Haproxy 2.0.0 with self signed cert Mysql handshake failure

Hi there
I have a big issue regarding connecting Haproxy to mysql through ssl with a mysql self-signed cert.
Below is my cfg
log local0
user haproxy
group haproxy
maxconn 10000
stats socket ipv4@ level admin
stats socket /var/run/haproxy.sock mode 666 level admin
stats timeout 2m
ssl-server-verify none
tune.ssl.default-dh-param 2028
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256

log global
retries 2
timeout connect 5000
timeout server 50000
timeout client 50000

listen stats
bla bla bla for webif…

listen Databases_QA
bind :3307 ssl crt /etc/haproxy/cert-qa/full-client.pem
mode tcp
option ssl-hello-chk
option mysql-check user haproxy
balance roundrobin
server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
server DBQ02 10.x.x.2:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verify none check maxconn 2000 backup inter 4000

Each time same error: “SSL Handshake failure” or “SSL Handshake failure (Broken Pipe)”

full-client.pem is a cut/paste of the mysql self-signed cert client-key.pem and client-cert.pem; is this wrong?
Under the mysql folder I have a lot of files; which of these do I need to use?

Please could you help me?

The verify here means haproxy needs to verify the certificate presented by the MySQL server and since that cert is self-signed it can not do so. Either point haproxy to the CA of the self-signed cert (or the cert itself) or try with verify none.

Hi Igor, and thanks for your help… please forget this line
server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
because I commented it out like this
#server DBQ01 10.x.x.1:3306 ssl crt /etc/haproxy/cert-qa/full-client.pem verifycheck maxconn 2000 inter 4000
but I have the same error; the problem is on DBQ02

As usual, you start by manually verifying that your cert will work; use openssl, let's say, to connect from the haproxy server to the mysql service.

Also you are not clear about the error. Where do you see that error, on the client side or haproxy? If you see it on the client side (the client talking to haproxy) that is also expected since the client would need to have the self signed certificate itself in order to verify it (you are using the same cert as haproxy certificate too):

bind :3307 ssl crt /etc/haproxy/cert-qa/full-client.pem

That’s the thing when working with self signed certificates, you need to distribute the self signed cert to every client connecting.
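The openssl check suggested above, as an added example that is not from either poster: it builds a throwaway CA plus server and client certs (constructed stand-ins for the ca.pem / server-cert.pem / client-cert.pem a MySQL install ships; file names assumed), then shows that trusting only the client cert, as the thread's full-client.pem does, cannot verify the server cert, while trusting the CA can. The probe_mysql_tls function and the haproxy `ca-file` line in the comment are assumptions about how to apply the result to a live server.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces haproxy's server-side
# "verify" offline with openssl, using constructed certs in a temp dir.
set -e
WORK=$(mktemp -d)
CA="$WORK/ca.pem"; SRV="$WORK/server-cert.pem"; CLI="$WORK/client-cert.pem"

# Constructed self-signed CA (stands in for MySQL's ca.pem / ca-key.pem).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MySQL_Server_CA" \
  -keyout "$WORK/ca-key.pem" -out "$CA" 2>/dev/null
# Constructed server and client certs, both signed by that CA.
for name in server client; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=${name}" \
    -keyout "$WORK/${name}-key.pem" -out "$WORK/${name}.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/${name}.csr" -CA "$CA" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/${name}-cert.pem" 2>/dev/null
done

# check_cert TRUST CERT: does CERT chain to TRUST, and nothing else?
# This is what haproxy does with "verify required ca-file TRUST".
# Returns 0 when the chain verifies, 1 when it does not.
check_cert() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# probe_mysql_tls HOST PORT CAFILE: the live check to run from the haproxy
# box against a real MySQL server (assumed usage; -starttls mysql needs
# OpenSSL >= 1.1.1). Prints the verification result line(s) only.
probe_mysql_tls() {
  openssl s_client -connect "$1:$2" -starttls mysql -CAfile "$3" </dev/null 2>&1 \
    | grep -E 'Verify return code|Verification'
}

# Trusting only the client cert cannot verify the server cert; trusting the
# CA can. Once the CA case passes against the real server, the matching
# haproxy line (assumed path) would be:
#   server DBQ02 10.x.x.2:3306 ssl verify required ca-file /etc/haproxy/cert-qa/ca.pem check
check_cert "$CLI" "$SRV" && echo "unexpected: client cert verified the server" \
  || echo "trusting client-cert.pem only: verification fails, as expected"
check_cert "$CA" "$SRV" && echo "trusting ca.pem: server cert verified"
```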