RHEL / RHEL-64450

OpenSSL 3.2.x package breaks HAproxy 2.4 from AppStream Repo

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • CentOS Stream 9
    • haproxy
    • rhel-sst-openshift
    • CentOS Stream
    • All

      What were you trying to do that didn't work?

      Run HAProxy 2.4.x (I think all patch versions, but I have not personally checked) from the AppStream repository with OpenSSL 3.2.x and try to load a TLS certificate and key from separate files (instead of the combined .pem file option).

      It does work if you concatenate the separate key and certificate files together. However, both modes should work per the HAProxy 2.4 manual: https://docs.haproxy.org/2.4/configuration.html#crt%20(Bind%20options). And this worked fine with OpenSSL 3.0.x.


      What is the impact of this issue to you?

      I am stuck on OpenSSL 3.0.x packages on my HAProxy load balancer nodes (if I do not leverage a workaround).

      Please provide the package NVR for which the bug is seen:

      openssl-1:3.2.2-.el9.

      haproxy-2..-.el9.

      How reproducible is this bug?:

      Trivial

      Steps to reproduce

      1. Install OpenSSL 3.2.x and HAProxy 2.4.x
      2. Use the provided key pairs and haproxy config, or generate your own. (Have haproxy attempt to load the certificate from a single file and load the key from a .key file, as specified in https://docs.haproxy.org/2.4/configuration.html#crt%20(Bind%20options).)
      3. systemctl start haproxy

      I have provided an example working config and a broken config (good_haproxy.cfg and broken_haproxy.cfg; these are the same except for the .pem file they each target) with the associated TLS certificate files and keys I created for testing this.

      lb.pem.key
      lb.pem
      combined.pem
      good_haproxy.cfg
      broken_haproxy.cfg

      Expected results

      HAProxy starts without error.

      Actual results

      HAProxy fails to start with the error:

      parsing [/etc/haproxy/haproxy.cfg:54] : 'bind *:443' : unable to load certificate chain from file '/etc/ssl/certs/lb.pem'.

      Attachments:
        1. broken_haproxy.cfg (2 kB)
        2. combined.pem (5 kB)
        3. good_haproxy.cfg (2 kB)
        4. lb.pem (2 kB)
        5. lb.pem.key (3 kB)

      People: Ryan O'Hara (rhn-engineering-rohara), Philip Bove (bandit1456), Cluster QE
      Votes: 0
      Watchers: 11
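A self-contained reproducer for the steps above, added here as an example; it is not part of the original report or of the attached files. It generates a throwaway self-signed pair laid out the way the report's attachments are (certificate in lb.pem, key in lb.pem.key, which is the "<crt>.key" companion file the HAProxy 2.4 `crt` documentation says is tried when the certificate file carries no key), builds the concatenated combined.pem workaround with a sanity check that the certificate block precedes the key block, writes a broken and a good config that differ only in the `crt` path, and validates each with `haproxy -c`. The listener port, backend address, subject name and config layout are assumptions chosen for the example; the report's own configs and paths are not reproduced.

```shell
#!/bin/sh
# Reproducer for "unable to load certificate chain" with separate crt/key files.
# Example script, not the reporter's attachments. Run: sh repro.sh run
set -eu

# Write a minimal HAProxy 2.4 config; only the crt path differs between the
# good and broken variants. Port, backend and timeouts are assumptions.
write_cfg() {  # write_cfg <out-file> <crt-path>
    cat > "$1" <<EOF
global
    log stdout format raw local0
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend https_in
    bind *:8443 ssl crt $2
    default_backend app
backend app
    server app1 127.0.0.1:8080
EOF
}

# Throwaway self-signed pair: certificate only in lb.pem, key in lb.pem.key,
# the "<crt>.key" companion that HAProxy 2.4 looks for when crt has no key.
gen_pair() {  # gen_pair <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=lb.example' \
        -keyout "$1/lb.pem.key" -out "$1/lb.pem" 2>/dev/null
}

# The workaround from the report: one PEM holding certificate then key.
# Returns non-zero if either block is missing or the key comes first.
make_combined() {  # make_combined <cert> <key> <out>
    cat "$1" "$2" > "$3"
    grep -q 'BEGIN CERTIFICATE' "$3" || return 1
    grep -q 'PRIVATE KEY' "$3" || return 1
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$3" | head -n 1 | cut -d: -f1)
    key_line=$(grep -n 'PRIVATE KEY' "$3" | head -n 1 | cut -d: -f1)
    [ "$cert_line" -lt "$key_line" ]
}

# Config check only; haproxy -c parses and loads certificates without binding.
check_cfg() {  # check_cfg <cfg>
    haproxy -c -f "$1" >/dev/null 2>&1
}

main() {
    dir=$(mktemp -d)
    gen_pair "$dir"
    make_combined "$dir/lb.pem" "$dir/lb.pem.key" "$dir/combined.pem"
    write_cfg "$dir/broken_haproxy.cfg" "$dir/lb.pem"        # key expected from lb.pem.key
    write_cfg "$dir/good_haproxy.cfg"   "$dir/combined.pem"  # key inside the crt file
    command -v haproxy >/dev/null 2>&1 || {
        echo "haproxy not installed; configs and PEM files left in $dir"; return 0; }
    echo "openssl: $(openssl version)"
    echo "haproxy: $(haproxy -v | head -n 1)"
    for c in good broken; do
        if check_cfg "$dir/${c}_haproxy.cfg"; then
            echo "$c: config valid"
        else
            echo "$c: config FAILS"
            haproxy -c -f "$dir/${c}_haproxy.cfg" 2>&1 | head -n 3
        fi
    done
}

case "${1:-}" in run) main ;; esac
```

On an affected host the expected outcome is "good: config valid" and "broken: config FAILS" with the same "unable to load certificate chain" line; the printed openssl and haproxy versions can be pasted into the NVR section of a report. Swapping the OpenSSL package while keeping the same two configs isolates the library as the variable.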