HAProxy community

Crl-file causes client authentication failure

Hello,
I have a strange issue with crl-file.

Quick intro:
HAProxy 1.5.18-8.el7
CentOS Linux release 7.6.1810 (Core)

We use our internal CA, which runs on a Windows server. When I want to use its CRL I have to do these steps.

  • download root CA, intermediate CAs
  • convert them to x509
  • merge into one file (CRL.pem)

I always do these steps using a script. The script contains a part that checks whether there is a new revocation record in the final CRL; if so, HAProxy is restarted to load the fresh information from the CRL. The script is launched regularly once a day.

I use the result, CRL.pem, as part of this client certificate authentication.
bind abns@go_to_fe_application accept-proxy ssl crt /etc/haproxy/certs/ ca-file /etc/pki/ca-trust/source/anchors/CA.pem crl-file /etc/pki/tls/misc/CRL.pem verify required

And it works, but only for about two days (I didn't measure it exactly). After that it suddenly stops without a clear reason. See the output from curl below:

curl --insecure --cert-type pem --cert davidmosler.pem -vvv https://mydomain.global
Rebuilt URL to: https://mydomain.global/
Trying 192.168.16.16…
TCP_NODELAY set
Connected to mydomain.global (192.168.16.16) port 443 (#0)
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
error setting certificate verify locations, continuing anyway:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS handshake, CERT verify (15):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS alert, Server hello (2):
error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Curl_http_done: called premature == 1
Closing connection 0
curl: (35) error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

Well… alert certificate expired. But I would say that isn't true:

My client certificate is valid.

openssl x509 -in davidmosler.pem -text | grep Validity -A 2
Validity
Not Before: May 16 09:24:35 2019 GMT
Not After : May 15 09:24:35 2020 GMT

And according to this output I would guess that my CRL is valid as well:

openssl crl -in CRL.pem -text | grep Issuer -A 2
Issuer: /CN=RootCA
Last Update: Jun 7 07:16:52 2019 GMT
Next Update: Jun 6 19:36:52 2020 GMT

But it doesn't work. Unless I just move CRL.pem away (for later detailed inspection), run the script mentioned before, and restart HAProxy. Then I get:

HTTP/1.1 200 OK

I compared content of both CRL.pem files (old and new).

openssl crl -in CRL.pem -noout -text > oldCRL.pem   # decoded dump of the CRL.pem that was moved aside
openssl crl -in CRL.pem -noout -text > newCRL.pem   # decoded dump of the CRL.pem freshly built by the script
diff oldCRL.pem newCRL.pem

And the result is nothing. Both contents are identical.

Does anybody have any idea where the problem could be?
Thanks a lot in advance for your useful hints.
David
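
The openssl crl -in CRL.pem -text check above decodes only the first CRL in a PEM bundle, so a merged root-plus-intermediate file can carry an expired intermediate CRL that the command never shows; OpenSSL rejects a chain checked against such a CRL with X509_V_ERR_CRL_HAS_EXPIRED, which the TLS layer reports with the same certificate_expired alert that curl printed. The following script is an added example, not from this thread: it walks every CRL in the bundle and flags any whose nextUpdate has passed, assuming the openssl CLI and GNU date (as on CentOS 7) and taking the bundle path as its argument.

```shell
#!/bin/sh
# Added example, not from the thread: list every CRL in a merged PEM bundle
# (root + intermediate CRLs concatenated into CRL.pem) and flag expired ones.
# "openssl crl -in CRL.pem -text" decodes only the first CRL in such a file.
# Assumes the openssl CLI and GNU date (as on CentOS 7); bundle path as $1.

# Count the CRL blocks in a PEM bundle (prints 0 for a file without CRLs).
crl_count() {
    grep -c -- '-----BEGIN X509 CRL-----' "$1" || true
}

# Print the Nth (1-based) PEM CRL block of a bundle, BEGIN/END lines included.
crl_block() {
    awk -v want="$2" '
        /-----BEGIN X509 CRL-----/ { n++ }
        n == want { print }
        /-----END X509 CRL-----/ && n == want { exit }
    ' "$1"
}

# Report one line per CRL: "<OK|EXPIRED> <issuer> <nextUpdate>".
# Returns 1 if any CRL in the bundle is past its nextUpdate, else 0.
# OpenSSL treats such a CRL as a verification failure
# (X509_V_ERR_CRL_HAS_EXPIRED), so one stale intermediate CRL in the
# bundle breaks client authentication for every client.
crl_check_all() {
    bundle=$1; rc=0; i=1
    total=$(crl_count "$bundle")
    now=$(date -u +%s)
    tmp=$(mktemp)
    while [ "$i" -le "$total" ]; do
        crl_block "$bundle" "$i" > "$tmp"
        issuer=$(openssl crl -in "$tmp" -noout -issuer | sed 's/^issuer=//')
        next=$(openssl crl -in "$tmp" -noout -nextupdate | sed 's/^nextUpdate=//')
        next_s=$(date -u -d "$next" +%s)   # GNU date parses "Jun  6 19:36:52 2020 GMT"
        if [ "$next_s" -le "$now" ]; then
            state=EXPIRED
            rc=1
        else
            state=OK
        fi
        printf '%s %s %s\n' "$state" "$issuer" "$next"
        i=$((i + 1))
    done
    rm -f "$tmp"
    return "$rc"
}

# Usage: crl_check_all /etc/pki/tls/misc/CRL.pem
```

Run it from the same cron job that rebuilds CRL.pem and fail the job (or alert) on a non-zero exit, so a short-lived intermediate CRL cannot silently age out between runs.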

I suggest you take haproxy out of the picture and just use an OpenSSL test server with those parameters, to check where the issue is.

I guess it would look something like this (using SSL port 10443):

openssl s_server -port 10443 -cert /etc/haproxy/certs/mydomain.global.pem \
-CAfile /etc/pki/ca-trust/source/anchors/CA.pem \
-CRL /etc/pki/tls/misc/CRL.pem \
-Verify 2 -crl_check_all
# -CRL takes the CRL file itself (-CRLform only selects PEM or DER); -Verify needs a
# maximum chain depth, and 2 (assumed here) covers root CA -> intermediate CA -> client cert

Hello Lukas, thanks a lot for your reply. Good idea, I will do that.