环境:
centos 7.9
HA-Proxy version 1.5.18
问题描述:
9232 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: [ALERT] 104/180211 (123303) : parsing [/etc/haproxy/haproxy.cfg:65] : 'bind *:443' : unable to load SSL p rivate key from PEM file '/ssl/harbor.pem'.
9233 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: [WARNING] 104/180211 (123303) : parsing [/etc/haproxy/haproxy.cfg:68] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
#主要看下面这段:
9236 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: [ALERT] 104/180211 (123303) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
9237 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: [ALERT] 104/180211 (123303) : Proxy 'harbor': no SSL certificate specified for bind '*:443' at [/etc/hapr oxy/haproxy.cfg:65] (use 'crt').
9238 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: [ALERT] 104/180211 (123303) : Fatal errors found in configuration.
9239 Apr 15 18:02:11 node4 haproxy-systemd-wrapper: haproxy-systemd-wrapper: exit, haproxy RC=1
9240 Apr 15 18:02:11 node4 systemd: haproxy.service: main process exited, code=exited, status=1/FAILURE
处理方式:
#移动pem文件到/etc/haproxy 。 感觉有点玄学。。。
cp /ssl/harbor.pem /etc/haproxy
#随后修改/etc/haproxy/haproxy.cfg 刚才pem的路径。
#另一个原因。已复现。
感觉98%是开启selinux导致的。 (这个环境是新的。当时没关selinux)
参考:https://stackoverflow.com/questions/27947982/haproxy-unable-to-load-ssl-private-key-from-pem-file 《haproxy - unable to load SSL private key from PEM file》
其他:
#haproxy.cfg内容:
[root@node4 haproxy]# cat haproxy.cfg
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend harbor
bind *:80
#bind *:443 ssl crt /ssl/harbor.pem
bind *:443 ssl crt /etc/haproxy/harbor.pem
mode http
use_backend harbor_cluster
redirect scheme https if !{ ssl_fc } # 跳转至https协议
# 添加协议头部
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc }
backend harbor_cluster
balance source # 确保同一节点请求转发至同一后端服务
server node1 192.168.79.34:8090 check port 8090
#server node1 10.0.0.211:80 check port 80
#server node2 10.0.0.212:80 check port 80
生成pem文件时的操作:
mkdir /ssl && cd /ssl
cat 7977024_.net.pem > harbor.pem
cat 7977024_.net.key >> harbor.pem
之前做的排查操作:
haproxy -c -f haproxy.cfg
tail -f /var/log/messages
#检查证书文件是否格式正确
openssl x509 -in harbor.pem -noout -text
openssl rsa -in harbor.pem -noout -text
chmod 600 /ssl/harbor.pem
chown haproxy:haproxy /ssl/harbor.pem