I have a strange issue with crl-file.
CentOS Linux release 7.6.1810 (Core)
Our internal CA runs on a Windows server. When I want to use its CRL I have to do these steps:
- download the root CA and intermediate CA CRLs
- convert them to X.509 PEM
- merge them into one file (CRL.pem)
I always do these steps using a script. The script contains a part that checks whether there is a new revocation record in the final CRL; if so, HAProxy is restarted so that it loads the fresh information from the CRL. The script is launched regularly once a day.
I use the result, CRL.pem, as part of this client certificate authentication bind line:
bind abns@go_to_fe_application accept-proxy ssl crt /etc/haproxy/certs/ ca-file /etc/pki/ca-trust/source/anchors/CA.pem crl-file /etc/pki/tls/misc/CRL.pem verify required
And it works, but only for about two days (I didn't measure it exactly). After that it suddenly stops without a clear reason. See the output from curl below:
curl --insecure --cert-type pem --cert davidmosler.pem -vvv https://mydomain.global
Rebuilt URL to: https://mydomain.global/
Connected to mydomain.global (192.168.16.16) port 443 (#0)
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
error setting certificate verify locations, continuing anyway:
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS handshake, CERT verify (15):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS alert, Server hello (2):
error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Curl_http_done: called premature == 1
Closing connection 0
curl: (35) error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Well... alert certificate expired. But I would say that isn't true:
My client certificate is valid.
openssl x509 -in davidmosler.pem -text | grep Validity -A 2
Not Before: May 16 09:24:35 2019 GMT
Not After : May 15 09:24:35 2020 GMT
And according to this output I would guess that my CRL is valid as well:
openssl crl -in CRL.pem -text | grep Issuer -A 2
Last Update: Jun 7 07:16:52 2019 GMT
Next Update: Jun 6 19:36:52 2020 GMT
But it doesn't work, unless I just move CRL.pem away (for later detailed inspection), run the script mentioned before and restart HAProxy. Then I get:
HTTP/1.1 200 OK
I compared the content of both CRL.pem files (old and new).
openssl crl -in CRL.pem -noout -text > oldCRL.pem
openssl crl -in CRL.pem -noout -text > newCRL.pem
diff oldCRL.pem newCRL.pem
And the result is nothing. Both contents are identical.
Has anybody any idea where the problem could be?
Thanks a lot in advance for your useful hints.
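Added example, not code from the post or from HAProxy: a bash helper for the daily CRL job that checks every CRL in the merged bundle (the `grep Issuer -A 2` check above only shows the first CRL in the file, and OpenSSL rejects a handshake with the "certificate expired" alert once any CRL it needs has passed its Next Update) and fingerprints the revoked serials so that a change can trigger the HAProxy reload. It assumes openssl and GNU date are installed; the bundle path in the last comment is the one from the post, the rest are placeholders.

```shell
#!/bin/bash
# Added example (not from the post): audit every CRL in a merged bundle such as
# CRL.pem above, not only the first one shown by "grep Issuer -A 2".
# Assumes openssl and GNU date; paths are placeholders.
set -eu
# Split a PEM bundle into $2/crl-NN.pem (one file per CRL); print the count.
split_crl_bundle() {          # $1 = bundle file, $2 = existing output dir
    awk -v dir="$2" '
        /-----BEGIN X509 CRL-----/ { n++; f = sprintf("%s/crl-%02d.pem", dir, n) }
        f { print > f }
        /-----END X509 CRL-----/  { close(f); f = "" }
        END { print n + 0 }' "$1"
}
# Seconds from epoch $2 until the "Next Update" time $1 as openssl prints it;
# negative means that CRL is already stale.
seconds_until() {             # $1 = "Jun  6 19:36:52 2020 GMT", $2 = now (epoch)
    local when
    when=$(date -u -d "$1" +%s)
    echo $(( when - $2 ))
}
# Digest of the revoked serials in one CRL; a change between runs is the
# "new revocation record" that should trigger the HAProxy reload.
revoked_digest() {            # $1 = single CRL PEM
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }' \
        | sort | sha256sum | cut -d' ' -f1
}
# Report one CRL; return 1 when it expires within $2 seconds, because OpenSSL
# rejects the handshake once a CRL's nextUpdate has passed.
check_crl() {                 # $1 = single CRL PEM, $2 = warning threshold (s)
    local issuer next left
    issuer=$(openssl crl -in "$1" -noout -issuer)
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    left=$(seconds_until "$next" "$(date -u +%s)")
    printf '%s\n  nextUpdate=%s (%d s left, revoked digest %s)\n' \
        "$issuer" "$next" "$left" "$(revoked_digest "$1")"
    [ "$left" -gt "$2" ]
}
# Check every CRL in the bundle; exit 1 if any is stale or about to expire.
audit_bundle() {              # $1 = bundle file, $2 = warning threshold (s)
    local dir f rc=0
    dir=$(mktemp -d)
    split_crl_bundle "$1" "$dir" >/dev/null
    for f in "$dir"/crl-*.pem; do
        check_crl "$f" "$2" || { echo "  >> stale or expiring CRL: $f"; rc=1; }
    done
    rm -rf "$dir"
    return "$rc"
}
# Example: audit_bundle /etc/pki/tls/misc/CRL.pem 86400 || echo "refetch CRLs first"
```

Run it from the daily script before reloading HAProxy; a non-zero exit means one of the CRLs in the bundle (not necessarily the first) is stale or will be within the threshold, so the fetch step needs attention rather than a restart.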