The folder “/myfolder/ssl/certs” contains many server certficates. File “trusted_ca.pem” contains all the certification authorities that issued the certificates.
We are using “verify optional” because we have servers that need to be protected by SSL client authentication and others that don’t.
Problem: some legitimate client connections seem to be blocked with the following reason : xxx.xxx.xxx.xxx:14648 [28/Feb/2025:08:12:23.949] https/1: SSL client certificate not trusted
We are pretty sure that we have included all the necessary authorities in the “trusted_ca.pem” file.
And when we have this error, no information about the content of the certificate presented is displayed in log (no DN, no issuer…) ! The “log-format” directive doesn’t seem to be working with SSL error.
Question : how to have more informations about the client certificate even if a connection error occurs ?
I’m not sure if you can have two “crl-file” directives but maybe someone can correct me on that.
I do something similar, I’ve multiple client certificate issuing CAs and I’ve concatenated them all into a single CA file.
What I did notice is that it worked fine without a CRL file but, once I did add a CRL file, it had to have an entry corresponding to every CA e.g., if I had 3 issuing CAs in the CA file but only two CRLs in the CRL file it wouldn’t work. It was a while ago so I don’t recall exactly what didn’t work e.g., was it only the certs from the CA with the missing CRL that didn’t work or was it all of them.
Maybe try without the CRL files for testing purposes?
I have tested without CRL files and I don’t have no further information in logs about the customer certificate presented.
The more global problem we’re facing is that we have some partners who connect with client certificates and others who don’t. We therefore set up an https frontend with optional verification of the client certificates presented. However, it seems that some client software programs don’t understand the optional certificate presentation parameter correctly, and the connection fails.
To get around the problem, here’s the solution we’ve come up with (loop inside HAProxy):
frontend tcp-443
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# App1 is not protected by client cert
acl sni_prodroc req_ssl_sni -i app1-without-client-cert.mydomain.com
use_backend dummy_backend_without_client_cert if app1-without-client-cert.mydomain.com
# App2 is protected by client cert
acl sni_prodroc req_ssl_sni -i app1-with-client-cert.mydomain.com
use_backend dummy_backend_with_client_cert if app2-with-client-cert.mydomain.com
backend dummy_backend_without_client_cert
mode tcp
server dummy_frontend_without_client_cert 127.0.0.1:5401 send-proxy
frontend dummy_frontend_without_client_cert
bind 127.0.0.1:5401 accept-proxy ssl crt /ssl/app1-without-client-cert.mydomain.com strict-sni
mode http
option forwardfor
use_backend backend_app1
backend backend_app1
mode http
server myapp1server 192.168.1.10:8080
backend dummy_backend_with_client_cert
mode tcp
server dummy_frontend_with_client_cert 127.0.0.1:5402 send-proxy
frontend dummy_frontend_with_client_cert
bind 127.0.0.1:5402 accept-proxy ssl crt /ssl/app2-with-client-cert.mydomain.com strict-sni ca-file /ssl/trusted_client_ca.pem verify required
mode http
option forwardfor
use_backend backend_app2
backend backend_app2
mode http
server myapp2server 192.168.1.20:8080