Backend server ssl verification error

Dear All,

I’m absolutely not an expert in haproxy and ssl/tls and I’m stucked in a problem. I would like to make a re-encryption on the backend side, but the ssl/tls check gives me the famous ‘Layer6 invalid response: SSL handshake failure’, in tcpdump ‘Unknown CA (48)’.

I use the following configuration in the backend:

backend be_intranet
mode http
server myserver check inter 1s weight 1 ssl verify required verifyhost ca-file /path/bundle.crt

I tried it with addition check-sni also but no luck.

If I changed it to the verify none then all works, but the goal is not that.

I tried it with curl, and it seems for me ok:

curl -v --connect-to --cacert ./bundle.crt

  • Connecting to hostname:
  • Connecting to port: 443
  • Trying…
  • Connected to ( port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: ./bundle2.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server accepted to use http/1.1
  • Server certificate:
  • subject: CN=*
  • start date: Mar 21 12:16:16 2022 GMT
  • expire date: Jun 19 12:16:15 2022 GMT
  • subjectAltName: host “” matched cert’s “*”
  • issuer: C=US; O=Let’s Encrypt; CN=R3
  • SSL certificate verify ok.
    GET / HTTP/1.1
    User-Agent: curl/7.74.0
    Accept: /

While in the tcpdump the check stucked in the client hello/server hello.

Any help appreciated (also if there is any way to turn on a more detailed log related to backend tsl verification).

Thank you very much

Ps: sorry for bad english

add SNI to the backend configuration:

sni str( check-sni

Thank you for fast answer.
Unfortunately it does not help, error is the same

server myserver check inter 1s weight 1 ssl verify required verifyhost ca-file /path/bundle.crt sni str( check-sni

@lukastribus Thanks for the answer but it is not working. Please share any other possible solutions if you have them.