HAProxy SSL handshake failure - unknown CA Error


#1

I have an HAProxy setup with a TCP-mode SSL configuration [to offload SSL socket traffic], but the socket is not connecting from the client.

To debug the problem I ran a sniffer; it shows the alert message “Unknown CA (48)”.

Firefox browser version: 49.0 [Ubuntu 16.04 LTS]

HAProxy config entry:

frontend wapp1
bind 10.11.12.202:8080 ssl crt /tmp/crt.pem ca-file /tmp/ca.pem verify optional crt-ignore-err all
default_backend app1

The certificates seem good. I checked them with openssl:

[root@webserver3 ~]# openssl verify -CAfile ca.pem -verbose crt.pem
crt.pem: OK
[root@webserver3 ~]#

Error:
SSL handshake failure

The problem occurs in the production environment. Could someone kindly help me with this?


#2

I even tried to get around the CA error by adding the option below to the configuration file, but it is still not working.
ca-ignore-all.

The entry looks like this:
bind 10.11.12.202:8080 ssl crt /tmp/crt.pem ca-file /tmp/ca.pem verify optional ca-ignore-err all

The above entry doesn’t fix the issue either. Any help? Thanks.


#3

You are configuring client certificates, so you installed a certificate in your browser, is that correct?

Is the error (Unknown CA) coming from the browser or from haproxy?


#4

Yes, I configured a client certificate, and the browsers have the root and intermediate CA installed.

The Unknown CA error comes from the client browser. I tested this on Ubuntu 16.04 LTS (Firefox 49.0, Firefox 50.0).
Both show the same error.


#5

That means the browser doesn’t recognize the CA (it’s about validating the server certificate), and therefore you are looking in the wrong place. Make sure the browser knows about this CA and that intermediate certificates are sent if necessary.

Is this a public CA or a private CA?


#6

It’s a public CA.

I am sending a certificate chain from the server (HAProxy), and when I access the site in Chrome it works, but it doesn’t work in Firefox on the same machine (running Ubuntu). I also tried accessing the same site from a Windows machine, and it worked in both browsers.

Firefox version: 50.1 (same on both Windows and Linux)
The site contains ActionScript that uses an SSL socket to connect to the backend server.


#7

Something is wrong with your certificate chain. Some browsers will work because they have the intermediate certificate in their cache; those browsers that don’t have the intermediate certificate in their cache cannot validate the certificate.

If the site is online, you can just use the SSL test here:
https://www.ssllabs.com/ssltest/

It will tell you exactly what’s wrong with the chain.
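The two replies above (make sure the intermediates are sent; browsers without a cached intermediate cannot build the chain) can be reproduced offline. The script below is an added example, not code from this thread or from the HAProxy project. It assumes the `openssl` command-line tool is installed; the CA names, the host name `app.example.test` and the temporary work directory are made up for the demo. It builds a root -> intermediate -> leaf chain, writes two candidate HAProxy `crt` bundles (leaf+key only, and leaf+intermediate+key), and then checks each the way a browser does: only the root is trusted, and whatever the server sends is treated as untrusted input. It also repeats the server-side `openssl verify` from the first post, which passes in both cases and therefore cannot detect a missing intermediate.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unknown_ca" chain problem
# with a private CA built by openssl. Names and paths are assumptions for the demo.
set -eu

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$W/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test
EOF

build_chain() {
  # Root CA (self-signed): the only thing the simulated browser trusts.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$W/root.key" -out "$W/root.pem" \
    -subj "/CN=Demo Root CA" -days 2 -config "$W/openssl.cnf" -extensions ca_ext 2>/dev/null
  # Intermediate CA signed by the root: a browser only has it if the server sends it.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/inter.key" -out "$W/inter.csr" \
    -subj "/CN=Demo Intermediate CA" -config "$W/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$W/inter.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial \
    -out "$W/inter.pem" -days 2 -extfile "$W/openssl.cnf" -extensions ca_ext 2>/dev/null
  # Leaf (server) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/leaf.key" -out "$W/leaf.csr" \
    -subj "/CN=app.example.test" -config "$W/openssl.cnf" 2>/dev/null
  openssl x509 -req -in "$W/leaf.csr" -CA "$W/inter.pem" -CAkey "$W/inter.key" -CAcreateserial \
    -out "$W/leaf.pem" -days 2 -extfile "$W/openssl.cnf" -extensions leaf_ext 2>/dev/null

  # Two candidate bundles for HAProxy's "crt": leaf+key only, and leaf+intermediate+key.
  cat "$W/leaf.pem" "$W/leaf.key" > "$W/leaf-only.pem"
  cat "$W/leaf.pem" "$W/inter.pem" "$W/leaf.key" > "$W/with-chain.pem"
}

# Simulate a browser that trusts only the root: take the certificates a server would
# send from the bundle (never the key), treat them as untrusted, and verify the first
# one (the leaf) against the root alone. Exit status 0 = chain validates.
client_verify() {
  bundle=$1
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
    "$bundle" > "$W/sent.pem"
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}' "$W/sent.pem" > "$W/sent-leaf.pem"
  openssl verify -CAfile "$W/root.pem" -untrusted "$W/sent.pem" "$W/sent-leaf.pem" >/dev/null 2>&1
}

# The check from the first post: the leaf verified against a local CA file that already
# contains the intermediate. It passes regardless of what the served bundle contains.
server_side_verify() {
  cat "$W/root.pem" "$W/inter.pem" > "$W/ca-with-inter.pem"
  openssl verify -CAfile "$W/ca-with-inter.pem" "$W/leaf.pem" >/dev/null 2>&1
}

build_chain
for b in leaf-only with-chain; do
  if client_verify "$W/$b.pem"; then
    echo "$b.pem: a client trusting only the root can build the chain"
  else
    echo "$b.pem: chain incomplete, a client trusting only the root sends unknown_ca (48)"
  fi
done
if server_side_verify; then
  echo "server-side 'openssl verify' against root+intermediate: OK (does not prove the served chain is complete)"
fi
```

Two practical notes follow from this. First, the file given to HAProxy's `crt` must carry the leaf certificate, then every intermediate, then the private key, in one PEM file; `openssl s_client -connect 10.11.12.202:8080 -showcerts </dev/null` on a live listener shows exactly which certificates it serves, which is the check `openssl verify` on the server cannot replace. Second, the `verify optional`, `crt-ignore-err` and `ca-ignore-err` keywords in the bind lines posted earlier only govern how HAProxy verifies the client certificate; they have no effect on the chain the browser validates, so they could not make this alert go away. The differing symptom between browsers is consistent with post #7: Chrome can also fetch a missing intermediate via the AIA URL in the leaf certificate, while Firefox does not, so a bundle without the intermediate fails only on clients that have never seen that intermediate before.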


#8

I checked the site’s SSL at SSL Labs, but it didn’t report any errors. It says "Certificates are OK".

Screenshot attached for your reference. Any suggestions, please?


#9

Share section “Additional Certificates”.


#10

Please find the details below.

Additional Certificates:

Certificate Path:


#11

Can you provide the exact error message you get in your browser please?

Does your browser trust the GlobalSign Root CA? It should, but if you removed it manually from the browser, it won’t.


#12

I see the error message only in the HAProxy log: "SSL handshake failure". I couldn’t see any error in the browsers; they just closed the connection.

But I catch this “Unknown CA” error message when I sniff the traffic on the interface.

Yes, the CA is installed in the browser. Screenshot attached for your reference.


#13

Consider taking a look at your browser logs, but I certainly don’t have enough information here to find the culprit.