HAProxy SSL Termination: Certificates, Chains, and Renewal at the Edge

March 30, 2026 · 7 min read

HAProxy is a strong place to terminate TLS. It is also a place where certificate mistakes have a large blast radius.

SSL termination means HAProxy accepts the HTTPS connection from the client, decrypts traffic at the edge, and forwards requests to backend services. This centralizes certificate handling and keeps backend applications simpler.

The tradeoff is concentration. If the HAProxy certificate expires, has the wrong private key, misses an intermediate chain, or is not reloaded after renewal, every service behind that frontend can be affected.

What HAProxy expects

HAProxy commonly expects a single PEM file containing the private key, the leaf certificate, and the intermediate chain. A frontend binding usually looks like this:

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/site.pem

The file at /etc/haproxy/certs/site.pem must be assembled correctly. Using only the leaf certificate often appears to work in simple tests, then fails for clients that cannot fetch the missing intermediate certificate.

Why manual renewal is fragile

A manual HAProxy certificate renewal usually includes multiple steps: obtain a new certificate, assemble the PEM file, place it in the correct path, validate the config, reload HAProxy, and verify that the live endpoint serves the new certificate.

Any one of those steps can be missed. Shorter certificate lifetimes make that process harder to justify because the same manual work repeats more often. A process that was barely acceptable once a year becomes a reliability problem when it runs every few weeks.

ACME delivery changes the workflow

Modern HAProxy deployments can integrate with ACME-based certificate workflows so issuance and renewal are automated. The ACME client handles certificate retrieval and renewal timing, while the deployment process ensures HAProxy gets the right PEM material and reloads safely.
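The renewal steps above (assemble the PEM, validate the config, reload, verify the live endpoint) as a post-renewal hook in POSIX shell. This is an added example, not code from the post or from CertLocker; the file paths, the "haproxy" systemd unit name and the argument layout are assumptions for illustration. It is the kind of script an ACME client invokes after issuance (certbot's --deploy-hook or acme.sh's --reloadcmd, for example), and it refuses to reload unless the PEM is structurally complete and the private key matches the leaf.

```shell
#!/bin/sh
# Post-renewal deploy hook for HAProxy. Added example, not code from the post.
# Steps, in the order the post lists them: assemble key + leaf + chain into the one
# PEM HAProxy expects, check the file's structure and that the key matches the leaf,
# validate the config, reload, then confirm what port 443 actually serves.
# The paths, the "haproxy" systemd unit and the argument layout are assumptions.
set -eu

# Assemble the PEM as HAProxy expects it: private key, leaf certificate, then the
# intermediate chain (the first CERTIFICATE block must be the leaf). Write to a temp
# file and rename so a reload never reads a half-written file; mode 0600 because
# the file holds the private key.
assemble_pem() {
    key="$1"; leaf="$2"; chain="$3"; out="$4"
    ( umask 077; cat "$key" "$leaf" "$chain" > "$out.tmp" )
    mv "$out.tmp" "$out"
}

# Structural check: exactly one private key and at least two certificates
# (leaf plus intermediate). A leaf-only file passes simple tests and then fails
# for clients that cannot fetch the missing intermediate. Non-zero on failure.
check_pem() {
    f="$1"
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] || { echo "$f: $certs certificate(s) only, intermediate chain missing?" >&2; return 1; }
}

# The "wrong private key" failure: the key's public half must equal the leaf's.
# openssl skips PEM blocks of the wrong type, so both can read the combined file.
keypair_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# Validate the whole config before touching the running process. If anything
# fails here, the old workers keep serving the old certificate untouched.
deploy() {
    pem="$1"; cfg="${2:-/etc/haproxy/haproxy.cfg}"
    check_pem "$pem"
    keypair_matches "$pem" || { echo "$pem: private key does not match the leaf" >&2; return 1; }
    haproxy -c -f "$cfg"
    systemctl reload haproxy
}

# Renewal is not finished until the fingerprint served on 443 equals the leaf
# on disk; a missed reload leaves them different while the file looks fine.
verify_served() {
    host="$1"; pem="$2"
    disk=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    live=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
    [ "$disk" = "$live" ]
}

# Usage: deploy-haproxy-cert.sh HOST KEY LEAF CHAIN OUT_PEM
if [ "$#" -eq 5 ]; then
    assemble_pem "$2" "$3" "$4" "$5"
    deploy "$5"
    verify_served "$1" "$5"
fi
```

The ordering of the checks is the point: nothing that can fail happens after the reload except the final fingerprint comparison, so a bad PEM never reaches the running process, and a successful exit means the edge really serves the new certificate rather than just holding it on disk.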

CertLocker fits this model as a central control plane. It can expose ACME-compatible certificate delivery while keeping issuance scoped and auditable. HAProxy gets automation; platform teams keep visibility and control.

What to monitor

  • The certificate served on port 443, not only the certificate file on disk.
  • Expiry and renewal status for every HAProxy frontend certificate.
  • Successful HAProxy reloads after renewal.
  • Complete certificate chains for each served hostname.
  • Audit history showing who or what requested and delivered the certificate.
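The first four items on that list, as a small monitor in POSIX shell that looks at what port 443 serves rather than at the file on disk. This is an added example, not code from the post or from CertLocker; the hostnames, PEM paths and the 14-day warning threshold are assumptions. For each frontend it confirms the served leaf matches the deployed PEM (a proxy for "the reload after renewal happened"), that an intermediate chain is actually sent, and that expiry is further out than the threshold.

```shell
#!/bin/sh
# Edge certificate monitor for HAProxy frontends. Added example, not code from the post.
# It inspects what port 443 serves, not the file on disk: the served leaf must match
# the deployed PEM, an intermediate chain must be sent, and expiry must be further
# out than WARN_DAYS. Hostnames, PEM paths and the 14-day default are assumptions.
set -eu

WARN_DAYS="${WARN_DAYS:-14}"

# Full chain presented by the server (leaf + intermediates) as PEM on stdout.
served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Count CERTIFICATE blocks in PEM text on stdin. Depth 1 means no intermediate
# was sent: the setup that works in simple tests and fails for strict clients.
chain_depth() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# SHA-256 fingerprint of the first certificate in PEM text on stdin; openssl
# skips the private key block when the deployed PEM is piped in.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# Check one frontend. Prints "HOST STATUS detail"; returns 0 only for OK.
check_host() {
    host="$1"; pem="$2"
    chain=$(served_chain "$host") || { echo "$host FAIL no TLS handshake on 443"; return 1; }
    depth=$(printf '%s\n' "$chain" | chain_depth)
    live=$(printf '%s\n' "$chain" | fingerprint)
    disk=$(fingerprint < "$pem")
    if [ "$live" != "$disk" ]; then
        echo "$host FAIL served leaf differs from $pem (renewal not reloaded?)"; return 1
    fi
    if [ "$depth" -lt 2 ]; then
        echo "$host FAIL chain depth $depth, intermediate not served"; return 1
    fi
    if ! printf '%s\n' "$chain" | openssl x509 -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "$host WARN leaf expires within $WARN_DAYS days"; return 2
    fi
    echo "$host OK chain depth $depth"
}

# Usage: haproxy-cert-monitor.sh HOSTS_FILE
# HOSTS_FILE has one "hostname /etc/haproxy/certs/site.pem" pair per line.
if [ "$#" -eq 1 ]; then
    rc=0
    while read -r host pem; do
        check_host "$host" "$pem" || rc=1
    done < "$1"
    exit "$rc"
fi
```

Run it from cron or a monitoring agent with a hosts file listing every HAProxy frontend hostname next to its PEM path; a non-zero exit or any FAIL/WARN line is the alert. The "served leaf differs from disk" case is the one to watch after every renewal: the file on disk is new, but until the reload happened the edge is still serving the old certificate.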

The best HAProxy certificate process is one operators rarely touch directly. Humans should design the policy and respond to alerts. Software should handle renewal, delivery, reload, and verification.