HAProxy community

Client certificate auth blocks access for some certs

I’m trying to setup client based authentication and got a weird problem. When using smartcard certs I get error
SSL client certificate not trusted
even though I’ve set “verify optional” and “crt-ignore-err all ca-ignore-err all” in my frontend. The smartcard certificate validates fine using openssl on the client using the CA specified as CA in haproxy.conf. The must strange thing is that if I use a selfsigned certificate then it works.
Any suggestion on what might be causing this?

Simplified config I am using:
global
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
crt-base /etc/haproxy/ssl
ssl-server-verify none
frontend main
bind :443 ssl crt website-cert.pem ca-file client-CA-with-chain.pem verify optional crt-ignore-err all ca-ignore-err all

default_backend test
   cookie SRVID insert nocache
   server server1 127.0.0.1:8088 maxconn 1

curl using selfsigned cert against haproxy with netcat running on backend:
curl --insecure --cert-type pem --cert test-cert.pem https://netcat-server
netcat server output:
ncat -l 127.0.0.1 8088
GET / HTTP/1.1
host: netcat-server
user-agent: curl/7.66.0
accept: /
x-ssl: 1
x-ssl-client-sha1: &y�5e��T�%0F%7F�}A�%14%1A�)�
x-ssl-client-verify: 21
x-ssl-client-dn: dn string
x-ssl-issuer: issuer string
connection: close

curl using smartcard cert against haproxy with netcat running on backend:
curl -v --insecure -E ‘pkcs11:URL’ https://netcat-server
Enter PKCS#11 token PIN for Instant EID IP9 (identification):
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:

* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host: helpdesk.cardservices.no
> User-Agent: curl/7.66.0
> Accept: /
>
* TLSv1.3 (IN), TLS alert, bad certificate (554):
* OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

netcat gives no output and haproxy log gives error " SSL client certificate not trusted" so the connection is closed at the frontend for some reason.

anyone any suggestion on how to debug further? Also why does haproxy block access with ‘certificate not trusted’ even though I’ve set ‘verify optional’ - thats the thing that bothers me most…