Haproxy as server with CA signed cert to fetch self-signed client certificate

deepagarhaproxy · August 9, 2016, 1:06pm

Hello,

I need an urgent help.

I have HAProxy in server mode, having CA signed certificate.
I have client with self-signed certificate.

My requirement are following: HAProxy should
a. fetch client certificate
b. Do not verify client certificate

Please suggest how to fulfill this requirement.

a. The below config in frontend is validating client self-signed cert using CA ca.crt, but client cert is self signed.

HAProxy error: SSL client certificate not trusted
bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify optional ca-ignore-err all

b. The below config errors on haproxy start saying ca-file needed with verify optional

bind *:8443 ssl crt /etc/haproxy/server.pem verify optional ca-ignore-err all

c. The below config does not request client cert

bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify none ca-ignore-err all

d. The below config does not request client cert

bind *:8443 ssl crt /etc/haproxy/server.pem ca-ignore-err all

Thanks,
Deepak

deepagarhaproxy · August 9, 2016, 3:44pm

@thierry @lukastribus Please help with this problem statement.

lukastribus · August 9, 2016, 6:08pm

Since the certificate is self-signed, use:
crt-ignore-err all

instead of:
ca-ignore-err all

The latter ignore errors with intermediate certificates/root’s, but you have an error with the actual certificate (depth == 0), which is why you need to use the former:

http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#5.1-crt-ignore-err

deepagarhaproxy · August 10, 2016, 2:35am

Thanks this worked for me!
crt-ignore-err all

Syntax:
crt-ignore-err <errors

How could I find the specific crt error applicable in this case?
I don’t see error-id in HAProxy logs, is there better way to find all error-ids from HAProxy code or otherwise. Please share the pointers.

I would like to ignore specific error instead of ignoring ‘all’ errors.

lukastribus · August 11, 2016, 2:36pm

Error codes are defined in openssl’s include/openssl/x509_vfy.h:

github.com

openssl/openssl/blob/master/include/openssl/x509_vfy.h#L99




# define X509_L_FILE_LOAD        1
# define X509_L_ADD_DIR          2


# define X509_LOOKUP_load_file(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)


# define X509_LOOKUP_add_dir(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)


# define         X509_V_OK                                       0
# define         X509_V_ERR_UNSPECIFIED                          1
# define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
# define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
# define         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
# define         X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE      5
# define         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
# define         X509_V_ERR_CERT_SIGNATURE_FAILURE               7
# define         X509_V_ERR_CRL_SIGNATURE_FAILURE                8
# define         X509_V_ERR_CERT_NOT_YET_VALID                   9
# define         X509_V_ERR_CERT_HAS_EXPIRED                     10

You can find a more verbose explanation of those errors in the openssl docs:
https://www.openssl.org/docs/manmaster/apps/verify.html

deepagarhaproxy · August 11, 2016, 3:38pm

Thanks a lot! @lukastribus

Topic		Replies	Views
Opportunistic client certificate validation Help!	2	1338	August 17, 2017
SSL client certificate not trusted Help!	6	5518	November 15, 2021
Client certificate auth blocks access for some certs Help!	3	2100	October 6, 2020
Haroxy client certificat pb Help!	0	379	November 11, 2021
Certificate not trusted/unknown once CRL is configured Help!	5	1880	November 15, 2021

Haproxy as server with CA signed cert to fetch self-signed client certificate

Related topics