Installing an SSL Certificate on HAProxy

Samantha Clark

HAProxy sits in front of more high-traffic websites than almost any other load balancer, and it has one SSL Certificate quirk that catches everyone the first time.

Unlike Apache or NGINX, HAProxy expects the SSL Certificate, the Intermediate Certificates, and the Private Key combined into a single PEM file. Get that file right and the rest of the installation takes two minutes.

Prerequisites and Required Files

You need shell access with permission to edit the HAProxy configuration and reload the service, on HAProxy 1.5 or later built with native Secure Sockets Layer (SSL) support, which every modern distribution package includes. If in doubt, haproxy -vv lists the OpenSSL version the binary was built against.

You also need your issued SSL Certificate file and the ca-bundle containing the Intermediate Certificates, both available in the tracking system. View Our Tracking & SSL Management 🔗

The Private Key generated with your Certificate Signing Request (CSR) completes the set. Trustico® does not retain Private Keys, so confirm the file exists on your infrastructure before starting. Learn About Generating a CSR 🔗

Building the Combined PEM File

Concatenate the three components in the correct order: the SSL Certificate first, the Intermediate Certificates second, and the Private Key last. Check beforehand that each source file ends with a newline, because cat adds none, and a certificate file without a trailing newline glues its END line to the BEGIN line of the next block and breaks parsing.

cat yourdomain.crt yourdomain.ca-bundle yourdomain.key > /etc/haproxy/certs/yourdomain.pem

Because the combined file contains the Private Key, its permissions matter more than usual. Make it owned by root with mode 600 so nothing else on the host can read it. HAProxy loads certificates while parsing its configuration, before it drops privileges, so the haproxy service account needs no access to the file (the exception is a deployment that runs the whole process as an unprivileged user, which must then own the file instead).

chmod 600 /etc/haproxy/certs/yourdomain.pem

Important: the component order inside the PEM file is not optional. HAProxy treats the first certificate block in the file as the server certificate and every certificate after it as the chain, so a ca-bundle placed ahead of the SSL Certificate leaves HAProxy trying to pair the Private Key with an Intermediate Certificate, and it refuses to start with a key mismatch. If HTTPS misbehaves after installation, the file order is the first thing to check.

With the combined file built and protected, the remaining configuration is a single bind line.

Configuring the HTTPS Frontend

The bind line in your frontend ties the PEM file to port 443. A minimal Transport Layer Security (TLS) terminating frontend looks like this.

# /etc/haproxy/haproxy.cfg
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/yourdomain.pem
    mode http
    default_backend web_servers

The crt parameter also accepts a directory path. When pointed at a directory, HAProxy loads every PEM file inside it and selects the SSL Certificate whose names match the hostname the client sends through Server Name Indication (SNI), which makes multi-site deployments effortless. A client that sends no SNI, or a name no loaded certificate covers, receives the first certificate loaded from the directory unless the bind line also carries strict-sni, in which case HAProxy rejects that handshake instead.

Terminating at the load balancer means your backend servers receive plain HTTP, an architecture with real performance benefits and a few considerations worth understanding. Learn About SSL Offloading 🔗
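The following haproxy.cfg is an added example, not configuration from the original article or from the HAProxy project. It builds on the minimal frontend above with the settings a production TLS terminator usually wants: a floor on the protocol version, a modern cipher list, an HTTP to HTTPS redirect, per-site certificates selected by SNI from the directory, and the X-Forwarded-Proto header that tells the plain-HTTP backends the client connection was encrypted. The backend addresses, the directory path and the site names are placeholders, and the global TLS defaults assume HAProxy 1.8 or later built against OpenSSL 1.1.1 or later.

```haproxy
# /etc/haproxy/haproxy.cfg (added example; addresses and paths are placeholders)
global
    log stdout format raw local0
    # Defaults inherited by every "bind ... ssl" line that does not override them.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites; needs an OpenSSL 1.1.1 or later build.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    bind *:80
    # Permanent redirect so clients stop asking over plain HTTP.
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https_in
    # One combined PEM per site in the directory; HAProxy picks the file whose
    # names match the SNI the client sends. strict-sni refuses handshakes for
    # names that have no certificate instead of serving the first file loaded.
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1
    # The backends receive plain HTTP; tell them the original scheme was HTTPS.
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

Validate it with haproxy -c -f before reloading. Drop strict-sni if you need a default certificate for clients that send no SNI, such as monitoring tools that connect by IP address, and add the Strict-Transport-Security header only once every subdomain is served over HTTPS, because browsers remember it for the full max-age.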

Testing and Reloading HAProxy

HAProxy validates its configuration without touching running traffic, and the check catches PEM file problems before they take the site down.

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

The message Configuration file is valid clears the way for a reload, which applies the new SSL Certificate without dropping existing connections. An alert printed instead names the file and line that failed; fix it before reloading, since the check leaves the running process untouched.

sudo systemctl reload haproxy

Verifying the Installation

Load the site over HTTPS and confirm the SSL Certificate details in the browser. Then run an external scan to confirm the full chain reaches fresh clients: desktop browsers cache Intermediate Certificates from earlier visits to other sites and may even fetch a missing one themselves, so an incomplete chain can look fine on your own machine while failing for mobile devices and command-line clients. Trustico® provides free checking tools for exactly this purpose. Explore Our Trustico® SSL Tools 🔗

Troubleshooting Common Installation Problems

An unable to load SSL private key error during the configuration check means the Private Key is missing from the PEM file or does not pair with the first certificate in it. Rebuild the file with all three components in order, checking in particular that the ca-bundle did not end up ahead of the SSL Certificate.

If the mismatch persists, the key likely belongs to a different Certificate Signing Request (CSR), and a reissue resolves it. Learn About Reissuing Your SSL Certificate 🔗

Chain warnings on mobile devices or command-line clients, while desktop browsers show no problem, almost always mean the ca-bundle was left out of the PEM file. Rebuild and reload. Learn About Intermediate Certificates 🔗
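The build steps from the section on the combined PEM file and the Private Key and chain diagnoses above come together in the following script, added here as an illustration rather than taken from the original article or from the HAProxy project. It assumes the file names used throughout this post, needs openssl on the PATH for the key match test, and generates throwaway self-signed certificates so it can be run end to end without real key material:

```sh
#!/bin/sh
# Added example, not code from the original article or from HAProxy: build the
# combined PEM in the order HAProxy expects, then check it the way HAProxy
# reads it. Paths and file names are assumptions; the key material generated
# at the bottom is throwaway demo data, not real certificates.

# build_pem CERT BUNDLE KEY OUT
# Server certificate, then intermediates, then private key. The subshell
# umask means the file is never readable by other users, not even briefly.
build_pem() {
    ( umask 077 && cat "$1" "$2" "$3" > "$4" ) || return 1
    chmod 600 "$4"
}

# pem_block FILE TYPE-REGEX
# Prints the first PEM block whose BEGIN line matches TYPE-REGEX, which is
# exactly how HAProxy picks the server certificate: first one wins.
pem_block() {
    awk -v t="$2" '$0 ~ "^-----BEGIN " t "-----" {p=1} p {print} p && $0 ~ "^-----END " t "-----" {exit}' "$1"
}

# pem_layout_ok FILE
# Structural checks that need no crypto: no two blocks glued together by a
# missing trailing newline, a certificate as the first block, at least two
# certificate blocks (server plus chain) and exactly one private key block.
pem_layout_ok() {
    if grep -q -e '-----END [A-Z ]*----------BEGIN ' "$1"; then
        echo "$1: two blocks are glued together, a source file lacks a trailing newline"
        return 1
    fi
    first=$(grep -e '^-----BEGIN ' "$1" | head -n 1)
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] ||
        { echo "$1: first block is '$first', expected the server certificate"; return 1; }
    [ "$certs" -ge 2 ] ||
        { echo "$1: only $certs certificate block(s), was the ca-bundle left out?"; return 1; }
    [ "$keys" -eq 1 ] ||
        { echo "$1: expected one private key block, found $keys"; return 1; }
}

# key_matches_cert FILE   (needs openssl on PATH)
# The public key inside the FIRST certificate must equal the one derived from
# the private key; otherwise HAProxy reports "unable to load SSL private key",
# most often because the ca-bundle ended up ahead of the server certificate.
key_matches_cert() {
    cert_pub=$(pem_block "$1" 'CERTIFICATE' | openssl x509 -noout -pubkey) || return 1
    key_pub=$(pem_block "$1" '.*PRIVATE KEY' | openssl pkey -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$1: private key does not match the first certificate"; return 1; }
}

# check_pem FILE: both checks, cheapest first so the message is the useful one.
check_pem() {
    pem_layout_ok "$1" && key_matches_cert "$1" && echo "$1: OK"
}

# --- constructed demo input: self-signed throwaway certificates stand in for
# the issued certificate and for the ca-bundle.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=yourdomain.example' \
    -keyout "$demo/yourdomain.key" -out "$demo/yourdomain.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Intermediate CA' \
    -keyout "$demo/unused-ca.key" -out "$demo/yourdomain.ca-bundle" 2>/dev/null

build_pem "$demo/yourdomain.crt" "$demo/yourdomain.ca-bundle" "$demo/yourdomain.key" "$demo/good.pem"
# Mistake 1: ca-bundle ahead of the server certificate (HAProxy key mismatch).
cat "$demo/yourdomain.ca-bundle" "$demo/yourdomain.crt" "$demo/yourdomain.key" > "$demo/bundle-first.pem"
# Mistake 2: ca-bundle forgotten (chain warnings on fresh clients).
cat "$demo/yourdomain.crt" "$demo/yourdomain.key" > "$demo/no-chain.pem"
# Mistake 3: certificate file without a trailing newline glues two blocks.
{ printf '%s' "$(cat "$demo/yourdomain.crt")"; cat "$demo/yourdomain.ca-bundle" "$demo/yourdomain.key"; } > "$demo/glued.pem"

for f in good bundle-first no-chain glued; do
    check_pem "$demo/$f.pem" || true
done
```

Run it as is to see the four verdicts, or call check_pem against your own combined file before haproxy -c. The key match test compares the public key taken from the first certificate block with the one derived from the Private Key, which is the same pairing HAProxy performs when it loads the file, so a file that passes here will not fail the configuration check on that point.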

If the reload succeeds but port 443 never answers, confirm no other service holds the port with ss -tlnp (HAProxy logs a cannot bind socket alert when one does), check that the frontend is bound to the expected address rather than only to 127.0.0.1 or a single interface, and make sure a host firewall is not dropping the port.

Professional Installation Assistance

Single frontend HAProxy installations are fast, but layered environments with multiple frontends, SNI routing, and backend re-encryption deserve careful hands.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗
