Haproxy as server with CA signed cert to fetch self-signed client certificate


#1

Hello,

I need urgent help.

I have HAProxy in server mode, having CA signed certificate.
I have client with self-signed certificate.

My requirements are the following: HAProxy should
a. fetch the client certificate
b. not verify the client certificate

Please suggest how to fulfill this requirement.

a. The config below in the frontend validates the client's self-signed cert against CA ca.crt, but the client cert is self-signed.

HAProxy error: SSL client certificate not trusted
bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify optional ca-ignore-err all

b. The config below errors on HAProxy start, saying ca-file is needed with verify optional

bind *:8443 ssl crt /etc/haproxy/server.pem verify optional ca-ignore-err all

c. The config below does not request the client cert

bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify none ca-ignore-err all

d. The config below does not request the client cert

bind *:8443 ssl crt /etc/haproxy/server.pem ca-ignore-err all

Thanks,
Deepak


#2

@thierry @lukastribus Please help with this problem statement.


#3

Since the certificate is self-signed, use:
crt-ignore-err all

instead of:
ca-ignore-err all

The latter ignores errors with intermediate/root certificates, but you have an error with the actual certificate (depth == 0), which is why you need to use the former:

http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#5.1-crt-ignore-err


#4

Thanks this worked for me!
crt-ignore-err all

Syntax:
crt-ignore-err <errors>

How could I find the specific crt error applicable in this case?
I don't see the error-id in the HAProxy logs; is there a better way to find all error-ids, from the HAProxy code or otherwise? Please share pointers.

I would like to ignore a specific error instead of ignoring 'all' errors.


#5

Error codes are defined in openssl's include/openssl/x509_vfy.h.

You can find a more verbose explanation of those errors in the openssl docs:
https://www.openssl.org/docs/manmaster/apps/verify.html
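As an added illustration of #4's question and #5's answer (this script is not from the thread or from HAProxy), the following reproduces the depth-0 verify failure with the openssl CLI, extracts the numeric error ID that crt-ignore-err takes, and looks the ID up in the installed x509_vfy.h. It assumes the openssl CLI is installed; the CA and the self-signed client certificate are constructed in a temporary directory, and the header path /usr/include/openssl/x509_vfy.h is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the depth-0 verify error that
# HAProxy's "verify optional" hits for a self-signed client cert, and print the
# numeric OpenSSL error ID that crt-ignore-err expects.
# Assumes the openssl CLI is installed; all certificates are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a private CA (what ca-file would point at) and a
# client certificate that is self-signed, i.e. not issued by that CA.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Verify a client cert against the CA the way the bind line does and return the
# numeric error ID reported at depth 0 (empty string if it verifies cleanly).
depth0_error_id() {
    # openssl verify exits non-zero on failure and reports on stderr; keep both.
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at 0 depth lookup.*/\1/p'
}

# Map a numeric ID back to its X509_V_ERR_* name using the installed header
# (assumed path; the file #5 points at). Prints nothing if it is not installed.
error_name() {
    [ -n "$1" ] || return 0
    grep -E "X509_V_ERR_[A-Z0-9_]+[[:space:]]+$1\$" /usr/include/openssl/x509_vfy.h 2>/dev/null \
        | awk '{print $(NF-1)}'
}

make_certs
ID=$(depth0_error_id "$WORK/ca.crt" "$WORK/client.crt")
echo "depth-0 verify error ID: ${ID:-none} $(error_name "$ID")"
# The ID is what goes into crt-ignore-err instead of "all" (HAProxy 1.6 syntax).
echo "bind *:8443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.crt verify optional crt-ignore-err ${ID:-all}"
```

For a self-signed client certificate the reported ID is 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), so `crt-ignore-err 18` ignores only that case rather than every depth-0 error.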


#6

Thanks a lot! @lukastribus