Hi. I’m trying to configure SSL backend with letsencrypt certs, but i can’t find the solution. If i’m using certificates signed by my local ca, it works, if i’m using letsencrypt certificates - i have “Server * is DOWN, reason: Layer6 invalid response, info: “SSL handshake failure”, check duration: 4ms”. If i’m using “ssl verify none” with letsencrypt - it works too. Perhaps I am incorrectly specifying ca-file for letsencrypt certificates. i tried to use root cert from letsencrypt site (isrgrootx1.pem), tried to concatenate it with intermediate cert (lets-encrypt-r3.pem) in different orders. Backend’s has traefik as entripoint.
My config:
global
log 127.0.0.1:514 local0
defaults
log global
mode tcp
retries 2
timeout client 30m
timeout connect 4s
timeout server 30m
timeout check 5s
listen http
mode http
bind *:80
http-request redirect scheme https unless { ssl_fc }
listen https
mode http
option httplog
bind *:443 ssl crt /etc/ssl/certs/cert.pem
acl backend1 hdr(host) -i backend1.example.com
use_backend backend1 if backend1
acl backend2 hdr(host) -i backend2.example.com
use_backend backend2 if backend2
backend backend1
mode http
option httpchk
http-check connect ssl
http-check send meth GET uri /health hdr Host backend1.example.com
http-check expect string good
balance leastconn
server s1 backend1.s1.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem
server s2 backend1.s2.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem
server s3 backend1.s3.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem
backend backend2
mode http
option httpchk
http-check connect ssl
http-check send meth GET uri /health hdr Host backend2.example.com
http-check expect string good
balance leastconn
server s12 backend2.s1.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem
server s22 backend2.s2.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem
server s32 backend2.s3.example.com:443 check ssl ca-file /etc/ssl/certs/ca-cert.pem