After configuring CA and certificate PKI settings in VyOS and then referencing them in the reverse-proxy settings, it appears the files have been created in the /run/haproxy/ directory with hardcoded filenames instead of ones that match the PKI names as the reverse-proxy expects, which prevents HAProxy from starting.
```
configure
set pki ca test-ca-1 certificate 'REDACTED'
set pki certificate test-cert-1 certificate 'REDACTED'
set pki certificate test-cert-1 private key 'REDACTED'
set load-balancing reverse-proxy backend test-backend-1 mode 'http'
set load-balancing reverse-proxy backend test-backend-1 server test-server-1 address '10.11.12.1'
set load-balancing reverse-proxy backend test-backend-1 server test-server-1 port '443'
set load-balancing reverse-proxy backend test-backend-1 ssl ca-certificate 'test-ca-1'
set load-balancing reverse-proxy service test-frontend-1 mode 'http'
set load-balancing reverse-proxy service test-frontend-1 port '8080'
set load-balancing reverse-proxy service test-frontend-1 ssl certificate 'test-cert-1'
commit

Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xeu haproxy.service" for details
```
```
tail -n 15 /run/haproxy/haproxy.cfg

# Frontend
frontend test-frontend-1
    bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
    mode http

# Backend
backend test-backend-1
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    mode http
    server test-server-1 10.11.12.1:443 ssl ca-file /run/haproxy/test-ca-1.pem
```
```
find /run/haproxy/

/run/haproxy/
/run/haproxy/haproxy.cfg
/run/haproxy/ca.pem
/run/haproxy/cert.pem.key
/run/haproxy/cert.pem
```
Current workaround is to use ca for the CA identifier and cert for the cert identifier, but this of course limits you to a single one of each to use with the reverse-proxy.
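A quick way to confirm this mismatch on an affected system is to list every `crt` and `ca-file` path that haproxy.cfg references and compare it with the files actually present. The script below is an added example, not part of the original report or of VyOS; the function names are hypothetical, and the embedded sample data is reduced from the config and `find` output shown above.

```python
from pathlib import Path

# Sample data reduced from the report above (PKI-related lines only).
SAMPLE_CFG = """\
# Frontend
frontend test-frontend-1
    bind :::8080 v4v6 ssl crt /run/haproxy/test-cert-1.pem
# Backend
backend test-backend-1
    server test-server-1 10.11.12.1:443 ssl ca-file /run/haproxy/test-ca-1.pem
"""
SAMPLE_FILES = {"/run/haproxy/haproxy.cfg", "/run/haproxy/ca.pem",
                "/run/haproxy/cert.pem.key", "/run/haproxy/cert.pem"}

# HAProxy bind/server keywords whose next token is a file path.
PATH_KEYWORDS = ("crt", "ca-file")

def referenced_pki_files(cfg_text):
    """Return (section, keyword, path) for each crt/ca-file reference."""
    refs, section = [], None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] in ("frontend", "backend", "listen") and len(tokens) > 1:
            section = f"{tokens[0]} {tokens[1]}"
        elif tokens[0] in ("bind", "server"):
            # Options start after the address (bind) or name (server).
            for i in range(2, len(tokens) - 1):
                if tokens[i] in PATH_KEYWORDS:
                    refs.append((section, tokens[i], tokens[i + 1]))
    return refs

def missing_pki_files(cfg_text, present):
    """References whose target path is absent from the set of present files."""
    return [r for r in referenced_pki_files(cfg_text) if r[2] not in present]

if __name__ == "__main__":
    cfg = Path("/run/haproxy/haproxy.cfg")
    if cfg.exists():  # on the router: check the live config and directory
        text, present = cfg.read_text(), {str(p) for p in cfg.parent.iterdir()}
    else:             # elsewhere: fall back to the sample from the report
        text, present = SAMPLE_CFG, SAMPLE_FILES
    for section, keyword, path in missing_pki_files(text, present):
        print(f"{section}: {keyword} {path} not found")
```

With the sample data it reports both the frontend `crt` and the backend `ca-file` reference as missing, which matches the failed haproxy start.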