...
Create a Self-Signed SSL Certificate
Method 1:
Execute the following to create a self-signed certificate for the domain (you will be prompted for the subject fields, including the "Common Name"):

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout YOUR_DOMAIN.key -out YOUR_DOMAIN.crt
Concatenate YOUR_DOMAIN.crt (first) and YOUR_DOMAIN.key (second) into a single YOUR_DOMAIN.pem file; HAProxy expects the certificate before the private key in the bundle.
Copy YOUR_DOMAIN.pem to /etc/pki/tls/certs/YOUR_DOMAIN.pem
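The steps above as a non-interactive script, added here as an example and not part of the original page. It runs the same openssl command with -subj answering the prompts, assembles the bundle in the order HAProxy expects (certificate first, key second), creates the bundle with 0600 permissions because it contains the private key, and checks that the certificate and key in the bundle actually belong together before anything is copied to /etc/pki/tls/certs. It assumes the openssl CLI is installed; the domain and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): Method 1 as an unattended script.
# Assumes the openssl CLI is available; DOMAIN and OUTDIR are placeholders.
set -eu

# Create <outdir>/<domain>.key, .crt and .pem. Same command as on the page,
# with -subj supplying the Common Name so no prompt is shown.
make_selfsigned_pem() {
  domain=$1
  outdir=$2
  mkdir -p "$outdir"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$domain" \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
  # Certificate first, key second. The subshell umask creates the bundle 0600
  # so the private key is never world-readable, not even briefly.
  (umask 077; cat "$outdir/$domain.crt" "$outdir/$domain.key" > "$outdir/$domain.pem")
  chmod 600 "$outdir/$domain.key" "$outdir/$domain.pem"
}

# Return 0 if the bundle starts with the certificate block, as HAProxy expects.
pem_cert_first() {
  [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ]
}

# Return 0 if the certificate and the private key in a bundle carry the same
# public key, 1 otherwise. Catches a bundle assembled from the wrong key file.
pem_key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage with placeholders:
#   make_selfsigned_pem YOUR_DOMAIN ./out
#   pem_cert_first ./out/YOUR_DOMAIN.pem && pem_key_matches ./out/YOUR_DOMAIN.pem
```

Run the two checks on any bundle before it goes into /etc/pki/tls/certs; a mismatched key or a key-first bundle is what HAProxy otherwise reports only at startup.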
Info: Best practice for S3 is to create a wildcard SSL certificate, so repeat the same steps as above and, when prompted for the "Common Name", use "*.YOUR_DOMAIN". Copy the new CRT file to
To add the new wildcard certificate, in /etc/haproxy/haproxy.cfg change

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/selfsignedcer.pem

to

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/YOUR_DOMAIN.pem crt /etc/pki/tls/certs/YOUR_DOMAIN-wildcard.pem

Note: You can also keep your .pem files in a directory and pass that directory to the bind statement, for example:

bind 0.0.0.0:443 ssl crt /etc/pki/tls/certs/mycerts/

Info: Do this for every bind statement that has the ssl keyword configured. Restart HAProxy to activate:
Method 2:
A more modern approach is to create an openssl.conf file first; here is an example:

[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req

[ server_distinguished_name ]
commonName = swarm.acmeexample.localcom
stateOrProvinceName = Texas
countryName = US
emailAddress = admin@acmeadmin@example.localcom
organizationName = AcmeExample Inc.
organizationalUnitName = IT

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = *.swarm.acmeexample.localcom

Generate the private key:

openssl genrsa -out YOUR_DOMAIN.key 3072
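Method 2 carried through to a finished certificate, added here as an example and not part of the original page. The script writes a request config modelled on the one above, generates the 3072-bit key with genrsa exactly as on the page, issues the self-signed certificate from that config, and then reads the SAN back out of the result so a certificate that silently lost the wildcard name is caught before it reaches HAProxy. The extension section is named under both req_extensions (used when a CSR is produced) and x509_extensions (used when -x509 issues the certificate directly) so the SAN is applied whichever path is taken. It assumes the openssl CLI is installed; the hostname and DN values are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): Method 2 end to end.
# Assumes the openssl CLI is available; hostname and DN are constructed samples.
set -eu

# Write a request config for <domain> to <file>. Modelled on the page's
# openssl.conf; x509_extensions is added so "openssl req -x509" applies the
# same SAN section it would use for a CSR.
write_req_conf() {
  domain=$1
  file=$2
  cat > "$file" <<EOF
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req

[ server_distinguished_name ]
commonName = $domain
countryName = US
organizationName = Example Inc.

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = *.$domain
DNS.1 = $domain
EOF
}

# Generate <outdir>/<domain>.key (3072-bit RSA, as on the page) and a one-year
# self-signed <outdir>/<domain>.crt whose subject and SAN come from the config.
issue_selfsigned() {
  domain=$1
  outdir=$2
  mkdir -p "$outdir"
  write_req_conf "$domain" "$outdir/openssl.conf"
  # umask keeps the private key 0600 from the moment it is written.
  (umask 077; openssl genrsa -out "$outdir/$domain.key" 3072 2>/dev/null)
  openssl req -x509 -new -sha256 -days 365 -key "$outdir/$domain.key" \
    -config "$outdir/openssl.conf" -out "$outdir/$domain.crt" 2>/dev/null
}

# Print the certificate's SAN entries with spaces removed, e.g.
# "DNS:*.example.test,DNS:example.test". Empty output means no SAN was
# issued, which current browsers and S3 clients reject regardless of the CN.
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Print the RSA modulus size in bits of a private key file, e.g. "3072".
key_bits() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | head -n 1 \
    | sed 's/.*(\([0-9]*\) bit.*/\1/'
}

# Usage with a constructed hostname:
#   issue_selfsigned swarm.example.test ./out
#   cert_san ./out/swarm.example.test.crt
```

After issuing, the concatenation and bind steps from Method 1 apply unchanged; the SAN check is the one thing worth adding to that procedure, since a wildcard in the Common Name alone no longer satisfies clients.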
...