HAProxy community

Crl-file causing SSL_ERROR_EXPIRED_CERT_ALERT


#1

Using v1.8.10 on RHEL 7, I get the mentioned error in Firefox where the HTTPS frontend bind is as follows:

bind <IP>:443 name https ssl crt <server pem> ca-file <ca pem> verify required crl-file <x509>

I’m pretty confident the crt, ca and crl files are correct.

I get the same error using “verify optional”

If I add “crt-ignore-err all”, I get SSL_ERROR_UNKNOWN_CA_ALERT

If I add “crt-ignore-err all ca-ignore-err all”, I get “page isn’t redirecting properly. problem may be caused by disabling or refusing to accept cookies”

Without crl-file, the application works successfully.

Any ideas to correct or debug?


#2

Well the error says that the certificate is expired, but perhaps it is the crl file that is actually expired.

Can you check:

openssl crl -in <your-crl-file-here> -text


#3

Under Issuer, it has a Last Update of May 2018 and a Next Update of May 2019.

Under Revoked Certificates, it has a Revocation Date of May 2007 and an Invalidity Date of May 2007.

Does this mean it’s expired?


#4

Which certificate does it refer to as revoked? If that’s the client certificate you are using, then yes, it means the client certificate was revoked by the CA, and when using the CRL, it is denied.
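As an added example (not from the thread and not HAProxy's or OpenSSL's code), the stdlib-only Python script below automates the two checks the replies in #2 and #4 ask for: it parses the output of `openssl crl -in <crl> -text -noout`, reports whether the CRL itself is inside its Last Update / Next Update window, and tells you whether the serial of a given client certificate is listed as revoked. The sample CRL text, issuer, dates and serial numbers are constructed for the example; the two file paths in the `__main__` block are placeholders.

```python
"""Check a CRL the way the thread suggests: is the CRL itself still current,
and does it list the client certificate's serial?  Stdlib only; shells out to
openssl only when given real file paths (not needed for the embedded sample)."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of what `openssl crl -in <crl> -text -noout` prints.
# Issuer, dates and serial numbers are invented for this example.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Example Corp/CN=Example Client CA
        Last Update: May 14 09:12:00 2018 GMT
        Next Update: May 14 09:12:00 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                42
Revoked Certificates:
    Serial Number: 0A1B2C
        Revocation Date: May  3 10:00:00 2007 GMT
        CRL entry extensions:
            X509v3 Invalidity Date:
                May  3 09:30:00 2007 GMT
    Serial Number: 1F
        Revocation Date: Mar 15 10:00:00 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
         3a:2b:...
"""


def normalize_serial(serial: str) -> str:
    """Make serials comparable across openssl output styles:
    '0a:1b:2c', '0A1B2C' and '4096 (0x1000)' -> hex digits, upper-case, no leading zeros."""
    s = serial.strip()
    m = re.search(r"\(0x([0-9A-Fa-f]+)\)", s)          # 'x509 -text' style for small serials
    hexdigits = (m.group(1) if m else s.replace(":", "")).upper().lstrip("0")
    if not re.fullmatch(r"[0-9A-F]*", hexdigits):
        raise ValueError(f"not a hex serial: {serial!r}")
    return hexdigits or "0"


def _parse_openssl_date(s: str) -> datetime:
    """openssl prints 'May  3 10:00:00 2007 GMT' (day padded with a space)."""
    parts = s.split()
    if not parts or parts[-1] != "GMT":
        raise ValueError(f"unexpected date: {s!r}")
    naive = datetime.strptime(" ".join(parts[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_crl_text(text: str) -> dict:
    """Return {'issuer', 'last_update', 'next_update', 'revoked': {serial: date}}.
    Handles both the old '/C=US/O=...' and the newer 'C = US, O = ...' issuer spelling."""
    crl = {"issuer": None, "last_update": None, "next_update": None, "revoked": {}}
    pending_serial = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Issuer":
            crl["issuer"] = value
        elif key == "Last Update":
            crl["last_update"] = _parse_openssl_date(value)
        elif key == "Next Update":
            crl["next_update"] = _parse_openssl_date(value)
        elif key == "Serial Number":
            pending_serial = normalize_serial(value)
        elif key == "Revocation Date" and pending_serial is not None:
            crl["revoked"][pending_serial] = _parse_openssl_date(value)
            pending_serial = None
    if None in (crl["issuer"], crl["last_update"], crl["next_update"]):
        raise ValueError("not a CRL text dump: Issuer/Last Update/Next Update missing")
    return crl


def crl_validity(crl: dict, now: datetime) -> str:
    """'valid', 'expired' (past Next Update) or 'not-yet-valid' (before Last Update)."""
    if now > crl["next_update"]:
        return "expired"
    if now < crl["last_update"]:
        return "not-yet-valid"
    return "valid"


def diagnose(crl_text: str, client_serial: str, today: str = None) -> str:
    """One-line verdict; `today` is 'YYYY-MM-DD' (defaults to the current UTC date)."""
    now = (datetime.strptime(today, "%Y-%m-%d") if today else datetime.utcnow()).replace(tzinfo=timezone.utc)
    crl = parse_crl_text(crl_text)
    status = crl_validity(crl, now)
    if status != "valid":
        return f"CRL {status}: Last Update {crl['last_update']:%Y-%m-%d}, Next Update {crl['next_update']:%Y-%m-%d}"
    serial = normalize_serial(client_serial)
    when = crl["revoked"].get(serial)
    if when is not None:
        return f"revoked: serial {serial} revoked on {when:%Y-%m-%d} by {crl['issuer']}"
    return f"ok: CRL current until {crl['next_update']:%Y-%m-%d}, serial {serial} not listed"


def crl_text_from_file(path: str) -> str:
    """Run the check from the thread and capture its text output."""
    return subprocess.run(["openssl", "crl", "-in", path, "-text", "-noout"],
                          check=True, capture_output=True, text=True).stdout


def cert_serial_from_file(path: str) -> str:
    """`openssl x509 -noout -serial` prints 'serial=0A1B2C'."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-serial"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip().partition("=")[2]


if __name__ == "__main__":
    # Placeholder paths: python crlcheck.py /etc/haproxy/ca.crl /path/to/client.pem
    crl_path, client_path = (sys.argv[1:3] if len(sys.argv) >= 3 else ("crl.pem", "client.pem"))
    print(diagnose(crl_text_from_file(crl_path), cert_serial_from_file(client_path)))
```

Run it against the real files with the CRL from the `crl-file` directive and the certificate the browser presents; the CRL's own window is checked first because OpenSSL rejects a CRL whose Next Update has passed (X509_V_ERR_CRL_HAS_EXPIRED) before it ever gets to the serial list, so a stale CRL breaks every client, not just revoked ones.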