Getting HAProxy to use TLS towards backend fails


I’m quite new to HAProxy, so please bear with me if I seem to be a bit confused.

I’m using
HAProxy version 2.6.9-1

Built with OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

I have an application running that can’t use TLS. I’m trying to ‘hide’ it behind HAProxy so that when the application POST’s to a messagebroker, it goes through HAProxy which then changes the transmission to https.
This is my setup:
backend tx-mbroker
    timeout connect 5000
    timeout server 50000
    retries 3
    server ssl verify required ca-file /etc/haproxy/certs/MbrokerCA.pem crt /etc/haproxy/certs/ check check-sni
    http-request set-header Host
    http-request set-header X-Proto https

Unfortunately the message broker (Citrix NetScaler) claims that HAProxy doesn’t present a TLS certificate and drops the connection.

What am I doing wrong?



It turned out that I was not really doing anything wrong. A Wireshark trace on the interface uncovered that there were some inconsistencies in the certificate chains (I got SSL errors saying that the CA was unknown, etc.).
After changing ca-file from /etc/haproxy/certs/MbrokerCA.pem (which should be sufficient) to /etc/ssl/certs, things started working. I then added 'sni str(' to ensure that I only send to the right host.

Had I only tried the ssl verify none option, I could probably have saved some time.

I hope this will help someone else out in case they run into the same issues.
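As an added example (not from this thread or the HAProxy project), here is what the backend described above looks like once the pieces from the answer are put together: a diagnostic server line with verification disabled, kept commented out, beside the verified one that sends SNI and presents a client certificate. The broker hostname broker.example.invalid, the server name mbroker and the client PEM path /etc/haproxy/certs/haproxy-client.pem are placeholders; the CA path /etc/ssl/certs and the timeouts are the ones used in the thread.

```haproxy
# Added example; hostnames and the client PEM path are placeholders.
backend tx-mbroker
    timeout connect 5000
    timeout server  50000
    retries 3

    # Diagnostic variant only: with "verify none" HAProxy accepts any broker
    # certificate, so a chain or trust-store problem stops masking the rest of
    # the setup. Keep it commented out once the verified line below works.
    # server mbroker broker.example.invalid:443 ssl verify none

    # Verified variant:
    #  - verify required: reject the broker unless its chain validates against
    #    ca-file (a directory here, as in the thread; a file holding just the
    #    broker's full chain is the tighter choice when it is known)
    #  - sni str(...): send the broker's name as SNI; with verify required and no
    #    verifyhost, HAProxy also checks the certificate against this name
    #  - crt: one PEM file holding HAProxy's own certificate and private key,
    #    presented when the broker asks for a client certificate
    #  - check-sni: make the health check use the same SNI as real traffic
    server mbroker broker.example.invalid:443 ssl verify required ca-file /etc/ssl/certs sni str(broker.example.invalid) crt /etc/haproxy/certs/haproxy-client.pem check check-sni broker.example.invalid

    # Give the broker a Host header it recognises and tell it the client-facing
    # side spoke https (X-Forwarded-Proto is the conventional name for what the
    # thread called X-Proto).
    http-request set-header Host broker.example.invalid
    http-request set-header X-Forwarded-Proto https
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing to catch syntax errors before reloading. If the verified line still fails, a packet capture on the backend interface, as in the answer, shows which side closes the handshake and with which TLS alert (unknown CA, bad certificate, and so on), which points at the trust store, the SNI name or the client PEM respectively.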