Add CRL Error | SSL client CA chain cannot be verified

“After adding the CRL to HAProxy, I get the following error. However, if I remove the CRL configuration, everything works correctly. My CA certificate chain and everything else are correct. The problem is not with the certificate. The problem lies in the HAProxy configuration. Below, I am including both the error and my configuration. The error indicates that there is a problem with the CA, but there is no issue regarding that.”

Error Log:
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:41 localhost haproxy[8502]: 192.168.232.1:56648 [21/Oct/2024:17:35:41.193] https_frontend/1: SSL handshake failure
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
Oct 21 17:35:42 localhost haproxy[8502]: 192.168.232.1:56649 [21/Oct/2024:17:35:42.527] https_frontend/1: SSL client CA chain cannot be verified
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend main
    bind *:5000
    acl url_static       path_beg       -i /static /images /javascript /stylesheets
    acl url_static       path_end       -i .jpg .gif .png .css .js

    use_backend static          if url_static
    default_backend             app

backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

backend app
    balance     roundrobin
    server  app1 127.0.0.1:5001 check
    server  app2 127.0.0.1:5002 check
    server  app3 127.0.0.1:5003 check
    server  app4 127.0.0.1:5004 check



backend backend1
    server server1 192.168.232.10:8080 check

frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/certs/igca/firsthaproxy.az ca-file /etc/haproxy/certs/igca/igchain.crt verify required crl-file /etc/haproxy/certs/igca/revoked.crl
    
    mode http
    acl valid_client_cert ssl_c_verify 0
    use_backend backend1 if valid_client_cert
    bind *:80
    http-request redirect scheme https if !{ ssl_fc }