SSL client certificate not trusted

I have a rather simple setup where connection fails on the frontend with “SSL client certificate not trusted” and I’m really running out of ideas. I have checked everything multiple times and did not find anything wrong.

Also when using the same certificates on the backend without haproxy involved it works flawlessly. Also when removing “verify required ca-file ca.pem” from the frontend config it works.

Frontend config is quite simple as follows:

frontend testFE
    mode tcp
    option tcplog
    bind *:443 ssl crt /etc/haproxy/ssl/crt/server.pem verify required ca-file /etc/haproxy/ssl/ca/ca.pem
    default_backend testBE

Any suggestions on how to track this down any further?

Thanks a lot for your suggestions.

I just tried the following options to further track down the cause of the issue:

ca-ignore-err all
verify optional

Nothing changed, still getting “SSL client certificate not trusted”.

When adding “crt-ignore-err all” to the config it works, however if I understood this correctly this disables certificate verification altogether. Is this assumption correct?

Maybe anyone has an idea how to get any further from this point.

To answer my own question.

I just found the cause of the problem. The client certificate also had some Netscape certificate attributes included. After removing them the client certificate was considered valid by haproxy. The same certificate works flawlessly when used directly with the servers behind haproxy (tomcat). I have no idea why; however, this doesn’t matter anyway as Netscape certificate attributes are rarely used nowadays.

Just a wish.

Maybe it would be possible for haproxy to append the openssl error code to the “SSL client certificate not trusted” error message. This would reduce the time to find the root cause of certificate problems from hours to minutes.

THX

I got this error after upgrading from 1.8.7 to 2.0.19. In my case, the problem of “SSL client certificate not trusted” was that one of my client certificates was signed using SHA1. After changing to SHA256 I can login.

Probably due to the same problem, when I was using HaProxy 1.8.7 I had to add crt-ignore-err 4 to the “bind” configuration (error 4: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE). Now I don’t need this part anymore.

I have Netscape extensions (SSL Client, S/MIME) in client certificates and it is still working fine. Perhaps while removing this part you changed the signing method, and that did the job.

SSL error messages definitely could be more precise.
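The two root causes found in this thread (Netscape certificate attributes and a SHA1 signature) are both visible in the certificate itself before it ever reaches HAProxy, and the exact X509_V_ERR_* reason behind “SSL client certificate not trusted” is printed by `openssl verify` when the same check is run outside HAProxy. The script below is an added example, not code from the thread or from the HAProxy project: it pulls the signature algorithm and any Netscape extensions out of `openssl x509 -text` output and reproduces the CA verification step. The two sample outputs are constructed, and `client.pem` / `ca.pem` are placeholder file names.

```shell
#!/bin/sh
# Added example (not from the thread): triage a client certificate the way the
# two fixes in this thread suggest, before loading it into HAProxy.
#   1. Read the signature algorithm and Netscape extensions out of
#      `openssl x509 -text` output.
#   2. Run `openssl verify` against the CA to get the X509_V_ERR_* reason that
#      HAProxy's generic "SSL client certificate not trusted" message hides.
# File names (client.pem, ca.pem) are placeholders.

# Constructed sample: what `openssl x509 -in client.pem -noout -text` prints
# for a SHA-1-signed client cert carrying a Netscape Cert Type extension.
SAMPLE_SHA1_NETSCAPE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Client CA
        Subject: CN = alice
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption'

# Constructed sample: the same certificate re-signed with SHA-256, no Netscape bits.
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4661 (0x1235)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Client CA
        Subject: CN = alice
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption'

# cert_sig_alg: print the certificate's signature algorithm (first match on stdin).
cert_sig_alg() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# cert_netscape_exts: print the name of every Netscape extension present, one per
# line (empty output if the certificate carries none).
cert_netscape_exts() {
    sed -n 's/^[[:space:]]*\(Netscape [A-Za-z ]*\):.*/\1/p'
}

# classify_cert_text: read `openssl x509 -text` output on stdin and print one
# line per finding: "WEAK_SIG <alg>" for an MD5/SHA-1 signature,
# "NETSCAPE_EXT <name>" per Netscape extension, or "OK" if neither applies.
# Exit status is 1 when a weak signature was found, else 0.
classify_cert_text() {
    text=$(cat)
    rc=0
    alg=$(printf '%s\n' "$text" | cert_sig_alg)
    case "$alg" in
        sha1*|md5*|md2*) printf 'WEAK_SIG %s\n' "$alg"; rc=1 ;;
    esac
    ns=$(printf '%s\n' "$text" | cert_netscape_exts)
    if [ -n "$ns" ]; then
        printf '%s\n' "$ns" | sed 's/^/NETSCAPE_EXT /'
    fi
    if [ "$rc" -eq 0 ] && [ -z "$ns" ]; then
        echo OK
    fi
    return "$rc"
}

# inspect_client_cert FILE: run the classification on a real certificate file.
inspect_client_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# verify_against_ca CA_FILE CLIENT_FILE: the same chain/purpose check HAProxy
# performs for "verify required ca-file", but OpenSSL prints the X509_V_ERR_*
# reason (for example error 4 mentioned above) instead of a generic message.
verify_against_ca() {
    openssl verify -CAfile "$1" -purpose sslclient "$2"
}

# Usage on real files (placeholders):
#   inspect_client_cert client.pem
#   verify_against_ca ca.pem client.pem
```

Running `verify_against_ca` is the step worth doing before reaching for `ca-ignore-err` or `crt-ignore-err`: those directives make HAProxy accept the certificate despite the failure, whereas `openssl verify` tells you which check failed so the certificate can be fixed instead.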

Re-signing my client cert with SHA256 did the trick for me too. Thanks so much for the tip :beers: