Backend down: Layer6 invalid response, info: "SSL handshake failure"

Help!
1

Hello Guys,

I have tried so many different things from different available solutions but for some reason backend failed to show up as available. My backend server is running on https with an internal CA signed certificate, Here are the config and other informations:

global
  ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  log         /dev/log local0
  chroot      /var/lib/haproxy
  pidfile     /var/run/haproxy.pid
  maxconn     4000
  user        haproxy
  group       haproxy
  daemon
  stats socket /var/lib/haproxy/stats
  tune.ssl.default-dh-param 2048

defaults
  mode                    http
  log                     global
  option                  httplog
  option                  dontlognull
  option http-server-close
  option forwardfor       except 127.0.0.0/8
  option                  redispatch
  retries                 3
  timeout http-request    10s
  timeout queue           1m
  timeout connect         10s
  timeout client          1m
  timeout server          1m
  timeout http-keep-alive 10s
  timeout check           10s
  maxconn                 3000

frontend com-http
  mode http
  bind 192.168.10.55:443 ssl crt /etc/ssl/certs/abc.pem alpn http/1.1
  bind 192.168.10.55:80

  acl us1-adfs1 hdr(host) -i sso.abc.com
  use_backend bak-sso if us1-adfs1

backend bak-sso
  mode http
  balance roundrobin
  option httpchk GET /FederationMetadata/2007-06/FederationMetadata.xml
  http-check expect status 200
  option forwardfor header X-Client
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  server adfs1 adfs1.abc.internal:443 check check-ssl ca-file /etc/ssl/certs/internal_ca.pem

===============================================================================================

# openssl version
OpenSSL 1.1.1t  7 Feb 2023

# openssl s_client -connect adfs1.abc.internal:443 -CAfile /etc/ssl/certs/internal_ca.pem
CONNECTED(00000003)
depth=1 DC = internal, DC = abc, CN = us1-ca1
verify return:1
depth=0 CN = adfs1.abc.interanl
verify return:1
---
Certificate chain
 0 s:CN = adfs1.abc.internal
   i:DC = internal, DC = abc, CN = us1-ca1
---
Server certificate
-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----
subject=CN = adfs1.abc.internal

issuer=DC = internal, DC = abc, CN = us1-ca1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2016 bytes and written 483 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B30600009979EC777388DFF2DBB4A029D121E6D6E44640D98DC4FCF8048E5BCA
    Session-ID-ctx: 
    Master-Key: 8636D20374A5A673DD3D2F410D5D9A9E91EBA8744F5BFBC48B1B5F1A825CF149A4359E5639C44BD8F464CD8E0491133D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1696893367
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=104
2

@lukastribus could you please help when you have time?

3

You have forced the health check to be ssl (by using check-ssl), however you did not actually enable ssl (keyword: ssl).

It should be something like:

server adfs1 adfs1.abc.internal:443 ssl check ca-file /etc/ssl/certs/internal_ca.pem sni

If it fails, try using verify none just to see if its a cert verification problem. Use sni or verifyhost to specify the hostname used for certificate names.

Also check:
http://docs.haproxy.org/2.6/configuration.html#ca-file%20(Server%20and%20default-server%20options)
http://docs.haproxy.org/2.6/configuration.html#5.2-verify