“After adding the CRL to HAProxy, I get the following error. However, if I remove the CRL configuration, everything works correctly. My CA certificate chain and everything else are correct. The problem is not with the certificate. The problem lies in the HAProxy configuration. Below, I am including both the error and my configuration. The error indicates that there is a problem with the CA, but there is no issue regarding that.”
Error Log:
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
Configuration:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend main
    bind *:5000
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app

backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

backend app
    balance roundrobin
    server app1 127.0.0.1:5001 check
    server app2 127.0.0.1:5002 check
    server app3 127.0.0.1:5003 check
    server app4 127.0.0.1:5004 check

backend backend1
    server server1 192.168.232.10:8080 check

frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/igca/firsthaproxy.az ca-file /etc/haproxy/certs/igca/igchain.crt verify required crl-file /etc/haproxy/certs/igca/revoked.crl
    mode http
    acl valid_client_cert ssl_c_verify 0
    use_backend backend1 if valid_client_cert
    bind *:80
    http-request redirect scheme https if !{ ssl_fc }
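The lines in the error log are HAProxy's own client-verification messages, and the first thing to do when tuning a `verify required` listener is to see which class of failure is being hit, by which clients, on which frontend. The following is an added example, not code from the question or from HAProxy: a small Python parser over the four log lines quoted above (embedded as constructed sample input) that groups failures by message class, client address and frontend. It assumes the line shape shown in the question (syslog prefix, `client:port`, accept timestamp, `frontend/listener`, message).

```python
import re
from collections import Counter

# Constructed sample input: the four lines quoted in the question.
SAMPLE_LOG = """\
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
"""

# Shape of an HAProxy SSL error line as it appears in the question:
# <syslog ts> <host> haproxy[<pid>]: <client>:<port> [<accept ts>] <frontend>/<listener>: <message>
LINE_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client>\S+):(?P<port>\d+) \[(?P<accept_ts>[^\]]+)\] "
    r"(?P<frontend>[^/\s]+)/(?P<listener>\d+): (?P<message>.+)$"
)

# Message substring -> failure class. "CA chain" means a CA in the client's chain
# failed verification (with crl-file set, HAProxy's manual requires a CRL for every
# CA in that chain); "not trusted" refers to the leaf certificate itself.
CLASSES = (
    ("CA chain cannot be verified", "ca_chain"),
    ("certificate not trusted", "leaf_cert"),
    ("handshake failure", "handshake"),
)

def parse_line(line):
    """Return the fields of one log line, or None if it is not an SSL error line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["class"] = next((c for s, c in CLASSES if s in rec["message"]), "other")
    return rec

def summarize(log_text):
    """Count SSL failures per class, per client address and per frontend."""
    by_class, by_client, by_frontend = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_class[rec["class"]] += 1
        by_client[rec["client"]] += 1
        by_frontend[rec["frontend"]] += 1
    return {"by_class": by_class, "by_client": by_client, "by_frontend": by_frontend}

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, dict(counts))
```

The HAProxy configuration manual states for `crl-file` that a certificate revocation list must be provided for every certificate in the CA chain, so a `ca_chain` failure that appears only once `crl-file` is added is worth checking against that requirement before touching the certificates.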