Thanks guys. It’s working now. Here is what I think went wrong:
1st attempt, I didn’t follow the instructions carefully when generating the device certificate from the guide I was following, specifically the line regarding server_cert instead of usr_cert. I also tried changing the ca-file from having just root and intermediate certs to root, intermediate and device.
2nd attempt I followed the instructions carefully but was trying to be too clever by using ECDSA to generate the private keys. As I was testing at the time with my Android (7.1.2) phone, I couldn’t get the pkcs12 to install.
3rd attempt, I followed the cert instructions and used RSA. I’m not sure if it made a difference but I didn’t put a password on the device private key (which might be removed during pfx export?), but otherwise did the same thing as above and it all works on my phone and laptop.
bind 220.127.116.11:443 ssl crt /etc/haproxy/certs/hostname-dh.pem ca-file /etc/haproxy/cert/root-int.ca.pem verify optional
acl cert_present ssl_c_used 1
acl cert_verified ssl_c_verify 0
acl url_sick path_beg /sick
use_backend www-sick if url_sick cert_present cert_verified
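Added example (my own script, not from the post or its guide): it rebuilds the two things that went wrong above with openssl, a device cert issued with client-cert extensions (the usr_cert style, clientAuth) versus server-cert extensions (server_cert style, serverAuth), and a ca-file holding only root and intermediate, then runs the same chain-plus-purpose check that stands behind ssl_c_verify 0. Subject names, file names and the temp directory are made up.

```shell
#!/bin/sh
# Added example, not the poster's code. Builds root -> intermediate -> device
# with openssl and checks the device cert the way HAProxy's `verify` would.
set -eu

WORK=$(mktemp -d)   # throwaway directory for keys and certs (assumption: mktemp exists)

# Self-signed root and an intermediate signed by it (both CA:TRUE, keyCertSign).
make_ca_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # The ca-file HAProxy gets: only the issuing CAs, never the device cert itself.
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root-int.ca.pem"
}

# Issue a device cert from the intermediate. $1 = name, $2 = extendedKeyUsage:
# clientAuth is what a usr_cert-style section gives, serverAuth is server_cert-style.
make_device_cert() {
  name=$1; eku=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Returns 0 only when the cert chains to the ca-file AND may be used as a TLS
# client cert; a serverAuth-only EKU fails the sslclient purpose check.
device_cert_ok() {
  openssl verify -CAfile "$WORK/root-int.ca.pem" -purpose sslclient "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca_chain
make_device_cert phone-good clientAuth
make_device_cert phone-bad serverAuth
device_cert_ok phone-good && echo "phone-good: chains to ca-file and is a valid client cert"
device_cert_ok phone-bad || echo "phone-bad: rejected, server_cert-style extensions"
```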