- Bug
- Resolution: Unresolved
- Blocker
- CentOS Stream 9
- rhel-sst-openshift
- CentOS Stream
- All
What were you trying to do that didn't work?
Run HAProxy 2.4.x (I think all patch versions, but I have not personally checked) from the AppStream repository with OpenSSL 3.2.x and try to load a TLS certificate and key from separate files (instead of the combined .pem file option).
It does work if you concatenate the separate key and certificate files together. However, both modes should work per the HAProxy 2.4 manual: https://docs.haproxy.org/2.4/configuration.html#crt%20(Bind%20options). And this worked fine with OpenSSL 3.0.x.
What is the impact of this issue to you?
I am stuck on OpenSSL 3.0.x packages on my HAProxy load balancer nodes (if I do not leverage a workaround).
Please provide the package NVR for which the bug is seen:
openssl-1:3.2.2-.el9.
haproxy-2..-.el9.
How reproducible is this bug?:
Trivial
Steps to reproduce
- Install OpenSSL 3.2.x and HAProxy 2.4.x
- Use provided keypairs and haproxy config or generate your own. (Have haproxy attempt to load a certificate from a single file and load the key from a .key file as specified in https://docs.haproxy.org/2.4/configuration.html#crt%20(Bind%20options) )
- systemctl start haproxy
I have provided an example working config and an example broken config (good_haproxy.cfg and broken_haproxy.cfg; these are the same except for the .pem file they each target), together with the associated TLS certificate files and keys I created for testing this.
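The report distinguishes two ways a `bind ... crt <file>` entry can supply its private key: embedded in the same PEM as the certificate, or in a sibling file named `<file>.key`, as the linked HAProxy 2.4 `crt` documentation describes. The following shell snippet is an added diagnostic, not part of this report or of HAProxy itself: given the path from the `bind` line, it reports which layout is in use, so that a start-up failure like the one below can quickly be narrowed to the separate-key code path (the one reported as broken with OpenSSL 3.2.x) or ruled out. The `make_fixtures` helper writes constructed placeholder PEM blocks (not real certificates or keys) into a temporary directory purely to exercise the check.

```shell
#!/bin/sh
# Added example (not from the bug report or the HAProxy project).
# Classify how a `bind ... crt <file>` entry supplies its private key.
# HAProxy 2.4 accepts either a combined PEM (certificate and key in one
# file) or a certificate-only file with the key in a sibling <file>.key.
# Prints one of: combined, separate, no-key, no-cert
haproxy_crt_layout() {
    crt="$1"
    [ -f "$crt" ] || { echo no-cert; return 1; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$crt"; then
        echo combined            # key embedded: path that the report says works
    elif [ -f "$crt.key" ] && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$crt.key"; then
        echo separate            # key in <crt>.key: path reported as failing on 3.2.x
    else
        echo no-key              # neither location holds a key: config/deploy error
        return 1
    fi
}

# Constructed fixtures for trying the check offline. The PEM bodies are
# base64 of a placeholder string, NOT real certificates or keys.
make_fixtures() {
    d=$(mktemp -d)
    cert='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlQ=
-----END CERTIFICATE-----'
    key='-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END PRIVATE KEY-----'
    printf '%s\n%s\n' "$cert" "$key" > "$d/combined.pem"   # combined layout
    printf '%s\n' "$cert" > "$d/separate.pem"              # cert only ...
    printf '%s\n' "$key"  > "$d/separate.pem.key"          # ... key beside it
    printf '%s\n' "$cert" > "$d/keyless.pem"               # misconfiguration
    echo "$d"
}

# Usage: sh crt_layout.sh /etc/ssl/certs/lb.pem   (path taken from the bind line)
if [ "$#" -gt 0 ]; then
    haproxy_crt_layout "$1"
fi
```

Run it against the path named in the HAProxy error message; a result of `separate` on an OpenSSL 3.2.x host matches the condition this report describes, while `no-key` points at a missing or misnamed key file rather than the library change.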
Expected results
HAProxy starts without error.
Actual results
HAProxy fails to start with the error:
parsing [/etc/haproxy/haproxy.cfg:54] : 'bind *:443' : unable to load certificate chain from file '/etc/ssl/certs/lb.pem'.
- is caused by: RHEL-26271 Rebasing OpenSSL to 3.2.x (Closed)