Backend server ssl verification error

Dear All,

I'm absolutely not an expert in HAProxy and SSL/TLS, and I'm stuck on a problem. I would like to do re-encryption on the backend side, but the SSL/TLS check gives me the famous 'Layer6 invalid response: SSL handshake failure', and in tcpdump 'Unknown CA (48)'.

I use the following configuration in the backend:

backend be_intranet
mode http
server myserver 10.2.1.27:443 check inter 1s weight 1 ssl verify required verifyhost intranet.mydomain.co.com ca-file /path/bundle.crt

I also tried adding check-sni intranet.mydomain.co.com, but no luck.

If I change it to verify none then everything works, but that is not the goal.

I tried it with curl, and it seems OK to me:

curl -v --connect-to intranet.mydomain.co.com:443:10.2.1.27:443 --cacert ./bundle.crt https://intranet.mydomain.co.com

* Connecting to hostname: 10.2.1.27
* Connecting to port: 443
*   Trying 10.2.1.27:443...
* Connected to 10.2.1.27 (10.2.1.27) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ./bundle2.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.mydomain.co.com
*  start date: Mar 21 12:16:16 2022 GMT
*  expire date: Jun 19 12:16:15 2022 GMT
*  subjectAltName: host "intranet.mydomain.co.com" matched cert's "*.mydomain.co.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: intranet.mydomain.co.com
> User-Agent: curl/7.74.0
> Accept: */*

In the tcpdump, meanwhile, the check gets stuck at the client hello/server hello.

Any help appreciated (also if there is any way to turn on more detailed logging related to backend TLS verification).

Thank you very much

PS: sorry for my bad English

Add SNI to the backend configuration:

sni str(intranet.mydomain.co.com) check-sni intranet.mydomain.co.com

Thank you for the fast answer.
Unfortunately it does not help; the error is the same.

server myserver 10.2.1.27:443 check inter 1s weight 1 ssl verify required verifyhost intranet.mydomain.co.com ca-file /path/bundle.crt sni str(intranet.mydomain.co.com) check-sni intranet.mydomain.co.com

@lukastribus Thanks for the answer but it is not working. Please share any other possible solutions if you have them.
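The thread ends unresolved, so here is an added diagnostic script (not from any poster) that reproduces what HAProxy's backend check does, trusting only the ca-file with no system CApath, sending SNI and checking the hostname, and that lists the subject and issuer of each certificate in the bundle; this matters because the curl run above also loaded CApath /etc/ssl/certs, which can make curl succeed where a bundle that cannot complete the chain on its own makes HAProxy send the "unknown CA" alert. The host, IP and ca-file path are the thread's own; the helper names are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Assumed names: bundle_certs,
# verify_rc, verify_like_haproxy. Host/IP/ca-file values are the thread's own.

# List "kind: subject  <-  issuer" for each certificate in a PEM bundle.
# HAProxy must be able to chain the server's leaf (issued by R3) up to a
# root present in this file; otherwise it sends the "unknown CA" alert.
bundle_certs() {
    tmp=$(mktemp -d) || return 1
    # split the bundle into one file per PEM block
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        s=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        i=$(openssl x509 -noout -issuer  -in "$f" | sed 's/^issuer= *//')
        if [ "$s" = "$i" ]; then kind=root; else kind=intermediate; fi
        printf '%s: %s  <-  %s\n' "$kind" "$s" "$i"
    done
    rm -rf "$tmp"
}

# Extract the numeric "Verify return code" from openssl s_client output
# (empty string if the line is absent, e.g. the connection never completed).
verify_rc() {
    printf '%s\n' "$1" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Reproduce HAProxy's check: trust ONLY the ca-file (-no-CApath), send SNI
# (-servername) and match the hostname, like "verify required verifyhost".
# curl in the thread also used CApath /etc/ssl/certs, so it can pass where
# HAProxy, which reads only ca-file, fails.
verify_like_haproxy() {
    host=$1; ip=$2; port=$3; cafile=$4
    out=$(printf '' | openssl s_client -connect "$ip:$port" -servername "$host" \
            -verify_hostname "$host" -CAfile "$cafile" -no-CApath 2>&1)
    printf '%s\n' "$out" | grep -E '^ *(depth=|verify error|Verify return code)'
    [ "$(verify_rc "$out")" = "0" ]
}

if [ $# -eq 4 ]; then
    bundle_certs "$4"
    verify_like_haproxy "$@"
fi
# e.g.: sh check.sh intranet.mydomain.co.com 10.2.1.27 443 /path/bundle.crt
```

A bundle listing that shows only the R3 intermediate, with no root whose subject matches R3's issuer, explains an "unknown CA" alert even though curl reports "SSL certificate verify ok".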