HAProxy SSL config works without systemctl, but with systemctl it is getting an error


OS: Fedora

The error shown by journalctl -u haproxy.service --since today --no-pager is:

Dec 01 15:17:13 fedora systemd[1]: Starting haproxy.service - HAProxy Load Balancer...
Dec 01 15:17:13 fedora systemd[1]: haproxy.service: Control process exited, code=exited, status=1/FAILURE
Dec 01 15:17:13 fedora systemd[1]: haproxy.service: Failed with result 'exit-code'.
Dec 01 15:17:13 fedora systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.

SSL keys were generated like this in the /SSL directory:

openssl req -x509 -newkey rsa:4096 -keyout certificate.pem.key -out certificate.pem -sha256 -days 20000 -nodes -subj "/C=/ST=/L=/O=/OU=/CN="

This is the config:

It reports as valid with haproxy -V -f /etc/haproxy/haproxy.cfg

global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms


frontend www
    mode http
    bind :80

    #
    # without this line, systemctl can start haproxy.service
    #
    # The private key is at "/SSL/certificate.pem.key"
    #
    bind :443 ssl crt "/SSL/certificate.pem"

    default_backend sites
    
backend sites
    balance leastconn
    server server1 0.0.0.0:8000 check
    server server2 0.0.0.0:8001 check

After:

systemctl start haproxy
systemctl status haproxy -l --no-pager

This error is shown:

× haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Fri 2023-12-01 15:06:29 PST; 16ms ago
   Duration: 1min 15.417s
    Process: 65885 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS (code=exited, status=1/FAILURE)
        CPU: 5ms

Dec 01 15:06:29 fedora systemd[1]: Starting haproxy.service - HAProxy Load Balancer...
Dec 01 15:06:29 fedora systemd[1]: haproxy.service: Control process exited, code=exited, status=1/FAILURE
Dec 01 15:06:29 fedora systemd[1]: haproxy.service: Failed with result 'exit-code'.
Dec 01 15:06:29 fedora systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer

However this command that systemctl runs can start the proxy without error, with that same config:

/usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d -p /run/haproxy.pid

Any help would be appreciated, thanks.

Bryan Grace On

Sorry, figured it out:

Ran

systemctl cat haproxy.service

to get the location of the haproxy.service commands.

Edited out the -q from ExecStartPre in:

/usr/lib/systemd/system/haproxy.service

Edited version:

[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=-/etc/sysconfig/haproxy
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"

ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c

# ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS

ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS


ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
SuccessExitStatus=143
Type=notify

[Install]
WantedBy=multi-user.target

Then reloaded the daemon.

systemctl daemon-reload

The error was:

Dec 01 16:03:43 fedora haproxy[69507]: [ALERT]    (69507) : config : parsing [/etc/haproxy/haproxy.cfg:30] : 'bind :443' in section 'frontend' : unable to stat SSL certificate from file '/SSL/certificate.pem' : No such file or directory.

So I moved

`/SSL/certificate.pem` to `/etc/haproxy/SSL/certificate.pem` 
`/SSL/certificate.pem.key` to `/etc/haproxy/SSL/certificate.pem.key` 

and the error disappeared.
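
The same diagnosis can be made without editing the packaged unit under /usr/lib/systemd/system, which a package update can overwrite. The script below is an added example, not part of the original answer: it builds a systemd drop-in that clears the inherited ExecStartPre and re-adds it without -q, so the config check's [ALERT] lines reach the journal. The function names and the drop-in file name 10-verbose-check.conf are assumptions.

```shell
#!/bin/sh
# Added example: generate a drop-in that makes haproxy's pre-start config
# check verbose, instead of editing the vendor unit file in place.

# make_verbose_dropin UNIT_FILE
# Prints drop-in text: an empty "ExecStartPre=" (which resets the list
# inherited from the vendor unit), then every active ExecStartPre line
# from UNIT_FILE with the -q flag removed. Commented-out lines are skipped.
make_verbose_dropin() {
    unit_file=$1
    [ -r "$unit_file" ] || { echo "cannot read $unit_file" >&2; return 1; }
    lines=$(grep -E '^ExecStartPre=.' "$unit_file" |
            sed -E 's/[[:space:]]+-q([[:space:]]|$)/\1/g')
    [ -n "$lines" ] || { echo "no ExecStartPre in $unit_file" >&2; return 1; }
    printf '[Service]\nExecStartPre=\n%s\n' "$lines"
}

# install_verbose_dropin UNIT_FILE DROPIN_DIR
# Writes the drop-in only if generation succeeded, so a failed run never
# leaves an empty override behind.
install_verbose_dropin() {
    text=$(make_verbose_dropin "$1") || return 1
    mkdir -p "$2" &&
        printf '%s\n' "$text" > "$2/10-verbose-check.conf"  # hypothetical name
}

# Typical use on the host, as root, followed by reading the journal:
#   install_verbose_dropin /usr/lib/systemd/system/haproxy.service \
#                          /etc/systemd/system/haproxy.service.d
#   systemctl daemon-reload
#   systemctl start haproxy
#   journalctl -u haproxy.service --since today --no-pager
```

Deleting the drop-in file and running systemctl daemon-reload again restores the packaged behaviour.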