1. List and confirm that the certificate, key, and intermediate files exist:

     ls -l

  2. Verify that the certificate and private key match. The two hashes must be identical:

     openssl x509 -noout -modulus -in server.crt | openssl md5
     openssl rsa -noout -modulus -in server.key | openssl md5

     This modulus comparison applies to RSA keys only; for an ECDSA key, compare the public key extracted from the certificate with the public key derived from the private key instead. MD5 is used here purely to shorten the output for a visual comparison, not for any security purpose.

  3. If the private key is encrypted, remove the passphrase. HAProxy loads the certificate at startup and cannot prompt for a passphrase, so an encrypted key makes it fail to start:

     openssl rsa -in server.key -out server.key.nopass

     The resulting file holds the key in clear, so keep it readable only by root. openssl pkey performs the same conversion for non-RSA keys.

Step 3: Create the HAProxy PEM File 

Combine your certificate components into a single .pem file:

cat server.crt intermediate.crt server.key.nopass > haproxy.pem

Correct order:

  1. Server certificate
  2. Intermediate certificate(s), starting with the one that signed the server certificate
  3. Private key (last)

The root CA certificate is not needed in the bundle; clients already hold it in their trust store.

Verify the resulting PEM file:

  head -n 5 haproxy.pem
  tail -n 5 haproxy.pem

The file should start with -----BEGIN CERTIFICATE----- and end with -----END PRIVATE KEY----- (or -----END RSA PRIVATE KEY----- for a PKCS#1-formatted key). If one of the input files lacks a trailing newline, the next BEGIN line is appended to the previous END line and HAProxy will refuse to parse the bundle, so also confirm that every BEGIN and END marker sits on its own line.

 

Step 4: Move the Certificate to HAProxy Directory 

sudo mkdir -p /etc/haproxy/certs
sudo mv haproxy.pem /etc/haproxy/certs/

Set secure permissions. mv keeps the ownership of the user who created the file, so make sure the bundle ends up owned by root and readable only by its owner; HAProxy loads certificates as root at startup, before it drops privileges, so nothing else needs read access:

sudo chmod 600 /etc/haproxy/certs/haproxy.pem
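The checks from Steps 2 to 4 collected into one script, as an added example (this is not part of the original article nor of HAProxy). It assumes OpenSSL 1.1.1 or later and uses the file names from the steps above; the function names are illustrative. Unlike the -modulus comparison it also handles ECDSA and Ed25519 keys, it refuses a passphrase-protected key, it confirms that the intermediate really issued the server certificate, and it creates the bundle with mode 0600 from the start.

```shell
#!/bin/sh
# Added example (not from the original article or the HAProxy project):
# assemble and sanity-check the PEM bundle from Steps 2-4 before it is
# copied into /etc/haproxy/certs. Assumes OpenSSL 1.1.1 or later; the
# file names follow the article (server.crt, intermediate.crt, server.key).
set -eu

# Return 0 if the private key is stored without a passphrase. HAProxy cannot
# prompt for one at start-up, so an encrypted key makes it fail to start.
key_is_unencrypted() {
    local key
    key=$1
    # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED",
    # PKCS#8 with "BEGIN ENCRYPTED PRIVATE KEY".
    if grep -q ENCRYPTED "$key"; then
        return 1
    fi
    # Confirm OpenSSL can parse it with an empty passphrase.
    openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1
}

# Return 0 if the certificate carries the public key that belongs to the
# private key. Hashing the DER-encoded public key works for ECDSA and
# Ed25519 keys too, unlike the RSA-only "-modulus" comparison in Step 2.
cert_matches_key() {
    local cert key cert_fp key_fp
    cert=$1
    key=$2
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Return 0 if the intermediate in CHAIN actually issued CERT (catches a stale
# or wrong intermediate being bundled). -partial_chain lets the intermediate
# act as the trust anchor, so the system trust store is not involved.
chain_is_consistent() {
    local cert chain
    cert=$1
    chain=$2
    openssl verify -no-CAfile -no-CApath -partial_chain -trusted "$chain" "$cert" >/dev/null 2>&1
}

# Print the PEM block types in file order, e.g. "CERTIFICATE CERTIFICATE
# PRIVATE KEY": server certificate, intermediates, private key last.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Write OUT from CERT, CHAIN and KEY only when every check passes. The file
# is created under umask 077 so the key is never world-readable, not even
# briefly before a later chmod.
build_haproxy_pem() {
    local cert chain key out
    cert=$1
    chain=$2
    key=$3
    out=$4
    key_is_unencrypted "$key" || { echo "refusing: $key is passphrase-protected" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "refusing: $cert does not match $key" >&2; return 1; }
    chain_is_consistent "$cert" "$chain" || { echo "refusing: $chain did not issue $cert" >&2; return 1; }
    ( umask 077 && rm -f "$out" && cat "$cert" "$chain" "$key" > "$out" )
    echo "wrote $out: $(pem_block_order "$out")"
}
```

Typical use is build_haproxy_pem server.crt intermediate.crt server.key.nopass haproxy.pem, run as root in the directory holding the files, followed by the mv into /etc/haproxy/certs from Step 4. A refusal prints the reason on stderr and leaves no partial bundle behind.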
 
 
 

Step 5: Configure HAProxy to Use the Certificate 

Edit the HAProxy configuration file: 

  sudo nano /etc/haproxy/haproxy.cfg 
 

Add or update the configuration (the indentation is conventional; HAProxy itself does not require it):

global
    log /dev/log local0
    log /dev/log local1 notice
    daemon
    maxconn 2048
    # Refuse SSLv3 and TLS 1.0/1.1 on every "ssl" bind; TLS 1.2 and 1.3 remain
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    # TLS 1.2 suites: forward-secret AEAD only (TLS 1.3 suites are configured
    # separately with ssl-default-bind-ciphersuites and are AEAD by design)
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_frontend
    # Terminate TLS with the bundle installed in Step 4
    bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem
    default_backend web_backend

backend web_backend
    # Plain HTTP to the application on the same host; "check" enables health checks
    server web1 127.0.0.1:80 check

Step 6: Validate HAProxy Configuration 

sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg

Expected: the output ends with "Configuration file is valid". Fix any [ALERT] lines (for example a PEM file that cannot be parsed) before restarting; a restart with an invalid configuration leaves the service down.

Step 7: Restart HAProxy 

sudo systemctl restart haproxy
sudo systemctl status haproxy --no-pager -l

When only the certificate bundle or the configuration changed, a reload (sudo systemctl reload haproxy) is sufficient and, unlike a restart, does not drop connections that are still in progress.

Confirm port 443 is listening:

sudo ss -lntp 'sport = :443'

Step 8: Test HTTPS Access 

  1. Local HTTPS test:

     curl -vk https://localhost

  2. Hostname/SNI test (--resolve sends the request to SERVER_IP while still presenting your.domain.name as SNI and Host header, so it works before DNS points at the server):

     curl -vk https://your.domain.name --resolve your.domain.name:443:SERVER_IP

     -k disables certificate verification, so these two commands only prove that HAProxy answers TLS on port 443. Repeat the second command without -k: once the chain and host name are correct it must succeed with no certificate error.

  3. OpenSSL certificate validation (</dev/null closes the session after the handshake instead of waiting for input):

     openssl s_client -connect your.domain.name:443 -servername your.domain.name </dev/null

Check the certificate chain, issuer, expiration date, TLS protocol, and cipher in the output. "Verify return code: 0 (ok)" means the chain validated against the system trust store; a different code (for example 21, "unable to verify the first certificate") usually means the intermediate certificate is missing from the bundle.
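The Step 8 checks automated, as an added example (not part of the original article). capture_handshake talks to the live listener, while tls_summary and leaf_valid_for_days operate on the saved s_client transcript, so the same checks can be rerun on output captured earlier. It assumes OpenSSL 1.1.1 or later; the function names are illustrative and the host name and IP are placeholders for your own.

```shell
#!/bin/sh
# Added example, not part of the original article: automate the Step 8
# checks. Assumes OpenSSL 1.1.1 or later; host names and IPs are
# placeholders.
set -eu

# Handshake with SNI=HOST, optionally against an explicit IP (like
# curl --resolve), printing the full s_client transcript with the chain.
capture_handshake() {   # HOST PORT [IP]
    host=$1; port=$2; ip=${3:-$1}
    openssl s_client -connect "$ip:$port" -servername "$host" -showcerts </dev/null
}

# Reduce a transcript on stdin to protocol=/cipher=/verify= lines. Under
# TLS 1.3 s_client prints the SSL-Session block once per session ticket,
# so only the first occurrence of each field is kept.
tls_summary() {
    awk '
        /Verify return code:/ && !v++ { sub(/.*Verify return code: */, ""); print "verify=" $0 }
        /^ *Protocol *:/     && !p++ { sub(/^ *Protocol *: */, "");       print "protocol=" $0 }
        /^ *Cipher *:/       && !c++ { sub(/^ *Cipher *: */, "");         print "cipher=" $0 }
    '
}

# Return 0 if the server certificate in the transcript is still valid DAYS
# days from now, 1 if it expires sooner. openssl x509 reads the first PEM
# block on stdin, which is the leaf certificate in s_client output.
leaf_valid_for_days() {   # DAYS < transcript
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Deployment check: fail if verification did not succeed or the certificate
# runs out within 14 days. Needs a reachable listener, so it is not run here.
check_endpoint() {   # HOST PORT [IP]
    t=$(capture_handshake "$@")
    printf '%s\n' "$t" | tls_summary
    printf '%s\n' "$t" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$t" | leaf_valid_for_days 14
}
```

check_endpoint your.domain.name 443 SERVER_IP is the equivalent of the curl --resolve test, and its exit status makes it usable from a cron job or a deployment pipeline; the 14-day window is a choice, not an HAProxy requirement.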

 

Verification 

To confirm successful installation and configuration: 

  • Open https://your.domain.name in a browser: the connection must be reported as secure (padlock) with no certificate warning.
  • Use the openssl and curl output from Step 8 to confirm the certificate chain, the expiry date, and the negotiated TLS version and cipher.
