Dear All,
I’m absolutely not an expert in HAProxy or SSL/TLS, and I’m stuck on a problem. I would like to re-encrypt on the backend side, but the SSL/TLS health check gives me the famous ‘Layer6 invalid response: SSL handshake failure’, and in tcpdump ‘Unknown CA (48)’.
I use the following configuration in the backend:
backend be_intranet
    mode http
    server myserver 10.2.1.27:443 check inter 1s weight 1 ssl verify required verifyhost intranet.mydomain.co.com ca-file /path/bundle.crt
I also tried adding check-sni intranet.mydomain.co.com, but no luck.
If I change it to verify none then everything works, but that is not the goal.
I tried it with curl, and it seems OK to me:
curl -v --connect-to intranet.mydomain.co.com:443:10.2.1.27:443 --cacert ./bundle.crt https://intranet.mydomain.co.com
- Connecting to hostname: 10.2.1.27
- Connecting to port: 443
- Trying 10.2.1.27:443…
- Connected to 10.2.1.27 (10.2.1.27) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: ./bundle2.crt
- CApath: /etc/ssl/certs
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
- ALPN, server accepted to use http/1.1
- Server certificate:
- subject: CN=*.mydomain.co.com
- start date: Mar 21 12:16:16 2022 GMT
- expire date: Jun 19 12:16:15 2022 GMT
- subjectAltName: host “intranet.mydomain.co.com” matched cert’s “*.mydomain.co.com”
- issuer: C=US; O=Let’s Encrypt; CN=R3
- SSL certificate verify ok.
GET / HTTP/1.1
Host: intranet.mydomain.co.com
User-Agent: curl/7.74.0
Accept: */*
…
While in tcpdump the check gets stuck at the client hello/server hello.
Any help is appreciated (also, is there any way to turn on more detailed logging related to backend TLS verification?).
Thank you very much
PS: sorry for my bad English.
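An added example for the post above (my own, not code from the original poster or from HAProxy). The curl run is not quite the same test as the HAProxy check: curl's output shows it loaded both the CAfile and CApath /etc/ssl/certs, so it had the system roots available, while ca-file is the only trust store the HAProxy server line uses. The script below rebuilds that situation offline with a throw-away root, intermediate and wildcard leaf, and runs OpenSSL's verifier with the system store excluded, so each ca-file variant can be checked on its own. It assumes only the openssl CLI; every name in it (Demo Root, Demo R3, the wildcard *.mydomain.co.com, the file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the trust
# situation behind "ssl verify required verifyhost ... ca-file ..." with a
# throw-away chain so ca-file contents can be tested offline. Assumes only
# the openssl CLI; all names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: an intermediate must assert CA:TRUE; the leaf needs a SAN,
# which is what verifyhost (like curl's "subjectAltName ... matched") checks.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mydomain.co.com\n' > leaf.ext

# Self-signed root -> intermediate ("Demo R3" stands in for the Let's Encrypt
# issuer) -> wildcard leaf, all short-lived.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Demo Root' >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile ca.ext >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout r3.key -out r3.csr \
    -subj '/CN=Demo R3' >/dev/null 2>&1
openssl x509 -req -in r3.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out r3.crt -days 2 -extfile ca.ext >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=*.mydomain.co.com' >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA r3.crt -CAkey r3.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext >/dev/null 2>&1

# Candidate ca-file contents (constructed).
cp root.crt bundle_root.crt                  # self-signed root only
cp r3.crt   bundle_r3_only.crt               # intermediate only, no root
cat root.crt r3.crt > bundle_root_and_r3.crt # root plus intermediate

# verify_chain BUNDLE LEAF HOST [INTERMEDIATE...]
# Emulates "verify required verifyhost HOST ca-file BUNDLE" against a server
# whose handshake presented LEAF plus the listed intermediates. Intermediates
# go in as -untrusted: usable for chain building, not trusted by themselves,
# which is how a TLS client treats what the server sends. -no-CAfile and
# -no-CApath keep the system store out, the difference from the curl run in
# the post, which also loaded CApath /etc/ssl/certs (OpenSSL 3 additionally
# has -no-CAstore). Exit status is openssl's: 0 means the chain verified.
verify_chain() {
    bundle=$1; leaf=$2; host=$3; shift 3
    extra=''
    for f in "$@"; do extra="$extra -untrusted $f"; done
    # $extra is deliberately unquoted so each "-untrusted FILE" splits into words.
    openssl verify -no-CAfile -no-CApath -CAfile "$bundle" $extra \
        -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# report LABEL CMD...: print OK/FAIL for one scenario without aborting on FAIL.
report() {
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

HOST=intranet.mydomain.co.com
report "root in ca-file, server sends leaf only (no intermediate)" \
    verify_chain bundle_root.crt leaf.crt "$HOST"
report "root in ca-file, server sends leaf + intermediate" \
    verify_chain bundle_root.crt leaf.crt "$HOST" r3.crt
report "only the intermediate in ca-file (chain never reaches a self-signed root)" \
    verify_chain bundle_r3_only.crt leaf.crt "$HOST" r3.crt
report "root + intermediate in ca-file, server sends leaf only" \
    verify_chain bundle_root_and_r3.crt leaf.crt "$HOST"
report "good chain, but verifyhost does not match the SAN" \
    verify_chain bundle_root.crt leaf.crt other.example.net r3.crt
```

The two failing bundle cases are the ones that produce an unknown CA alert from the client side: either the server sends only its leaf and the bundle does not contain the intermediate, or the bundle contains only the intermediate and no self-signed root (OpenSSL does not accept a non-self-signed trust anchor without the partial-chain flag). In the post the issuer is Let's Encrypt R3, which is an intermediate, so the bundle needs the root it chains to (in 2022, ISRG Root X1). To run the same isolated check against the real backend instead of the demo chain, use `openssl s_client -connect 10.2.1.27:443 -servername intranet.mydomain.co.com -CAfile /path/bundle.crt -no-CAfile -no-CApath -verify_hostname intranet.mydomain.co.com -verify_return_error -showcerts </dev/null`; `-showcerts` also prints exactly which certificates the server sends, which tells you whether R3 is missing from the handshake.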