HAProxy community

Construct_ca_names error on haproxy

Haproxy version: 2.1.4
I am getting the below errors continuously.

OpenSSL error[0x14228044] construct_ca_names: internal error

I browsed through the internet and got this
https://mta.openssl.org/pipermail/openssl-users/2018-October/009003.html

Any help is appreciated.

In continuation with the OpenSSL error construct_ca_names, tried the following option, no-ca-names: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-no-ca-names
Any side effect of using this configuration… when should one use/not use it?

Share the configuration, the output of haproxy -vv and explain what you are trying to achieve.

I don’t have a clue about what you are trying to achieve, maybe start with the basics here?

@lukastribus please find the details here

haproxy -vv haproxy.cfg

HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
Build options :
TARGET = linux-glibc
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1
Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED -REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
Running on OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with the Prometheus exporter as a service
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2
fcgi : mode=HTTP side=BE mux=FCGI
<default> : mode=HTTP side=FE|BE mux=H1
<default> : mode=TCP side=FE|BE mux=PASS
Available services :
prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[TRACE] trace
[COMP] compression

haproxy.cfg

global
log /Users/abhay/_log local0 debug
stats socket /Users/abhay/haproxy.sock level admin
ca-base /Users/abhay/server
crt-base /Users/abhay/server
tune.ssl.cachesize 0
tune.bufsize 16384
tune.maxrewrite 1024
tune.ssl.default-dh-param 2048
spread-checks 4
nbproc 2

defaults
log global
mode http
option httplog
option log-health-checks
log /dev/log local6
timeout connect 10s
timeout client 30s
timeout server 30s

frontend website
bind :8998 ssl crt server.pem ca-file root.pem verify
log global
option httplog
default_backend goserver

backend goserver
balance roundrobin
option httplog
log global
option httpchk GET /
server server1 127.0.0.1:8999 check maxconn 30

The root.pem contains close to 400 entries. When the clients are connected, haproxy errors out with the
OpenSSL error[0x14228044] construct_ca_names: internal error
Figured out that when the certs were brought down to 381, things just worked fine. Upon searching on the internet, I found this OpenSSL URL:
https://mta.openssl.org/pipermail/openssl-users/2018-October/009003.html

Modified the configuration above and used no-ca-names in the configuration

frontend website
bind :8998 ssl crt server.pem no-ca-names ca-file root.pem verify
log global
option httplog
default_backend goserver

Things are working just fine.

However, I am not sure what the other side effects of using no-ca-names are.
I want to understand if the usage is right and if I will not run into any other issues. The haproxy documentation doesn't have enough details.
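The numbers in the post above (381 entries work, close to 400 do not) match a hard limit in the TLS wire format rather than anything specific to HAProxy: the certificate_authorities field of the CertificateRequest message carries a 16-bit length (RFC 5246 section 7.4.4 and RFC 8446 section 4.2.4), so the DER-encoded subject names of every certificate in ca-file, each with its own 2-byte length prefix, can never total more than 65535 bytes. The script below is an added example, not code from this thread or from the HAProxy project: it parses a PEM bundle with a minimal DER walker, extracts each certificate's subject Name (which is what goes into the CA list), and reports whether the list fits. The certificates it feeds itself are constructed, unsigned dummies with hypothetical names ("Example CA 0000" and so on) so the check runs offline; point ca_names_report at a real root.pem to size your own bundle. The no-ca-names option from the linked documentation only stops HAProxy from advertising that list; the bundle is still used to verify client certificates.

```python
import base64
import re

# certificate_authorities in the TLS CertificateRequest has a 16-bit length
# (RFC 5246 section 7.4.4, RFC 8446 section 4.2.4), so the encoded DN list
# can never exceed this many bytes.
TLS_CA_LIST_LIMIT = 65535

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(bundle: bytes) -> list:
    """Split a PEM bundle (such as HAProxy's ca-file) into DER certificates."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(bundle)]


def der_tlv(data: bytes, pos: int):
    """Decode the DER tag and length at pos; return (tag, content_start, end)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                                   # long form: n length bytes follow
    length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length


def der_children(data: bytes, start: int, end: int):
    """Yield (tag, element_start, content_start, element_end) inside a constructed value."""
    pos = start
    while pos < end:
        tag, cs, ce = der_tlv(data, pos)
        yield tag, pos, cs, ce
        pos = ce


def certificate_subject_der(cert: bytes) -> bytes:
    """Return the DER-encoded subject Name of a certificate (the value sent in the CA list)."""
    _, cert_cs, cert_ce = der_tlv(cert, 0)                              # Certificate ::= SEQUENCE
    _, _, tbs_cs, tbs_ce = next(der_children(cert, cert_cs, cert_ce))   # tbsCertificate
    fields = list(der_children(cert, tbs_cs, tbs_ce))
    if fields[0][0] == 0xA0:                                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, start, _, end = fields[4]
    return cert[start:end]


def ca_names_report(bundle: bytes) -> dict:
    """Size the certificate_authorities list that this bundle would produce."""
    names = [certificate_subject_der(d) for d in pem_to_ders(bundle)]
    total = sum(2 + len(n) for n in names)      # each DN carries its own 2-byte length prefix
    return {"count": len(names), "bytes": total, "fits": total <= TLS_CA_LIST_LIMIT}


# --- constructed test data: structurally valid but unsigned dummy certificates ---

def der_encode(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single commonName (OID 2.5.4.3)."""
    atv = der_encode(0x30, der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))


def make_dummy_cert_pem(subject_cn: str) -> bytes:
    """Hypothetical certificate with an empty signature; only the structure matters for the size check."""
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02")) +            # version v3
                     der_encode(0x02, b"\x01") +                                # serialNumber
                     alg + make_name("Example Root") +                          # signature, issuer
                     der_encode(0x30, der_encode(0x17, b"200101000000Z") +
                                der_encode(0x17, b"300101000000Z")) +           # validity
                     make_name(subject_cn) +                                    # subject
                     der_encode(0x30, alg + der_encode(0x03, b"\x00")))         # placeholder SPKI
    cert = der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00"))              # empty signature
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def make_bundle(n: int) -> bytes:
    """Constructed ca-file with n distinct dummy CA subjects."""
    return b"".join(make_dummy_cert_pem(f"Example CA {i:04d}") for i in range(n))


if __name__ == "__main__":
    for n in (3, 2185):
        print(n, ca_names_report(make_bundle(n)))
```

With these short single-RDN names each entry costs 30 bytes on the wire, so the list overflows at 2185 entries; real CA subjects with country, organisation and unit attributes run to well over 100 bytes each, which is why a few hundred of them are enough to hit the limit.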

Why would you ever have 400 entries in the CA file? A CA file is supposed to have a single certificate in there.