HAProxy unable to verify device certificate


I’m trying to proxy traffic to our CRM-Server as I want to prevent accessing the server without a valid client certificate.

This is my configuration:

# Global settings

    log local0 debug
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets. For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
    tune.ssl.default-dh-param 2048

# Defaults section

# Regarding timeout client and timeout server:
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

    log global
    mode http
    option dontlognull
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    balance leastconn
    default-server inter 3s rise 2 fall 3
    timeout client 600s
    timeout http-request 10s
    timeout connect 4s
    timeout server 60s

# Stats section
listen stats
    bind *:444 ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem
    stats enable
    stats refresh 30s
    stats show-node
    stats auth admin:1234
    stats uri /
    stats admin if TRUE # Administration allowed
    stats show-legends

# Main Front-Ends that proxy to the Back-Ends

frontend fe_default
    bind *:80 name http
    bind *:443 name https ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem ca-file /etc/ssl/DOMAIN_CRM_Device_CA.crt verify required crt-ignore-err all
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1           %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer                %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before     %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Serial         %{+Q}[ssl_c_serial,hex]
    http-request set-header X-SSL-Client-Version        %{+Q}[ssl_c_version]
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    maxconn 50000
    acl ssl_connection ssl_fc
    acl letsencrypt path_beg /.well-known/acme-challenge/
    acl is_web_path path_beg -i /updateCRM_web
    acl is_pad_path path_beg -i /updateCRM_pad
    acl path_check path_end -i HealthCheck.htm
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request deny if path_check
    use_backend be_crm if is_web_path
    use_backend be_crm if is_pad_path
    default_backend be_nomatch

# Back-Ends

backend be_letsencrypt
    server letsencrypt
backend be_nomatch
    errorfile 503 /etc/haproxy/errors/400.http

backend be_crm
    server crmprod ssl verify none maxconn 20000 weight 10 check

HAProxy starts up fine, without errors but unfortunately is unable to verfy my certificate. As you can see I have added crt-ignore-err all to line 64, but the result is the same as before.

My Browser prompts to select a certificate:
but after selecting it just shows an error:

I tried to create the certificates as mentioned here: Client Certificate Authentication with HAProxy

Any ideas as to why HAProxy cannot validate the certifcates?
Also, /var/log/haproxy.log shows nothing helpful.

No idea?

I’d suggest you run a test with openssl s_server in the same configuration then haproxy and see what happens. Very likely openssl s_server is able to give better (debug) output to troubleshoot this then haproxy.