Certificate not trusted/unknown once CRL is configured

I am using HAProxy version 1.8.10 currently and a self-signed CA. My CA cert file consists of the intermediate and root certificate. Now I want to use a CRL so HAProxy blocks access for revoked client certificates. I generated the CRL file by downloading the CRLs for the intermediate and root certificate (client CA), converted them from DER to PEM and added them together in one file.
Whenever this CRL is configured in my haproxy config, I receive the error “sslv3 alert certificate unknown” on client side and in the haproxy logs I can see “SSL client certificate not trusted” with any certificate I use (revoked or not revoked). Once I remove the CRL I can connect without any problem.

I tried many things to debug this but I can’t find the issue. Can anybody help me please?

I have the same problem.

It’s an old example now but was actually done using 1.8.

But have you tried following my Blog, just to see if that works for you as it’s all local self signed certs…

If so it might prove something else is wrong in your process. I’ll help if I can.

@AaronWest, your blog is very good, but we need to know how to analyse the haproxy SSL log to find a solution.
For example, in my case with the CRL:
on the client side, sslv3 alert certificate unknown
on the server side, ssl client CA chain cannot be verified

Without the CRL in the haproxy config, everything is working fine.
I have only the CA and client crt and crl.

@carlos
So “sslv3 alert certificate unknown” means that the client certificate cannot be verified.

While “ssl client CA chain cannot be verified” means pretty much the same, so it cannot verify the client against the CA.

As you say it works before you add the CRL, this makes me think it’s either malformed, missing info or otherwise incorrect in some other way.

That’s why I’m suggesting you make your own as a test, prove to yourself it should work, then compare that to your setup and hopefully you’ll see what’s missing.

@AaronWest thanks.
Your answer is so valuable to us.

I confirm that when I remove the CRL from the haproxy config ==> it is working.
I am able to parse the CRL using this command:

openssl crl -inform DER -text -noout -in mycrl.crl

So malformed is not the case.

I see (X509v3 Freshest CRL and Issuing Distribution Point) inside my CRL file.

Maybe this is the problem? I used Chrome and I can get the CRL in DER format without problem using the HTTP distribution point.

Also, in your blog, Client Certificate Authentication with HAProxy,
the CRL generated has no HTTP distribution point (without X509v3 Freshest CRL and Issuing Distribution Point), and the CRL in your blog is working for me.

So I think the problem is in HAProxy, where it is not able to work with X509v3 Freshest CRL and Issuing Distribution Point in the CRL.

What do you think?