pfSense » pfSense Packages

Glad someone else stumbled upon this.

I am working with 2x Netgate 1541 in HA (25.0.7-1).
I have tested with ACME + HAProxy (stable 0.63_11 & devel 0.64_2 (3.0-dev13-f76e735))

To add from my testing, the .pem file uses the name you give the frontend as its base filename.
Example, if you named your frontend "companyweb_frontend" then the .pem would be created as /var/etc/haproxy_test/companyweb_frontend.pem.
I verified this by SSH and ls-ing /var/etc/haproxy_test/

For some reason, HAProxy (both stable & devel) are looking for /var/etc/haproxy_test/clientca_companyweb_frontend.pem.
I tried tricking this bug by renaming my frontend "clientca_companyweb_frontend", but then haproxy just started throwing ALERTs for not finding /var/etc/haproxy_test/clientca_clientca_companyweb_frontend.pem.

Seems whatever you name your frontend, HAProxy adds clientca_ to whatever your frontend name is.

Not sure if this helps, but these are my findings.

I couldn't replicate it.

Tested against:

25.07.1-RELEASE (amd64)
built on Fri Oct 24 14:27:00 UTC 2025
FreeBSD 15.0-CURRENT

HAproxy Installed version2.9.14-7c591d5

I tested with an Acme certificate with the frontend in SSL offloading enabled.

 # Automaticaly generated, dont edit manually.
# Generated on: 2025-11-01 18:32
global
    maxconn            1000
    stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    uid            80
    gid            80
    nbthread            1
    hard-stop-after        15m
    chroot                /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend test_LAB
    bind            192.168.33.10:443 name 192.168.33.10:443   ssl crt-list /var/etc/haproxy/test_LAB.crt_list  
    mode            http
    log            global
    option            http-keep-alive
    timeout client        30000
    acl            acl1    var(txn.txnhost) -m str -i testlab.ipbgd.com
    acl            aclcrt_test_LAB    var(txn.txnhost) -m reg -i ^testlab\.ipbgd\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend backend1_ipvANY  if  acl1 aclcrt_test_LAB

backend backend1_ipvANY
    mode            http
    id            100
    log            global
    http-check        send meth GET
    timeout connect        30000
    timeout server        30000
    retries            3
    load-server-state-from-file    global
    option            httpchk
    server            backend1 192.168.10.1:80 id 101 check inter 1000

The service starts normally with no error logs.

However, I worked on a customer's firewall with the same setup as mine. The HAProxy fails, as reported in this bug report.

Multi-Instance Management service was enabled on our BOX, perhaps this information will be helpful.