HAProxy community

How can I verify backend server use root CA file?

#1
global
	tune.ssl.default-dh-param 2048
defaults
	log 127.0.0.1:514 user
	timeout connect 5000ms
	timeout client 5000ms
	timeout server 5000ms
	mode http
	option httplog
listen reverse-proxy
	bind 127.0.0.1:80
	acl test_acl hdr_end(host) -i wikipedia.org
	use_backend wikipedia if test_acl
backend wikipedia
	server wikipedia-server 208.80.153.224:443 ssl verify required ca-file /home/test/haproxy-certificate/GlobalSignRootCA.crt

For example www.wikipedia.org , I try to export the root CA of www.wikipedia.org from Firefox but it doesn’t work and complain with one haproxy 503 page.
If I export the whole certification chain of *.wikipedia.rog it is works, but I just want to verify the root CA because root CA almost never expired.

0 Likes