Thanks for pointing out the missing ssl keyword. I added that but am still seeing the same behavior. The ports are different because these HAProxy instances are Docker containers. The right-side one is listening on 443 in the container, which is mapped to 9090 on the host. I should have mentioned that in the original post. Sorry for the confusion.
In any case, even after adding the ssl keyword I still see the same issue. Namely, when I curl the HTTPS server from the client box in the diagram, I get:
* Trying 172.16.42.4...
* TCP_NODELAY set
* Connected to foo.bar.net (172.16.42.4) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: self signed certificate
The only self-signed certificates are the ones referenced by my HAProxy configs. The one that foo.bar.net presents is not. So it seems that curl is seeing one of these HAProxy certs.
What I thought I had configured was that HAProxy on the left would accept a connection and forward it to the backend server 172.16.42.4:9090, which is the frontend of HAProxy (right). I wanted the backend of HAProxy (left) to present the client cert to the HAProxy (right) frontend, and the HAProxy (right) frontend to present the referenced server cert to the HAProxy (left) backend, i.e. to the HAProxy server itself, not to the client connection that is being proxied across it. It seems that the right HAProxy server's cert is being presented to the curl client instead of to HAProxy (left backend) itself. Maybe HAProxy can't work like this?
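For readers comparing the two topologies this post describes, here is an added illustration (not the poster's configuration and not anything taken from their diagram) of how each is normally written in HAProxy. Certificate paths, the section names, the shared CA file, the verifyhost value and the `be_app` backend are assumptions; only the addresses 172.16.42.4:9090 and the name foo.bar.net come from the post.

```haproxy
# Added example, not the poster's config. Paths, names and ca.pem are assumed.

# ---- Variant A: the left proxy terminates TLS, then re-encrypts upstream ----
# The curl client's handshake completes against fe_left_terminate, so the
# "Certificate (11)" message curl logs carries left.pem, whatever the right
# proxy is configured with.
frontend fe_left_terminate
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/left.pem
    default_backend be_right_reencrypt

backend be_right_reencrypt
    mode http
    # A second, independent TLS session from the left proxy to the right proxy.
    # crt        = client certificate the LEFT proxy presents upstream
    # ca-file    = CA used to check the RIGHT proxy's server certificate
    # verifyhost = name the right proxy's certificate must match (assumed)
    server right 172.16.42.4:9090 ssl crt /etc/haproxy/certs/left-client.pem ca-file /etc/haproxy/certs/ca.pem verify required verifyhost foo.bar.net

# Right proxy (inside its container it binds 443, mapped to host port 9090).
frontend fe_right_mtls
    mode http
    # right.pem is presented to whoever opens the TLS session to this bind;
    # verify required means that peer must present a client cert that chains
    # to ca.pem.
    bind *:443 ssl crt /etc/haproxy/certs/right.pem ca-file /etc/haproxy/certs/ca.pem verify required
    default_backend be_app

backend be_app
    mode http
    server app 127.0.0.1:8080   # placeholder application server (assumed)

# ---- Variant B: the left proxy relays the TLS bytes without terminating ----
frontend fe_left_passthrough
    mode tcp
    bind *:443
    default_backend be_right_passthrough

backend be_right_passthrough
    mode tcp
    # No "ssl" keyword: encrypted bytes are forwarded unchanged, so the client's
    # handshake is with whatever terminates TLS upstream (here fe_right_mtls).
    server right 172.16.42.4:9090
```

In Variant A the left proxy owns two separate TLS sessions, and the client certificate configured on the server line is only ever shown to the right proxy; the curl client sees left.pem. In Variant B the left proxy never speaks TLS, so the certificate curl receives is right.pem, and because fe_right_mtls has `verify required`, the curl client itself would then have to present a certificate signed by ca.pem (curl's `--cert`/`--key`) or the handshake fails.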