HA Proxy SSL Administration


Introduction

A Certificate Signing Request (CSR) is required when ordering an SSL certificate; it is generated from a private key.

If you wish to generate the private key yourself, you will also have to generate the CSR: follow Generating a CSR for certificate ordering, followed by Installation of the SSL-certificate.

If you already have the private key and certificate, just follow Installation of the SSL-certificate.

This guide was created with OpenSSL 1.1.1f and HA-Proxy 2.0.13 in a default installation.

This guide describes how you create, install and configure SSL in HA-Proxy on Linux.

This guide fits Ubuntu, Red Hat, CentOS, etc. Minor changes to paths and commands may be needed for other Linux distributions.

  1. Execute the following command to see which version of OpenSSL is installed:

openssl version

  2. Execute the following command to see which version of HA-Proxy is installed:

haproxy -v

  3. You can generate an SSL configuration text at the Mozilla SSL Configuration Generator, which you can then modify to fit your server.

You can choose between the following settings. We recommend Intermediate if you have no specific reason to select something else, and that you do not activate HSTS unless you are sure you know what you are doing.

    • Modern: Provides higher security but lower compatibility, as it prevents access for older browsers and clients.

Recommended if all clients are known, e.g. on an internal website.

    • Intermediate: A balance between medium-high security and high compatibility.

Generally recommended for servers that are accessed by unknown clients, e.g. a webshop. This optimises security while still allowing slightly older clients to access the website.

    • Old: Low security, highest compatibility.

This setting is only recommended if compatibility is more important than security, as it enables abandoned SSL standards that have known security holes.

    • HSTS (HTTP Strict Transport Security): a header from the server that tells the client that the DNS name may only be accessed through HTTPS from now on. The client remembers this for the max-age that was set, regardless of whether the header is later removed from the server again, so there is no way back if it fails.

Follow a thorough guide, be conservative and set max-age to 300 seconds (5 minutes) for at least a week before raising it gradually.

Watch out for sub-domains and preload, unless everything is already running HTTPS.

    • OCSP Stapling: It is definitely advantageous to activate OCSP stapling. It allows the server to fetch the status of the certificate regularly and deliver it to the client, instead of each client having to look up the status every time.


Generating a CSR for certificate ordering

In this example we have used a single DNS name, which works for both standard and SAN certificates; for a wildcard certificate the Common Name should be replaced with *.fairssl.dk

To be able to generate the CSR and complete the order you will need the following information:

  • Common Name (CN): The primary fully qualified domain name, e.g. www.fairssl.dk
  • Organization Name (O): The full company name, exactly as registered in CVR, e.g. FairSSL A/S (only required for OV and EV certificates)
  • Organizational Unit (OU): The department that is to use the certificate. It must not be possible to confuse the name with another company. It is recommended to leave it empty or use the company name, e.g. FairSSL A/S (no longer used and should be left empty)
  • Locality (L): City name, e.g. Ørum Djurs
  • State (S): State or municipality; in Denmark the municipality is used, e.g. Norddjurs
  • Country (C): ISO standard two-letter country code, must be capitalised, e.g. DK

We use OpenSSL for creating the private key and CSR. OpenSSL is installed under /usr/local/ssl/bin in a default installation.


Generating the private key

  1. Log in to the server with an administrator account.

  2. Run the following command to generate a 2048-bit Diffie-Hellman parameter:

sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048

  3. Run the following command to generate a 2048-bit RSA private key without a password:

sudo openssl genrsa -out /etc/ssl/private/www.fairssl.dk.key 2048

We create the private key in /etc/ssl/private/ because it is a secured folder created specifically for this purpose.

Do not ever send the private key to us in an email.

The private key file should be kept secure and should not leave the server. It is not possible to use smaller keys such as RSA 1024-bit.


Generating the CSR

  1. Run the following command to create a CSR with the private key you created:

sudo openssl req -new -key /etc/ssl/private/www.fairssl.dk.key -out /etc/ssl/private/www.fairssl.dk.csr

If you have chosen to secure the private key with a password (not shown in this guide), you will be asked to enter it here.

Enter the information you collected earlier for the certificate, each followed by [ENTER]; remember that Country Name has to be capitalised. Leave the 3 last fields empty as shown below:

Country Name: DK

State or Province Name: Norddjurs

Locality Name: Ørum Djurs

Organization Name: FairSSL A/S

Organizational Unit Name: FairSSL A/S

Common Name: www.fairssl.dk

Email Address:

A Challenge Password:

An Optional Company Name:

  2. You can confirm that your CSR was generated correctly with the following command:

sudo openssl req -noout -text -in /etc/ssl/private/www.fairssl.dk.csr

  3. Open the CSR file with a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.csr) and copy the entire text, including all the dashes at the beginning and end.

Insert the copied text in the CSR field during the certificate ordering.

The following is an example of a complete CSR text:

A CSR does not contain any private information, so there is no security risk in sending the CSR to us through unencrypted email.
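
The same key and CSR steps as an added example that is not part of the original guide: the subject is passed on the command line instead of being typed at the prompts, and the CSR is checked against the key before it is sent. The function names and the temporary directory are assumptions; the subject values are the guide's example values.

```shell
#!/bin/sh
# Added example, not FairSSL's tooling: create the key and CSR
# non-interactively with the subject fields the guide lists, then check
# the CSR before pasting it into the order form. Function names and the
# temporary directory are ours; the subject values are the guide's.
set -eu

# Escape "/" inside a value ("FairSSL A/S"): "/" separates RDNs in -subj.
esc() { printf '%s' "$1" | sed 's|/|\\/|g'; }

# Create a 2048-bit RSA key (no passphrase) and a CSR whose subject comes
# from the arguments, so nothing is typed at the prompts. OU, email,
# challenge password and optional company name are omitted, as the guide
# recommends. Usage: make_csr KEY CSR CN O L ST C
make_csr() {
    key=$1 csr=$2 cn=$3 o=$4 l=$5 st=$6 c=$7
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -utf8 -key "$key" -out "$csr" \
        -subj "/C=$(esc "$c")/ST=$(esc "$st")/L=$(esc "$l")/O=$(esc "$o")/CN=$(esc "$cn")"
}

# Print one subject field of the CSR by long name (commonName, organizationName, ...).
csr_field() {
    openssl req -in "$2" -noout -subject -nameopt sep_multiline,lname,utf8 \
        | sed -n "s/^ *$1=//p"
}

# Succeed only if the CSR's self-signature verifies (the file was not damaged).
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Succeed only if the CSR's public key is the one derived from KEY, i.e.
# the CSR really belongs to the private key that stays on the server.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone demo in a temporary directory instead of /etc/ssl/private.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_csr "$d/www.fairssl.dk.key" "$d/www.fairssl.dk.csr" \
        www.fairssl.dk 'FairSSL A/S' 'Ørum Djurs' Norddjurs DK
    echo "CN: $(csr_field commonName "$d/www.fairssl.dk.csr")"
    csr_signature_ok "$d/www.fairssl.dk.csr" && echo "signature OK"
    csr_matches_key "$d/www.fairssl.dk.csr" "$d/www.fairssl.dk.key" && echo "CSR matches key"
fi
```

Run it with --demo to see the checks on a throwaway key; on the real server pass the /etc/ssl/private paths from the steps above instead.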

 

Installation of the SSL-certificate

  1. Create a file in the folder where your private key is located, named after your website (e.g. /etc/ssl/private/www.fairssl.dk.pem):

Open the file in a text editor (e.g. sudo nano www.fairssl.dk.pem).

Copy the entire text of your SSL certificate from the mail into the file, including all the dashes.

Open the private key with a text editor (e.g. sudo nano /etc/ssl/private/www.fairssl.dk.key) and copy the text from the key file into the certificate file.

Finally, copy the entire text from the intermediate certificate into the certificate file and save it.

  2. Create a backup of your haproxy.cfg file:

sudo cp /usr/local/etc/haproxy/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg.bak

  3. Open haproxy.cfg with a text editor (e.g. sudo nano haproxy.cfg).

Update the file with the settings you generated in the Introduction.

Here is an example of an updated file (comments have been removed to make it easier to read):

  4. Test that the HA Proxy configuration still works correctly:

sudo service haproxy configtest

If an error occurs during the test, it needs to be corrected before proceeding. See the log files for more information.

  5. Reload HA Proxy:

sudo service haproxy reload

We recommend that you test the installation with our server tester at https://www.fairssl.net/en/ssltest
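
A local check of the bundle before the reload, as an added example rather than FairSSL's own script: it builds the PEM file in the order given in step 1 and confirms that the private key belongs to the certificate and that the certificate chains through the pasted intermediate. The function names are assumptions, and the default CA file path is the Debian/Ubuntu one.

```shell
#!/bin/sh
# Added example, not FairSSL's tooling: assemble the PEM bundle in the
# order the guide gives (server certificate, private key, intermediate
# certificate) and check it locally before HA Proxy is reloaded.
# Function names are ours; pass your own file paths (the guide's bundle
# is /etc/ssl/private/www.fairssl.dk.pem).
set -eu

# Usage: build_bundle CERT KEY INTERMEDIATE OUT
# OUT is created readable by its owner only, because it carries the private key.
build_bundle() {
    (umask 077 && cat "$1" "$2" "$3" > "$4")
}

# Succeed only if the first certificate in the bundle belongs to the
# (unencrypted) private key in the same file: pasting the wrong key is
# the classic copy-paste error.
bundle_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(awk '/BEGIN .*PRIVATE KEY/{p=1} p{print} /END .*PRIVATE KEY/{p=0}' "$1" \
              | openssl pkey -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the server certificate (first CERTIFICATE block) chains
# to a root in CAFILE via the intermediates that follow it in the bundle,
# i.e. the intermediate that was pasted in is the right one.
bundle_chain_ok() {
    bundle=$1 cafile=$2
    d=$(mktemp -d)
    awk '/BEGIN CERTIFICATE/{n++;p=1} p&&n==1{print} /END CERTIFICATE/{p=0}' "$bundle" > "$d/leaf.pem"
    awk '/BEGIN CERTIFICATE/{n++;p=1} p&&n>1{print} /END CERTIFICATE/{p=0}' "$bundle" > "$d/chain.pem"
    set --
    [ -s "$d/chain.pem" ] && set -- -untrusted "$d/chain.pem"
    r=0
    openssl verify -CAfile "$cafile" "$@" "$d/leaf.pem" >/dev/null 2>&1 || r=$?
    rm -rf "$d"
    return $r
}

# Stand-alone use: sh check-bundle.sh CERT KEY INTERMEDIATE OUT [CAFILE].
# The default CA file is the Debian/Ubuntu path; adjust it on other distributions.
if [ $# -ge 4 ]; then
    build_bundle "$1" "$2" "$3" "$4"
    bundle_key_matches_cert "$4" && echo "private key matches the certificate"
    bundle_chain_ok "$4" "${5:-/etc/ssl/certs/ca-certificates.crt}" && echo "chain verifies"
fi
```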

 

Intermediate certificates

Here you can find the intermediate certificates from different Certificate Authorities.

We recommend that you use the intermediate certificate you received with your server certificate, and only download one from here if you lose it, as the one you get in the mail will always be the correct one for your server certificate.

 
