HAProxy community

Client certificate verification for subdomain

I made a simple setup where I check for a given subdomain if a client certificate is valid or not.

The below configuration checks if the dev.example.com subdomain is called. It uses a backend that checks if a client cert exists and if it is valid. For every other subdomain, or the domain itself, it uses another backend.

It works so far. However, it does not recognise any client certs. It just logs ssl_c_used as 0.

Here is a pastebin link for the config https://pastebin.com/4QjitbtL

Line 80 log-format "capture1: ssl_fc %{+Q}[ssl_fc], ssl_c_used %{+Q}[ssl_c_used], ssl_fc_has_crt %{+Q}[ssl_fc_has_crt], ssl_c_verify %{+Q}[ssl_c_verify], ssl_c_i_dn %{+Q}[ssl_c_i_dn]"

The above logs the following:
Feb 6 18:17:59 example haproxy[2613]: capture0: dev.exampl
Feb 6 18:17:59 example haproxy[2613]: capture1: ssl_fc "1", ssl_c_used "0", ssl_fc_has_crt "0", ssl_c_verify "0", ssl_c_i_dn ""

If I set the cert as required then it fails at SSL handshake.

/etc/haproxy/certs contains a wildcard cert for my domain. It is from DigiCert.

/etc/haproxy/certs/verify_certs/ca.pem was generated by me with:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
cat ca.crt ca.key > ca.pem

The client cert then was generated with:
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
cat client.crt client.key > client_unp.pem

I am trying to test it with:
curl https://dev.example.com --cert-type pem --cert client_unp.pem --cacert …/…/ca.crt

I also tried to import client.pem in chrome to personal certificates. It imports but then does not show up in the list.

If I do it in windows in mmc then it shows up but Chrome still does not display it.

I am not sure if my certs are wrong or my config.

Can someone spot the issue? Thanks!
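As an added triage example (not from the post, and not HAProxy's own code): it parses the capture1 fields above, explains the field combination using the documented meaning of HAProxy's ssl_c_used / ssl_fc_has_crt / ssl_c_verify fetches and its bind-line verify and ca-file options, and checks that a PEM bundle intended for ca-file holds only certificates. The log line and PEM bundle are constructed samples shaped like the ones in the post.

```python
import re

# Constructed sample in the shape of the post's capture1 log-format (not a real capture).
SAMPLE_LOG = ('Feb 6 18:17:59 example haproxy[2613]: capture1: ssl_fc "1", ssl_c_used "0", '
              'ssl_fc_has_crt "0", ssl_c_verify "0", ssl_c_i_dn ""')

# Constructed PEM bundle: the shape `cat ca.crt ca.key > ca.pem` produces (bodies are placeholders).
SAMPLE_CA_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder...
-----END RSA PRIVATE KEY-----
"""

FIELD_RE = re.compile(r'(ssl_[a-z_]+) "([^"]*)"')

def parse_capture(line):
    """Return the ssl_* fields of a capture1 line as a dict; tolerates curly quotes from a pasted log."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    return dict(FIELD_RE.findall(line))

def diagnose(fields):
    """Explain the field combination using the documented meaning of each HAProxy sample fetch."""
    if fields.get("ssl_fc") != "1":
        return "not a TLS connection on the frontend; ssl_c_* fetches carry nothing here"
    if fields.get("ssl_c_used") == "0" and fields.get("ssl_fc_has_crt") == "0":
        # A client only sends a certificate when the server asks for one during the handshake;
        # HAProxy asks only when the bind line has `verify optional` or `verify required`
        # together with `ca-file <trusted-ca-certs.pem>`.
        return "no client certificate presented: the bind line must request one (verify optional|required + ca-file)"
    if fields.get("ssl_c_verify", "0") != "0":
        return "client certificate presented but rejected, X509 verify error code " + fields["ssl_c_verify"]
    return "client certificate presented and verified; issuer DN: " + fields.get("ssl_c_i_dn", "")

def pem_block_types(pem_text):
    """List the BEGIN labels in a PEM bundle, in order."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)

def ca_file_issues(pem_text):
    """The file handed to ca-file must hold CA certificates only; flag anything else."""
    types = pem_block_types(pem_text)
    issues = []
    if "CERTIFICATE" not in types:
        issues.append("no CERTIFICATE block")
    if any("PRIVATE KEY" in t for t in types):
        issues.append("contains a private key: keep ca.key out of the file given to ca-file")
    return issues
```

Run `diagnose(parse_capture(line))` over the capture1 lines from the log and `ca_file_issues(open(path).read())` over the bundle named in the bind line's ca-file option.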