Hello,
I need urgent help.
I have HAProxy in server mode, having CA signed certificate.
I have client with self-signed certificate.
My requirements are the following: HAProxy should
a. fetch client certificate
b. not verify the client certificate
Please suggest how to fulfill this requirement.
a. The config below in the frontend validates the client's self-signed cert against the CA ca.crt, but the client cert is self-signed.
HAProxy error: SSL client certificate not trusted
bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify optional ca-ignore-err all
b. The config below errors on HAProxy start, saying a ca-file is needed with verify optional
bind *:8443 ssl crt /etc/haproxy/server.pem verify optional ca-ignore-err all
c. The config below does not request the client cert
bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify none ca-ignore-err all
d. The config below does not request the client cert
bind *:8443 ssl crt /etc/haproxy/server.pem ca-ignore-err all
Thanks,
Deepak
@thierry @lukastribus Please help with this problem statement.
Since the certificate is self-signed, use:
crt-ignore-err all
instead of:
ca-ignore-err all
The latter ignores errors with intermediate/root certificates, but you have an error with the actual certificate (depth == 0), which is why you need to use the former:
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#5.1-crt-ignore-err
Thanks this worked for me!
crt-ignore-err all
Syntax:
crt-ignore-err <errors>
How could I find the specific crt error applicable in this case?
I don't see an error-id in the HAProxy logs; is there a better way to find all error-ids, from the HAProxy code or otherwise? Please share the pointers.
I would like to ignore a specific error instead of ignoring 'all' errors.
Error codes are defined in openssl’s include/openssl/x509_vfy.h:
# define X509_L_FILE_LOAD 1
# define X509_L_ADD_DIR 2
# define X509_LOOKUP_load_file(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
# define X509_LOOKUP_add_dir(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
# define X509_V_OK 0
# define X509_V_ERR_UNSPECIFIED 1
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
# define X509_V_ERR_UNABLE_TO_GET_CRL 3
# define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
# define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
# define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
# define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
# define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
# define X509_V_ERR_CERT_NOT_YET_VALID 9
# define X509_V_ERR_CERT_HAS_EXPIRED 10
You can find a more verbose explanation of those errors in the openssl docs:
https://www.openssl.org/docs/manmaster/apps/verify.html
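An added example (not from this thread) that turns the error-id question above into a small triage script: it parses the X509_V_* defines out of x509_vfy.h and, given a log line carrying HAProxy's ssl_c_err / ssl_c_ca_err / ssl_c_ca_err_depth fetches, reports whether the narrower crt-ignore-err (depth 0) or ca-ignore-err (depth > 0) with that single id would do instead of `all`. The log-format, its field names and the log lines are assumptions constructed for the example; the fetch names are HAProxy's own.

```python
import re

# Constructed excerpt of openssl's include/openssl/x509_vfy.h; the real header has
# many more codes and the parser below reads the full file unchanged.
X509_VFY_H = """\
# define X509_V_OK 0
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
# define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
# define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
"""
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(X509_V_\w+)\s+(\d+)\s*$", re.MULTILINE)

def parse_x509_errors(header_text):
    """Map numeric verify error id -> symbolic name (X509_V_OK is 0)."""
    return {int(num): name for name, num in DEFINE_RE.findall(header_text)}

# Assumed frontend log-format (field names are hypothetical, the fetches are real):
#   log-format "%ci c_err=%[ssl_c_err] ca_err=%[ssl_c_ca_err] ca_depth=%[ssl_c_ca_err_depth]"
LOG_RE = re.compile(r"c_err=(\d+) ca_err=(\d+) ca_depth=(\d+)")

def classify(log_line, table):
    """(directive, error_id, name) for the first verify error, or None if clean."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("log line lacks the expected ssl_c_* fields")
    c_err, ca_err, ca_depth = map(int, m.groups())
    if c_err:   # depth 0: the client certificate itself -> crt-ignore-err
        return ("crt-ignore-err", c_err, table.get(c_err, "UNKNOWN"))
    if ca_err:  # depth > 0 (ca_depth tells which issuer) -> ca-ignore-err
        return ("ca-ignore-err", ca_err, table.get(ca_err, "UNKNOWN"))
    return None

def suggest_bind_option(log_line, table):
    """Narrowest bind option that would admit this client instead of 'all'."""
    found = classify(log_line, table)
    if found is None:
        return "no verify error: no ignore option needed"
    directive, code, name = found
    return f"{directive} {code}  # {name}"

# Constructed log lines: self-signed client cert, unknown issuer at depth 1, clean chain.
SAMPLE_LOGS = [
    "203.0.113.5 c_err=18 ca_err=0 ca_depth=0",
    "203.0.113.6 c_err=0 ca_err=2 ca_depth=1",
    "203.0.113.7 c_err=0 ca_err=0 ca_depth=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line, "->", suggest_bind_option(line, parse_x509_errors(X509_VFY_H)))
```

Pointing the parser at the installed header instead of the excerpt gives the full table for whatever OpenSSL version HAProxy was built against.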
Thanks a lot! @lukastribus