CRL list problem

Hi, I have installed haproxy 1.8.7 and have a problem with the CRL list: even when I revoke a user's certificate, the page is still served to him.

test1 is my test user

  1. CERT REVOKE:
    openssl ca -config /root/ca/intermediate/openssl.cnf -revoke /root/ca/users_certs/test1/test1.crt

  2. REGENERATE CRL
    openssl ca -config /root/ca/intermediate/openssl.cnf -gencrl -out /root/ca/intermediate/crl/intermediate.crl

  3. ORDER CERT CHAIN IN HAPROXY CONFIG FILE (ca_chain.crt)
    — INTERMEDIATE CERT —
    — CA CERT —

  4. ORDER CRL CHAIN IN HAPROXY CONFIG FILE (crl.pem)
    — INTERMEDIATE CRL —
    — CA CRL —

  5. ORDER FILES IN my.page.pem FILE
    — PRIVATE KEY WITHOUT PASSWORD —
    — my.page CERT SIGNED BY INTERMEDIATE CERT —

  6. Full /etc/haproxy/haproxy.cfg
    global
            log /dev/log local0
            log /dev/log local1 notice
            chroot /var/lib/haproxy
            stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
            stats timeout 30s
            user haproxy
            group haproxy
            daemon

            # Default SSL material locations
            ca-base /etc/ssl/certs
            crt-base /etc/ssl/private

            # Default ciphers to use on SSL-enabled listening sockets.
            # For more information, see ciphers(1SSL). This list is from:
            #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
            # An alternative list with additional directives can be obtained from
            #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
            ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
            ssl-default-bind-options no-sslv3
            maxconn 2048
            tune.ssl.default-dh-param 2048

    defaults
            log     global
            mode    http
            option forwardfor
            option http-server-close
            option  httplog
            option  dontlognull
            timeout connect 5000
            timeout client  50000
            timeout server  50000
            errorfile 400 /etc/haproxy/errors/400.http
            errorfile 403 /etc/haproxy/errors/403.http
            errorfile 408 /etc/haproxy/errors/408.http
            errorfile 500 /etc/haproxy/errors/500.http
            errorfile 502 /etc/haproxy/errors/502.http
            errorfile 503 /etc/haproxy/errors/503.http
            errorfile 504 /etc/haproxy/errors/504.http
            stats enable
            stats uri /stats
            stats realm Haproxy\ Statistics
            stats auth user:password

    frontend www-http_my-page
            bind 192.168.0.211:80
            reqadd X-Forwarded-Proto:\ http
            default_backend www-backend_my-page

    frontend www-https_my-page
            bind 192.168.0.211:443 transparent ssl crt /etc/ssl/private/my.page.pem ca-file /etc/haproxy/cert/ca_chain.crt verify required crt-ignore-err all crl-file /etc/haproxy/cert/crl.pem
            reqadd X-Forwarded-Proto:\ https
            default_backend www-backend_my-page

    backend www-backend_my-page
            redirect scheme https if !{ ssl_fc }
            balance roundrobin
            cookie SERVERID insert indirect nocache
            server web1 192.168.0.212:80 check cookie web1
            server web2 192.168.0.213:80 check cookie web2

Are you sure you are reloading haproxy after updating the CRL? Also I suggest you remove the option crt-ignore-err all entirely.

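The reply's point can be reproduced outside haproxy with the openssl CLI alone. The script below is an added example, not code from the thread or from the HAProxy project: it builds a throwaway CA (one CA rather than the poster's root plus intermediate, with an assumed minimal openssl.cnf instead of /root/ca/intermediate/openssl.cnf), issues a certificate for test1, performs steps 1 and 2 from the post (revoke, regenerate the CRL), and then verifies the same certificate twice: once with a chain check only, and once with `-crl_check` against the regenerated CRL. The chain-only check keeps accepting the revoked certificate, which is exactly what `crt-ignore-err all` produces on the bind line, since it tells haproxy to ignore every client-certificate verification error at depth 0, the "certificate revoked" error included. The `crl-file` is consulted, but its verdict is thrown away.

```shell
#!/bin/sh
# Added example (not from the thread): show that a revoked client cert is only
# rejected when the CRL is actually checked and the error is not ignored.
# Requires the openssl command-line tool.

# Minimal openssl.cnf for `openssl ca` (assumed layout for this demo).
demo_write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build the CA, issue test1's certificate and publish an empty CRL in dir $1.
demo_setup() {
  d=$1
  mkdir -p "$d/newcerts" && : > "$d/index.txt" && echo 1000 > "$d/serial"
  demo_write_cnf "$d"
  ( cd "$d" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
      -config ca.cnf -extensions v3_ca -keyout ca.key -out ca.crt &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test1" \
      -config ca.cnf -keyout test1.key -out test1.csr &&
    openssl ca -batch -notext -config ca.cnf -in test1.csr -out test1.crt &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

# Steps 1 and 2 from the post: revoke test1, then regenerate the CRL.
demo_revoke() {
  ( cd "$1" && openssl ca -config ca.cnf -revoke test1.crt &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

# Chain check only: what remains of verification once revocation errors are
# ignored (the effect of crt-ignore-err all). Exit status 0 = accepted.
verify_no_crl() {
  ( cd "$1" && openssl verify -CAfile ca.crt test1.crt ) >/dev/null 2>&1
}

# Chain check plus CRL check: the equivalent of crl-file with no errors ignored.
verify_with_crl() {
  ( cd "$1" &&
    openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check test1.crt ) >/dev/null 2>&1
}

# Run the whole story in a temp dir and print four verdicts:
# "<chain-only before> <with-CRL before> <chain-only after> <with-CRL after>"
demo_run() {
  d=$(mktemp -d)
  demo_setup "$d" || { echo "setup failed"; return 1; }
  a=$(verify_no_crl "$d" && echo ok || echo rejected)
  b=$(verify_with_crl "$d" && echo ok || echo rejected)
  demo_revoke "$d" || { echo "revoke failed"; return 1; }
  c=$(verify_no_crl "$d" && echo ok || echo rejected)
  e=$(verify_with_crl "$d" && echo ok || echo rejected)
  rm -rf "$d"
  echo "$a $b $c $e"
}

demo_run   # prints: ok ok ok rejected
```

The last verdict is the one haproxy should reach for test1 after the CRL is regenerated, and it needs two things the thread touches on: the regenerated CRL must be the one in the file named by `crl-file` (haproxy reads it at start or reload, so reload after each regeneration), and the bind line must not carry `crt-ignore-err all`, since with it the revoked certificate still passes, just as the chain-only check above does.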

@lukastribus thanks for your reply. When I removed crt-ignore-err all and restarted haproxy, everything works well.
THANK YOU!