Backend down: Layer6 invalid response, info: "SSL handshake failure"

Hello Guys,

I have tried so many different things from different available solutions but for some reason backend failed to show up as available. My backend server is running on https with an internal CA signed certificate, Here are the config and other informations:

  ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  log         /dev/log local0
  chroot      /var/lib/haproxy
  pidfile     /var/run/
  maxconn     4000
  user        haproxy
  group       haproxy
  stats socket /var/lib/haproxy/stats
  tune.ssl.default-dh-param 2048

  mode                    http
  log                     global
  option                  httplog
  option                  dontlognull
  option http-server-close
  option forwardfor       except
  option                  redispatch
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s
  maxconn                 3000

frontend com-http
  mode http
  bind ssl crt /etc/ssl/certs/abc.pem alpn http/1.1

  acl us1-adfs1 hdr(host) -i
  use_backend bak-sso if us1-adfs1

backend bak-sso
  mode http
  balance roundrobin
  option httpchk GET /FederationMetadata/2007-06/FederationMetadata.xml
  http-check expect status 200
  option forwardfor header X-Client
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  server adfs1 check check-ssl ca-file /etc/ssl/certs/internal_ca.pem


# openssl version
OpenSSL 1.1.1t  7 Feb 2023

# openssl s_client -connect -CAfile /etc/ssl/certs/internal_ca.pem
depth=1 DC = internal, DC = abc, CN = us1-ca1
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:DC = internal, DC = abc, CN = us1-ca1
Server certificate

subject=CN =

issuer=DC = internal, DC = abc, CN = us1-ca1

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
SSL handshake has read 2016 bytes and written 483 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B30600009979EC777388DFF2DBB4A029D121E6D6E44640D98DC4FCF8048E5BCA
    Master-Key: 8636D20374A5A673DD3D2F410D5D9A9E91EBA8744F5BFBC48B1B5F1A825CF149A4359E5639C44BD8F464CD8E0491133D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1696893367
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

@lukastribus could you please help when you have time?

You have forced the health check to be ssl (by using check-ssl), however you did not actually enable ssl (keyword: ssl).

It should be something like:

server adfs1 ssl check ca-file /etc/ssl/certs/internal_ca.pem sni 

If it fails, try using verify none just to see if its a cert verification problem. Use sni or verifyhost to specify the hostname used for certificate names.

Also check: