Netgate Discussion Forum

    HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca'

      safe

      Until now, reloading the HAProxy config has never returned any messages when the config is OK. However, after upgrading to 23.01 and HAProxy 2.6.6, I get this every time I reload the config:

      [NOTICE] (59163) : haproxy version is 2.6.6-274d1a4
      [NOTICE] (59163) : path to executable is /usr/local/sbin/haproxy
      [WARNING] (59163) : config : ca-file: 0 CA were loaded from '@system-ca'

      Is it supposed to be like this?

      Thanks

        NightlyShark @safe

        @safe Are all your CA and Server certs where they should be? Do they have the correct names? Does choosing another cert in HAProxy and then rechoosing the original change anything?

          safe @NightlyShark

          @nightlyshark said in HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca':

          your CA and Server certs where they should

          It looks like that. It is identical to how it was before the upgrade to 23.01, and to our other PFs running an older version.

          In CA (all valid):
          Acmecert: O=Let's Encrypt, CN=R3, C=US
          Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US
          Our own CA (Self generated)

          In certs (all valid):
          webConfigurator default
          example.com (our wildcard cert from Let's Encrypt that matches the frontend.)

          Tried to switch to "webconfigurator default" cert + save. Then back to real cert. But same warning as before.

          The setup is very basic at the moment, and has not been set in production yet. I got the same problem earlier after a test upgrade on another system, that I reverted back. After reverting back, warnings were gone.

          Thanks

            sparklyballs

            I have the same message when saving settings in haproxy.
            This appears in the log....

            Using the haproxy-devel package here.

            haproxy: check error output:
            [NOTICE] (45310) : haproxy version is 2.6.6-274d1a4
            [NOTICE] (45310) : path to executable is /usr/local/sbin/haproxy
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : ca-file: 0 CA were loaded from '@system-ca'
            Warnings were found.
            Configuration file is valid

              NightlyShark @sparklyballs

              @sparklyballs , @safe , then just doing what I can, bumping this up. Sorry, beyond me.

                NightlyShark @safe

                @safe Just a last thought, check the HAProxy-devel developer notes. Did they maybe deprecate a cert type (e.g., 1024 bit)? If yes, is there a work-around?

                  safe @NightlyShark

                  @nightlyshark Thanks for the suggestions, but I didn't find anything that looks related. The cert is also 2048 bits, just generated via the Acme package. I get the warning even if I disable the only frontend that is configured.

                    NightlyShark @safe

                    @safe That must be it, then. Do you have the ACME cert only, or the full certificate chain configured?

                      NightlyShark @safe

                      @safe 54716c31-250b-4629-8103-09403bf9af50-image.png

                        safe @NightlyShark

                        @nightlyshark
                        snap007829.png

                        Looks like everything is there.

                          NightlyShark

                          @safe Is your full error like what ... hmmm... @sparklyballs ... posted or just the @system-ca thing?

                            safe @NightlyShark

                            @nightlyshark
                            This is what I get after each reload. It doesn't look like anything is affected, but I have never got notices or warnings here in earlier versions when config is correct.
                            snap007830.png

                              NightlyShark @safe

                              @safe Perhaps write here, seems it is not the first time this appeared.

                                safe @NightlyShark

                                @nightlyshark Saw this one was closed, I'll try to create a new issue. As suggested in the issue, putting

                                httpclient.ssl.verify none

                                in global, removes my error.

                                Thanks for all the help.

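Added example (not part of the thread, and not pfSense or HAProxy project code): a shell check that counts the CA certificates in the directory '@system-ca' refers to and, for a CA bundle file that does contain certificates, prints the `httpclient.ssl.ca-file` global directive, which keeps certificate verification for HAProxy's internal HTTP client enabled where `httpclient.ssl.verify none` turns it off. The function names are hypothetical, and the mapping of '@system-ca' to SSL_CERT_DIR or OpenSSL's default certs directory is taken from the HAProxy and OpenSSL documentation, not from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Directory '@system-ca' refers to: SSL_CERT_DIR if set, otherwise
# OpenSSL's default certificate directory, OPENSSLDIR/certs.
system_ca_dir() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        printf '%s\n' "$SSL_CERT_DIR"
        return 0
    fi
    # `openssl version -d` prints a line of the form: OPENSSLDIR: "/path"
    dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    if [ -n "$dir" ]; then printf '%s/certs\n' "$dir"; else return 1; fi
}

# Count PEM certificate blocks in a bundle file, or in the regular files
# directly inside a directory. A missing path counts as 0. This approximates
# what HAProxy loads; it does not validate the certificates.
count_pem_certs() {
    path=$1
    total=0
    if [ -d "$path" ]; then
        for f in "$path"/*; do
            [ -f "$f" ] || continue
            n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
            total=$((total + ${n:-0}))
        done
    elif [ -f "$path" ]; then
        total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
    fi
    printf '%s\n' "${total:-0}"
}

# Print the global-section directive that points the internal HTTP client at
# a bundle file holding at least one CA; print nothing and return 1 otherwise.
httpclient_ca_line() {
    bundle=$1
    [ -f "$bundle" ] || return 1
    [ "$(count_pem_certs "$bundle")" -gt 0 ] || return 1
    printf 'httpclient.ssl.ca-file %s\n' "$bundle"
}

# Stand-alone use: sh check_ca.sh /path/to/ca-bundle.crt
if [ $# -gt 0 ]; then
    ca_dir=$(system_ca_dir || true)
    echo "@system-ca directory: ${ca_dir:-unknown}, certificates: $(count_pem_certs "$ca_dir")"
    httpclient_ca_line "$1" || echo "no CA certificates found in $1" >&2
fi
```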

                                  sparklyballs @safe
                                  @safe I get the exact same message when I try to save settings in haproxy.
                                  The message I posted was an excerpt from the system logs.

                                    safe @sparklyballs

                                    @sparklyballs I'll see if I can post an issue tomorrow. The notices and warnings are gone with the line above in global.

                                      NightlyShark @safe

                                      @safe Good luck!
