Troubleshooting SSL Handshake Failure (backend)

I have my backend servers configured with a ssl-cert /path/ca.pem as this his how they were set up with our previous load balancer (server-ssl profile on bigip). They are giving a ‘ssl handshake failure’.

What would be some steps to try and resolve this? I took the certificate and key from the old profile and put them into a pem file. In theory this should work, I am unsure of where to start.

I dont know exactly, where your problem is.
Can’t haproxy connect to your backend servers or does your client gets a ssl handshake failure when connecting to haproxy?
Do you use a self-signed cert?
You should be able to use the pem file on frontend. I have the private, public and intermediate cert in the pem file for haproxy.
On backend you can configure haproxy to not verify the ssl cert. In an environment which you know and control this is/should be ok


Hi Markus,

The problem seems to be between HAProxy and the backend. It uses a different pem file to connect to the server for the healthcheck (and of course to send traffic). I took the certificate and key from the old server-ssl profile on our bigip and dumped them into a PEM file (there was no intermediate certificate on the bigip backend, but there is on the front --two different profiles).

So you’re thinking use the same PEM on the frontend and backend? When ssl verify none, I get a ‘L7 Timeout.’

Thanks for the response. I appreciate it.

Also, not a self-signed certificate.

what’s about the domain names?
one more question: you have a pem file on your backend (webserver), let’s say the domain is, you know setup haproxy and want to use the pem file on haproxy. am i right, that you use it on frontend? your clients (browsers, etc) will connect to and are routed to haproxy. then haproxy will connect to your backend webervers?

in this case the name the domain in pem-file and virtual hosts have to be the same. so both haproxy and your backend servers must listen or serve conent with the same domain name (


1 Like