Netgate Discussion Forum

    HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca'

    Cache/Proxy
    17 Posts 3 Posters 1.9k Views
    • S
      safe @NightlyShark

      @nightlyshark said in HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca':

      your CA and Server certs where they should

      It looks like that. It is identical to how it was before the upgrade to 23.01, and to our other PFs running an older version.

      In CA (all valid):
      Acmecert: O=Let's Encrypt, CN=R3, C=US
      Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US
      Our own CA (Self generated)

      In certs (all valid):
      webConfigurator default
      example.com (our wildcard cert from Let's Encrypt that matches the frontend.)

      Tried to switch to "webconfigurator default" cert + save. Then back to real cert. But same warning as before.

      The setup is very basic at the moment, and has not been set in production yet. I got the same problem earlier after a test upgrade on another system, that I reverted back. After reverting back, warnings were gone.

      Thanks

      • sparklyballsS
        sparklyballs

        I have the same message when saving settings in haproxy.
        This appears in the log....

        Using the haproxy-devel package here.

        haproxy: check error output:
        [NOTICE] (45310) : haproxy version is 2.6.6-274d1a4
        [NOTICE] (45310) : path to executable is /usr/local/sbin/haproxy
        [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
        [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
        [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
        [WARNING] (45310) : config : ca-file: 0 CA were loaded from '@system-ca'
        Warnings were found.
        Configuration file is valid

        • NightlySharkN
          NightlyShark @sparklyballs

          @sparklyballs , @safe , then just doing what I can, bumping this up. Sorry, beyond me.

          • NightlySharkN
            NightlyShark @safe

            @safe Just a last thought, check the HAProxy-devel developer notes. Did they maybe deprecate a cert type (e.g., 1024 bit)? If yes, is there a work-around?

            • S
              safe @NightlyShark

              @nightlyshark Thanks for the suggestions, but I didn't find anything that looks related. The cert is also 2048 bits, just generated via the Acme package. I get the warning even if I disable the only frontend that is configured.

              • NightlySharkN
                NightlyShark @safe

                @safe That must be it, then. Do you have the ACME cert only, or the full certificate chain configured?

                • NightlySharkN
                  NightlyShark @safe

                  @safe 54716c31-250b-4629-8103-09403bf9af50-image.png

                  • S
                    safe @NightlyShark

                    @nightlyshark
                    snap007829.png

                    Looks like everything is there.

                    • NightlySharkN
                      NightlyShark

                      @safe Is your full error like what ... hmmm... @sparklyballs ... posted or just the @system-ca thing?

                      • S
                        safe @NightlyShark

                        @nightlyshark
                        This is what I get after each reload. It doesn't look like anything is affected, but I have never got notices or warnings here in earlier versions when config is correct.
                        snap007830.png

                        • NightlySharkN
                          NightlyShark @safe

                          @safe Perhaps write here, seems it is not the first time this appeared.

                          • S
                            safe @NightlyShark

                            @nightlyshark Saw this one was closed, I'll try to create a new issue. As suggested in the issue, putting

                            httpclient.ssl.verify none
                            

                            in global, removes my error.

                            Thanks for all the help.

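The workaround in the post above turns off certificate verification for HAProxy's built-in HTTP client. The script below is an added example, not part of the original posts or of the pfSense package: it looks for a CA bundle that actually contains certificates and prints global-section lines that keep verification on through `httpclient.ssl.ca-file`, falling back to the thread's workaround only when no bundle is found. The candidate bundle paths are assumptions, and the thread does not confirm whether this clears the warning on 23.01.

```shell
#!/bin/sh
# Added example. Candidate bundle paths are assumptions; adjust them to
# wherever the system keeps its trusted root certificates.
CANDIDATES="/usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt"

# Count PEM certificates in a file; prints 0 if the file is missing or empty.
# This mirrors the "0 CA were loaded" condition in the warning.
count_cas() {
    if [ -r "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Print the first candidate path that holds at least one certificate.
find_bundle() {
    for f in "$@"; do
        if [ "$(count_cas "$f")" -gt 0 ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Emit lines for HAProxy's global section: a verified httpclient when a
# bundle exists, otherwise the thread's workaround, flagged as unverified.
httpclient_globals() {
    if bundle=$(find_bundle "$@"); then
        printf 'httpclient.ssl.ca-file %s\nhttpclient.ssl.verify required\n' "$bundle"
    else
        printf '# no usable CA bundle found; httpclient TLS is NOT verified\nhttpclient.ssl.verify none\n'
    fi
}

# Stand-alone run against the assumed candidate paths.
httpclient_globals $CANDIDATES
```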
                            • sparklyballsS
                              sparklyballs @safe

                              @safe I get the exact same message when I try to save settings in haproxy.
                              The message I posted was an excerpt from the system logs.

                              • S
                                safe @sparklyballs

                                @sparklyballs I'll see if I can post an issue tomorrow. The notices and warnings are gone with the line above in global.

                                • NightlySharkN
                                  NightlyShark @safe

                                  @safe Good luck!
