HAProxy Load Balancer + vsftpd server

Hello all,

I need help configuring HAProxy + vsftpd with SSL/TLS certificates.

I will show my configuration of both the haproxy and vsftpd conf files, but first I want to describe my problems.

  1. Problem
    When I have a server certificate for vsftpd and the HAProxy LB just reroutes the connection, I get an error like:
    Fatal error: Certificate verification: certificate common name doesn't match requested host name '1.1.1.1'.

But when I put the certificate from the HAProxy server on the vsftpd server, everything works.

  2. Problem
    Now I want to have a certificate check on HAProxy + a CRL check. But when I put this in my HAProxy configuration:
    ssl crt /etc/haproxy/ELZ_HAPROXY_DEV_IP-10-63-242-4_bundle_key_cert.pem ca-file /etc/haproxy/ELZ_CA_A1_1_bundle.crt

I get [FEAT negotiation…].

Here is my haproxy.cfg:
frontend FTPES-frontend-login-21
    # control channel: TLS is terminated by HAProxy, client certificate required and checked against ca-file
    bind 1.1.1.1:21 ssl crt /etc/haproxy/bundle_key_cert.pem ca-file /etc/haproxy/bundle.crt verify required
    mode tcp
    option tcplog
    default_backend FTPES-backend-login-21

frontend FTPES04-frontend-data-21000-21200
    # passive data ports: no ssl on the bind, so the bytes are relayed unchanged
    bind 1.1.1.1:21000-21200
    mode tcp
    option tcplog
    default_backend FTPES04-backend-data-21000-21200

backend FTPES-backend-login-21
    mode tcp
    balance roundrobin
    server ftpes04 2.2.2.2 check port 21

backend FTPES04-backend-data-21000-21200
    mode tcp
    # no port on the server line: each connection is forwarded to the same port it arrived on
    server ftpes04 2.2.2.2 check port 21

My vsftpd.conf:

# SSL config

ssl_enable=YES
ssl_request_cert=YES
require_cert=YES
validate_cert=YES

force_local_data_ssl=YES
force_local_logins_ssl=YES
allow_anon_ssl=YES
force_anon_data_ssl=YES
force_anon_logins_ssl=YES

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_ciphers=HIGH

# Certificates

ca_certs_file=ca_bundle.crt
rsa_cert_file=server_cert.pem
rsa_private_key_file=priv_key.key.pem

# SSL config end

# User config

anonymous_enable=NO
local_enable=YES
guest_enable=YES
write_enable=YES
virtual_use_local_privs=YES
user_sub_token=$USER
local_root=/var/opt/ftpes/$USER
chroot_local_user=YES
allow_writeable_chroot=YES
hide_ids=YES
file_open_mode=0666
local_umask=0077
userlist_enable=YES

# IP, port config

listen=YES
listen_port=21
listen_address=2.2.2.2
pasv_enable=YES
pasv_min_port=21000
pasv_max_port=21200
pasv_promiscuous=NO

# IP address of Load Balancer 02

pasv_address=1.1.1.1
pasv_addr_resolve=NO
require_ssl_reuse=YES
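What the two situations in the post come down to, as an added example that is not part of the post and not HAProxy's or vsftpd's own code: explicit FTPS (FTPES) starts in plaintext on port 21 and is upgraded with the AUTH TLS command, whereas an HAProxy `bind ... ssl` front end terminates TLS from the first byte and expects a ClientHello, so a TLS-terminating listener on port 21 and an FTPES client each wait for the other. Separately, the client's hostname check compares the names in the server certificate with the address it dialled (1.1.1.1, the load balancer), not with the vsftpd host, which is why a certificate issued for the vsftpd machine fails behind a passthrough. The Python probe below drives the control channel by hand so each step is visible: banner, AUTH TLS, the TLS handshake with CA and hostname verification, then FEAT. The address 1.1.1.1:21 and the vsftpd TLS settings are taken from the post; the client certificate paths are placeholders; the fake listeners are constructed so the probe can be run offline.

```python
"""Explicit-FTPS (FTPES) control-channel probe for vsftpd behind HAProxy.
Added example, not code from the post or from HAProxy/vsftpd. Only the
load-balancer address 1.1.1.1:21 and the vsftpd TLS settings come from the
post; the fake listeners at the bottom are constructed for offline runs."""
import socket
import ssl
import threading


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True for a TLS record of type Handshake (0x16), major version 3: the first
    bytes an HAProxy `bind ... ssl` front end waits for. An FTPES client never sends
    them first; it waits for the "220" banner and upgrades with plaintext AUTH TLS."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def build_client_context(cafile=None, certfile=None, keyfile=None) -> ssl.SSLContext:
    """Client context matching the posted vsftpd settings: TLS 1.2 or newer, server
    certificate checked against the CA bundle and against the dialled host (the check
    behind "common name doesn't match requested host name"), plus a client certificate
    for ssl_request_cert=YES / require_cert=YES. The paths are caller-supplied."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def read_reply(rfile) -> str:
    """Read one FTP reply, joining multi-line replies (FEAT's 211-...211 End)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the control connection")
        text = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(text)
        if len(text) >= 4 and text[:3].isdigit() and text[3] == " ":
            return "\n".join(lines)


def probe_ftpes(host, port=21, ctx=None, timeout=5.0) -> dict:
    """Drive the explicit-FTPS upgrade by hand and report where it stops: no banner
    (listener wants TLS first), AUTH TLS refused, certificate name/CA failure, or
    success plus the names the server certificate carries."""
    ctx = ctx or build_client_context()
    out = {"banner": None, "auth_reply": None, "feat": None, "peer_names": [], "error": None}
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")
    try:
        try:
            out["banner"] = read_reply(rfile)
        except (socket.timeout, ConnectionError):
            out["error"] = "no 220 banner: listener is not plaintext FTP (TLS-terminating bind?)"
            return out
        sock.sendall(b"AUTH TLS\r\n")
        out["auth_reply"] = read_reply(rfile)
        if not out["auth_reply"].startswith("234"):
            out["error"] = "AUTH TLS refused: " + out["auth_reply"]
            return out
        try:  # TLS starts here on the same connection; the dialled host is verified
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as exc:
            out["error"] = "certificate verification failed: " + str(exc.verify_message)
            return out
        out["peer_names"] = [v for _, v in tls.getpeercert().get("subjectAltName", ())]
        tls.sendall(b"FEAT\r\n")
        out["feat"] = read_reply(tls.makefile("rb"))
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return out
    finally:
        sock.close()


def start_fake_listener(send_banner: bool) -> int:
    """Constructed stand-ins on a free loopback port: a plaintext FTP listener that
    refuses the upgrade, or a TLS-terminating front end that stays silent until it
    sees a ClientHello (which an FTPES client never sends first)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if send_banner:
                conn.sendall(b"220 (fake vsftpd)\r\n")
                conn.recv(64)  # the client's AUTH TLS
                conn.sendall(b"502 TLS not available on this listener\r\n")
            else:
                conn.settimeout(3.0)
                try:
                    conn.recv(8)  # waiting for a ClientHello, like `bind ... ssl`
                except socket.timeout:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the setup in the post, call `probe_ftpes("1.1.1.1", 21, build_client_context("ca_bundle.crt", "client.pem", "client.key"))` with your own file names (the two client-side names are placeholders); `probe_ftpes("127.0.0.1", start_fake_listener(False), timeout=1.0)` shows the no-banner case offline. For actual transfers, `ftplib.FTP_TLS(context=build_client_context(...))` followed by `prot_p()` performs the same AUTH TLS upgrade and, from Python 3.6 on, reuses the control connection's TLS session on the data connections, which is what `require_ssl_reuse=YES` in the posted vsftpd.conf demands of a client.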