I’m trying to use the pgsql-check for checking my postgres node backends. They provide SSL endpoints only. My configuration looks like this:
global
# Default SSL material locations
ca-base /usr/local/etc/haproxy/ca
crt-base /usr/local/etc/haproxy/cert
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS
ssl-server-verify none
tune.ssl.default-dh-param 2048
tune.h2.initial-window-size 1048576 # https://www.haproxy.com/documentation/hapee/1-8r1/traffic-management/enable-http2-protocol/
defaults
log global
mode http
option httpchk GET /
timeout connect 5000
timeout client 30000
timeout server 30000
default-server init-addr libc,none
listen postgres
bind *:5432
balance roundrobin
option pgsql-check user myuser
server db_1 qa-db-1:5432 check inter 10s fastinter 2s downinter 60s fall 3 rise 10 ssl verify required ca-file my-ca.crt
server db_2 qa-db-2:5432 check inter 10s fastinter 2s downinter 60s fall 3 rise 10 ssl verify required ca-file my-ca.crt backup
The checks fail with the following log output:
[NOTICE] (8) : New worker #1 (10) forked
[WARNING] (10) : Server postgres/db_1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 6ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
[WARNING] (10) : Backup Server postgres/db_2 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 11ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[NOTICE] (10) : haproxy version is 2.4.1-1ce7d49
[ALERT] (10) : proxy 'postgres' has no server available!
Checking the postgres log shows:
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] LOG: could not accept SSL connection: no suitable signature algorithm
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: SSL connection from "(anonymous)"
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: shmem_exit(0): 0 before_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: shmem_exit(0): 0 on_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: proc_exit(0): 1 callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: exit(0)
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
2021-08-02 18:54:10.987 CEST [14096] [unknown]@[unknown] DEBUG: proc_exit(-1): 0 callbacks to make
Manually executing the SSL handshake works fine:
# echo "" | openssl s_client -starttls postgres -CAfile /etc/haproxy/ca/my-ca.crt -connect 10.0.101.6:5432 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
[…]
verify return:1
---
Certificate chain
[…]
---
No client certificate CA names sent
Peer signature type: Ed25519
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1042 bytes and written 687 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 253 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
Am I doing something wrong here, or could anyone give me a hint on how to troubleshoot this, please? The HAProxy version I’m using is 2.4.1-1ce7d49.
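Added example, not part of the original post: the Postgres log above reports "no suitable signature algorithm" while s_client shows the server signing with Ed25519, so one check worth making is whether a TLS client that omits ed25519 from its signature_algorithms can complete a handshake with an Ed25519-certificate server at all. This POSIX shell script stands up a local OpenSSL test server with a constructed self-signed Ed25519 certificate and compares a client that offers ed25519 against one that only offers ECDSA/RSA-PSS; it assumes `openssl` 1.1.1 or later on PATH and a bindable local port (14433 unless PORT is set).

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the
# "no suitable signature algorithm" condition against a local test server.
set -u

WORK=$(mktemp -d)
PORT=${PORT:-14433}   # assumption: a free local TCP port
SERVER_PID=""

# Constructed self-signed Ed25519 certificate standing in for the server cert.
make_ed25519_cert() {
    openssl req -x509 -newkey ed25519 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Plain TLS listener (no Postgres STARTTLS; only the handshake is of interest).
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" \
        -key "$WORK/key.pem" -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1
}

stop_server() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
    rm -rf "$WORK"
    return 0
}

# handshake_result SIGALGS -> prints "ok" when the handshake completes with the
# given client signature_algorithms list, "fail" otherwise (s_client exits
# non-zero on a handshake failure).
handshake_result() {
    if echo Q | openssl s_client -connect "127.0.0.1:$PORT" \
          -CAfile "$WORK/cert.pem" -sigalgs "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

make_ed25519_cert
start_server
WITH_ED25519=$(handshake_result "ed25519:ECDSA+SHA256:RSA-PSS+SHA256")
WITHOUT_ED25519=$(handshake_result "ECDSA+SHA256:RSA-PSS+SHA256")
stop_server
printf 'client offering ed25519:   %s\n' "$WITH_ED25519"    # ok
printf 'client without ed25519:    %s\n' "$WITHOUT_ED25519" # fail
```

A "fail" in the second run is the server-side counterpart of the Postgres log line in the question; the same two s_client invocations can be pointed at the real backend (adding `-starttls postgres`) to see which signature_algorithms list the backend requires.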