HAProxy unable to verify device certificate

farosch · February 1, 2021, 10:30am

Hi,

I’m trying to proxy traffic to our CRM-Server as I want to prevent accessing the server without a valid client certificate.

This is my configuration:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------

global
    log 127.0.0.1 local0 debug
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets. For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM
    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# Defaults section
#---------------------------------------------------------------------

# Regarding timeout client and timeout server:
# https://discourse.haproxy.org/t/high-number-of-connection-resets-during-transfers-exchange-2013/1158/4

defaults
    log global
    mode http
    option dontlognull
    option http-keep-alive
    option prefer-last-server
    no option httpclose
    no option http-server-close
    balance leastconn
    default-server inter 3s rise 2 fall 3
    timeout client 600s
    timeout http-request 10s
    timeout connect 4s
    timeout server 60s

#-------------------------------------------------------
# Stats section
#-------------------------------------------------------
 
listen stats
    bind *:444 ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem
    stats enable
    stats refresh 30s
    stats show-node
    stats auth admin:1234
    stats uri /
    stats admin if TRUE # Administration allowed
    stats show-legends

#---------------------------------------------------------------------
# Main Front-Ends that proxy to the Back-Ends
#---------------------------------------------------------------------

frontend fe_default
    bind *:80 name http
    bind *:443 name https ssl crt /etc/ssl/crm.DOMAIN.com/crm.DOMAIN.com.pem ca-file /etc/ssl/DOMAIN_CRM_Device_CA.crt verify required crt-ignore-err all
    
    http-request set-header X-SSL                       %[ssl_fc]
    http-request set-header X-SSL-Client-Verify         %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1           %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer                %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before     %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Serial         %{+Q}[ssl_c_serial,hex]
    http-request set-header X-SSL-Client-Version        %{+Q}[ssl_c_version]
    
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    maxconn 50000
    acl ssl_connection ssl_fc
    acl letsencrypt path_beg /.well-known/acme-challenge/
    acl is_web_path path_beg -i /updateCRM_web
    acl is_pad_path path_beg -i /updateCRM_pad
    acl path_check path_end -i HealthCheck.htm
    http-request redirect scheme https code 302 unless ssl_connection
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request deny if path_check
    use_backend be_crm if is_web_path
    use_backend be_crm if is_pad_path
    default_backend be_nomatch

#---------------------------------------------------------------------
# Back-Ends
#---------------------------------------------------------------------

backend be_letsencrypt
    server letsencrypt 127.0.0.1:8888
    
backend be_nomatch
    errorfile 503 /etc/haproxy/errors/400.http

backend be_crm
    server crmprod 10.32.0.170:443 ssl verify none maxconn 20000 weight 10 check

HAProxy starts up fine, without errors but unfortunately is unable to verfy my certificate. As you can see I have added crt-ignore-err all to line 64, but the result is the same as before.

My Browser prompts to select a certificate:
ImageGlass_meoPmzUkUB
but after selecting it just shows an error:

I tried to create the certificates as mentioned here: Client Certificate Authentication with HAProxy

Any ideas as to why HAProxy cannot validate the certifcates?
Also, /var/log/haproxy.log shows nothing helpful.

farosch · February 15, 2021, 12:58pm

No idea?
Anybody?

lukastribus · February 15, 2021, 10:52pm

I’d suggest you run a test with openssl s_server in the same configuration then haproxy and see what happens. Very likely openssl s_server is able to give better (debug) output to troubleshoot this then haproxy.

Topic		Replies	Views
Trying to install SSL Cert for use with HAPROXY. No luck Help!	10	9924	January 7, 2019
HTTPS ReverseProxy + Basic authentification Help!	6	2795	October 11, 2017
Configuration ssl <NOSRV> -1/-1/-1/-1/0 503 212 - - SC-- Configuration Samples	4	1212	February 13, 2023
SSL passthrough conditions not working, everything sent to default_backend Help!	2	725	November 5, 2021
Haproxy 2.8 uses self signed certificate - where does it take it from? Help!	6	233	November 9, 2023

HAProxy unable to verify device certificate

Related Topics