haproxy can't get started if errorfile or ssl cert is being used

Hi,

Not sure if I'm in the right place. I am going absolutely crazy trying to get LEAP 15.1 (or any LEAP/openSUSE version) and haproxy 2.2 (or any other version) to work using an SSL certificate.

I’ve used the haproxy 2.0 from LEAP distro and also downloaded the newer haproxy 2.2 release all with the same issue.

‘bind *:443’ : cannot open the file ‘/etc/ssl/test.io/test.io.pem’

Doesn't matter if it's self-signed or from Let's Encrypt / GoDaddy, always the same error. I've scoured every doc on the internet with the same results. I have 2 LEAP/haproxy servers in primary/backup mode and it works well, along with the haproxy managing 13 other LEAP servers.

Along with this, I can't get custom error files to activate either:

errorfile : error opening file ‘/etc/haproxy/errors-custom/400.http’. Once again it doesn't matter what's in the file content; I've tried basic content and downloaded various samples from GitHub.

The haproxy config works fine without those two commands and starts up. Not sure if it's a perms issue - I've given haproxy:haproxy ownership of the custom-errors folder/files as well, with no luck.

Thanks,
JH

Resolved, I have no idea why this would even affect the operations when AppArmor wasn't even loaded/running.

Thanks to this post, I took a stab at it:
https://forums.opensuse.org/showthread.php/537456-HAproxy-kann-privates-Zertifikat-nicht-lesen-gt-Bug-in-15-1?highlight=haproxy

Added the errors-custom and ssl/private folders to the usr.sbin.haproxy.cfg and haproxy then started with the ssl cert and custom error directives…

Thanks

Speculating that the location specified for your certificates (I assume in the haproxy.cfg file) likely has a default permission set that prevents it from being read in the security context your haproxy is running in.

Although we normally think that AppArmor applies restrictive permissions, in this case it's likely needed to make an exception and loosen permissions for this one app.

I think it’s been said before,
Running a machine without AppArmor or SELinux is playing with fire.
Plenty of systems (I’m thinking more of Hadoop clusters but there is similarity of motivation and purpose… SysAdmin seeking performance gain and simplest system permissions and assumes running environment won’t be penetrated) have been compromised.

If you think that this modification to the haproxy AppArmor profile should be a standard setting that's required because of a default config setting, I'd recommend you create a bug at https://bugzilla.opensuse.org.

TSU
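An added example, not from this thread or from the haproxy or openSUSE projects, illustrating the diagnosis behind JH's fix and the targeted profile exception TSU describes. Before editing the profile, the kernel audit log tells you exactly which paths AppArmor refused; the script below parses such "DENIED" lines for the haproxy profile and prints the minimal read-only rules to add. The log lines are constructed samples modelled on the paths in the thread; the profile name /usr/sbin/haproxy and the rule format are standard AppArmor conventions, but treat the exact path layout as an assumption for your system.

```shell
#!/bin/sh
# Added example: derive minimal AppArmor read rules for haproxy from
# "DENIED" audit lines. On a live system the input would come from
#   journalctl -k | grep 'apparmor="DENIED"'
# (or /var/log/audit/audit.log when auditd is installed).

# Constructed sample audit lines in the kernel's AppArmor format; the
# paths mirror the ones JH reported, the pids and timestamps are made up.
SAMPLE_DENIALS='audit: type=1400 audit(1600000000.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/haproxy" name="/etc/ssl/test.io/test.io.pem" pid=1234 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.124:457): apparmor="DENIED" operation="open" profile="/usr/sbin/haproxy" name="/etc/haproxy/errors-custom/400.http" pid=1234 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1600000000.125:458): apparmor="DENIED" operation="open" profile="/usr/sbin/haproxy" name="/etc/haproxy/errors-custom/503.http" pid=1234 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Count DENIED events attributed to the haproxy profile.
count_denials() {
    printf '%s\n' "$1" \
    | grep 'apparmor="DENIED"' \
    | grep -c 'profile="/usr/sbin/haproxy"'
}

# Print one read-only rule ("<dir>/** r,") per distinct directory that
# haproxy was refused. Read-only is deliberate: certificates and error
# pages never need write access, so the exception stays as narrow as
# the failure requires. Paste the output into the profile file, e.g.
# /etc/apparmor.d/usr.sbin.haproxy, then run: apparmor_parser -r <file>
suggest_rules() {
    printf '%s\n' "$1" \
    | grep 'apparmor="DENIED"' \
    | grep 'profile="/usr/sbin/haproxy"' \
    | sed -n 's/.*name="\([^"]*\)".*/\1/p' \
    | sed 's#/[^/]*$##' \
    | sort -u \
    | sed 's#$#/** r,#'
}

# Stand-alone run: show the denial count and the suggested rules.
echo "denials for haproxy: $(count_denials "$SAMPLE_DENIALS")"
suggest_rules "$SAMPLE_DENIALS"
```

After adding the rules and reloading the profile, a clean `journalctl -k | grep 'apparmor="DENIED"'` on the next haproxy start confirms the exception is sufficient; any remaining line points at a path the rule set still does not cover. Restricting the rule to the certificate and error-page directories rather than disabling the profile keeps the confinement TSU argues for while fixing the start-up failure.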