Dovecot SSL Cert Problem

aaraya1516 · April 28, 2017, 7:49pm

I’m trying to loadbalance a few dovecot instances and the SSL cert being shown to the users is the dovecot server’s not the HAproxy version. The documentation for this is sparse and scattered, so I couldn’t make a perfect setup that gave valid ssl certs. Does each dovecot server need to have a cert with the haproxy domain for this to work?

Here’s my config:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen webForward
        bind :443 ssl crt /etc/ssl/private/certprivkey.pem no-sslv3
        #mode tcp 
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        #mode tcp
        balance roundrobin
        stick-table type ip size 200k expire 30m
        stick on src
        server s1 6x.xxx.xx.xxx:443

listen dovecot-imap
        bind :993 
        mode tcp
        #option ssl-hello-chk
        option http-keep-alive
        balance first
        tcp-check connect port 993
        tcp-check expect string *\ OK
        stick-table type ip size 200k expire 15m
        stick on src
        timeout server 1m
        timeout connect 1m
        timeout client 5m
        server s1 10.0.0.1:10993 send-proxy-v2
        server s2 10.0.0.2:10993 send-proxy-v2

lukastribus · April 28, 2017, 9:42pm

Do you want Haproxy to handle SSL and connect to the backend in cleartext (no SSL)?

Then you need to use the ssl keyword on the frontend, and a cleartext destination port on the backend.

Please check the following 4 changes:

**frontend** webForward <-- this is a frontend section, not a listen section
        bind :443 ssl crt /etc/ssl/private/certprivkey.pem no-sslv3
        #mode tcp 
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

backend www-backend
        redirect scheme https if !{ ssl_fc }
        #mode tcp
        balance roundrobin
        stick-table type ip size 200k expire 30m
        stick on src
        server s1 6x.xxx.xx.xxx:**80** <--- cleartext port 80 here

listen dovecot-imap
        bind :993 **ssl crt /etc/ssl/private/certprivkey.pem no-sslv3** <-- specify the ssl keyword, along with certificate configuration here
        mode tcp
        #option ssl-hello-chk
        option http-keep-alive
        balance first
        tcp-check connect port 993
        tcp-check expect string *\ OK
        stick-table type ip size 200k expire 15m
        stick on src
        timeout server 1m
        timeout connect 1m
        timeout client 5m
        server s1 10.0.0.1:**143** send-proxy-v2 <-- should be a cleartext port!
        server s2 10.0.0.2:**143** send-proxy-v2 <-- should be a cleartext port!

aaraya1516 · April 29, 2017, 1:59am

That did the trick. But, lets say I didn’t have an encrypted subnet to protect the unencrypted traffic… could haproxy accept the dovecot ssl cert, but show the haproxy ssl cert?

lukastribus · April 29, 2017, 9:48am

Yes, to enable a “SSL client” towards your backend server, simply specify the ssl keyword:

server s1 10.0.0.1:10993 ssl send-proxy-v2
server s2 10.0.0.2:10993 ssl send-proxy-v2

aaraya1516 · April 29, 2017, 7:47pm

That did it. thank you!

Topic		Replies	Views
Trying to install SSL Cert for use with HAPROXY. No luck Help!	10	9952	January 7, 2019
Only HTTPS 502,521 error Help!	0	788	July 3, 2018
HAProxy unable to verify device certificate Help!	2	596	February 15, 2021
Haproxy w/ssl 'SSL handshake failure' Help!	3	3803	February 10, 2023
SSL termination does not work correctly (v2.0.8) Help!	3	1563	November 13, 2019

Dovecot SSL Cert Problem

Related Topics