Hello!
I’m using Cloudflare’s SSL certificate on my webserver
I have configured HAProxy front section as below:
listen front
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/
and I’ve put my concatenated certificate files in the path: /etc/haproxy/certs/
but when I try to use some pages on my website I’m getting this error in the logs:
front/1: SSL handshake failure (error:0A000416:SSL routines::sslv3 alert certificate unknown)
A file must contain a single cert (concatenated with intermediate certs and private key), however it must not contain multiple certs.
The certificate files are concatenated and each file contains just one certificate.
I’ve concatenated Private key + FullChain key into a file for those which I’ve created with Cloudflare bot, and I’ve concatenated Private key + Public key + CA root key for those which I’ve created on the Cloudflare origin certificate page.
and I’m using the latest version of HAProxy
The sequence in the file needs to be:
cert + intermediate cert(s) + private key
-----BEGIN CERTIFICATE-----
<actual cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate cert>
-----END CERTIFICATE-----
-----BEGIN EC/RSA PRIVATE KEY-----
<private key>
-----END EC/RSA PRIVATE KEY-----
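A check for the file layout given in the answer above (certificate, intermediate certificate(s), private key last), as an added example that is not part of the original thread or of HAProxy. The function name `check_bundle_layout` and the sample blocks are constructed for illustration; the check covers block order and base64 validity only, not whether the key matches the certificate or whether the file holds more than one leaf certificate.

```python
import base64
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
IGNORED = {"EC PARAMETERS"}  # emitted by some EC key generators; not a cert or key


def check_bundle_layout(pem_text):
    """Return layout problems for one bundle file; [] means the order is
    certificate, intermediate certificate(s), private key."""
    problems, labels = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label in IGNORED:
            continue
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"block {len(labels)} ({label}): body is not valid base64")
    if not labels:
        return ["no PEM blocks found"]
    keys = [i for i, l in enumerate(labels) if l in KEY_LABELS]
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    other = [l for l in labels if l != "CERTIFICATE" and l not in KEY_LABELS]
    if other:
        problems.append(f"unexpected block type(s): {other}")
    if not certs:
        problems.append("no certificate block")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    elif certs and keys[0] < certs[-1]:
        problems.append("private key is not the last block")
    return problems


def _block(label, payload):
    """Build a constructed PEM block; the payload is placeholder bytes, not real DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample blocks (no real certificate or key material).
LEAF = _block("CERTIFICATE", b"constructed leaf certificate")
INTERMEDIATE = _block("CERTIFICATE", b"constructed intermediate certificate")
KEY = _block("PRIVATE KEY", b"constructed private key")

if __name__ == "__main__":
    for name, text in [("answer's order", LEAF + INTERMEDIATE + KEY),
                       ("key first", KEY + LEAF + INTERMEDIATE)]:
        print(name, "->", check_bundle_layout(text) or "layout OK")
```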
Now I’m using the format you provided, I have another problem
HAProxy detects the path, but the link is not working, I checked the log files it looks like this:
front~ sub/srv1 0/0/0/0/0 307 137 - - ---- 1/1/0/0/0 0/0 "GET /first_part_of_path/Second_part_of_path HTTP/1.1"
and this is my config:
acl is_sub path_beg /first_part_of_path/
use_backend sub if is_sub
backend sub
    mode http
    server srv1 127.0.0.1:port
The log file confirms that it is routing /first_part_of_path/ to server srv1 of backend sub, exactly as the configuration implies.
I don’t know what "link is not working" means.
Haproxy doesn’t do any rewriting here. The server will see /first_part_of_path/Second_part_of_path as path.
Actually this link is for the X-UI panel of V2ray family VPN services. This link is for the subscription part; it must return the list of the configurations when the user hits the Update Subscription button on the client side,
but when the user does that, the client returns a failure message.