In the same HAProxy frontend we would like to configure certificate authentication.
We have two different sources of certificates: official client certificates and internal unofficial certificates.
- In the frontend configuration, the first ca-file parameter after verify is the base directory of the OS (/etc/ssl/certs)
- In the frontend configuration, the second ca-file parameter after verify is another directory where we keep specific certificates for client authentication
bind XX.XX.XX.XX:7000 ssl crt /etc/ssl/custom-certificat-list/haproxy/ verify required ca-file /etc/ssl/certs/ca-certificates.crt ca-file /etc/client-certificates/
We have an issue when the client presents its certificate and its chain to the server: the HAProxy server says it cannot validate the chain of the certificate (which is in the second directory).
But if we put the intermediate and root certificates of the client certificate in the second directory, it works.
It seems that for an official client certificate we have to put all the certificates of the chain (root CA included) in the server directory for it to work.
Does HAProxy have to possess each intermediate CA of a client certificate in its ca-file directory to validate it?
Why can't HAProxy find the root CA in the first directory instead of the second?
When there are two ca-file options in a frontend, is there a first-match logic for HAProxy?
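Added example, not code from the original post or from the HAProxy project: a script that reproduces the chain-building rules behind the question with OpenSSL alone. HAProxy hands the client's certificate to the OpenSSL X509 store for verification, so the same rules can be observed with openssl verify: the leaf is accepted only if the verifier can build a path from it to a self-signed root that is in the trust store, using either the intermediates the client sends with its certificate or intermediates already in the store. Here -CAfile plays the role of the ca-file trust store and -untrusted plays the role of the chain presented by the client. All CA names, subjects and file names are illustrative; the certificates are generated on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post or from HAProxy): reproduce the
# client-certificate chain-building rules with OpenSSL alone. The trust store
# given to -CAfile stands for HAProxy's ca-file; the file given to -untrusted
# stands for the intermediates the client sends during the handshake.
# All names below are illustrative and generated on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509v3 extensions: CA certificates vs. the end-entity client certificate
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# new_csr <name> <subject>: fresh EC key plus CSR, written to <name>.key / <name>.csr
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

new_csr root '/CN=Example Root CA'
new_csr int  '/CN=Example Intermediate CA'
new_csr leaf '/CN=client.example'

# Root: self-signed. Intermediate: signed by the root. Leaf: signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.crt >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# verify_leaf <trust-store pem> [extra openssl verify args...]: prints ok or fail
verify_leaf() {
  store=$1; shift
  if openssl verify -CAfile "$store" "$@" leaf.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# A store that holds the whole chain, as the post observed working
cat root.crt int.crt > root_and_int.pem

case_root_only_bare_leaf()    { verify_leaf root.crt; }                    # fail: no path to the root
case_root_only_client_chain() { verify_leaf root.crt -untrusted int.crt; } # ok: client supplied the intermediate
case_full_chain_in_store()    { verify_leaf root_and_int.pem; }            # ok: store supplies the intermediate
case_int_only_no_root()       { verify_leaf int.crt; }                     # fail: chain does not end at a trusted root
case_int_only_partial_chain() { verify_leaf int.crt -partial_chain; }      # ok: trusting the intermediate directly

printf 'store=root, client sends bare leaf:        %s\n' "$(case_root_only_bare_leaf)"
printf 'store=root, client sends leaf+intermediate: %s\n' "$(case_root_only_client_chain)"
printf 'store=root+intermediate, bare leaf:         %s\n' "$(case_full_chain_in_store)"
printf 'store=intermediate only, bare leaf:         %s\n' "$(case_int_only_no_root)"
printf 'store=intermediate only, -partial_chain:    %s\n' "$(case_int_only_partial_chain)"
```

The first two cases show that a store holding only the root is enough when the client really does send its intermediate in the handshake, and not otherwise; the third reproduces what the post observed (everything in the store works regardless of what the client sends); the last two show that a store containing only the intermediate is rejected unless partial chains are explicitly allowed, which is why the root CA also had to be present. The script says nothing about how HAProxy combines two ca-file keywords on one bind line; that is a question for the HAProxy documentation of the version in use.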