Netgate Discussion Forum
    Haproxy Reverse proxy to old machine with old cipher

    Cache/Proxy | 30 Posts | 3 Posters
    NightlyShark @braunerroei

      @braunerroei Create new SSL certificate and key with the recommended settings (RSA 4096, SHA 385). Many guides exist for that kind of thing. If you need a public cert and have a domain name of your own, install and try the ACME package.

    braunerroei

        Hello

        Thank you for the reply.

        I do have a domain and a valid certificate, created by ACME package (Let's Encrypt).

        As I said, it was working with v 2.7.0 and not working anymore with 2.7.2.

        -Roei

    NightlyShark @braunerroei

    @braunerroei [screenshot attached]

    NightlyShark @braunerroei

    @braunerroei New cert:
    [screenshot attached]

    johnpoz LAYER 8 Global Moderator @braunerroei

    @braunerroei so you're doing

              internet ---> ha proxy on pfsense (SSL cert X) ----> your device (ssl cert Y) ?

              And ha proxy is giving you the warning about cert Y?

              I just let ha proxy do ssl offload, and don't run certs on my destination service...

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07 | Lab VMs 2.8, 25.07

    braunerroei @NightlyShark

                @NightlyShark
    Thank you NightlyShark, but settings are already like you suggested.

                I get "503 Service Unavailable - No server is available to handle this request."

    [screenshot attached]

    braunerroei @braunerroei

                  @braunerroei
                  Thank you "johnpoz".

    This is just the way it is, but not working.
    As I said before, it was working with 2.7.0, that means the configuration is good.

                  -Roei

    johnpoz LAYER 8 Global Moderator @braunerroei

    @braunerroei so which is it - you get a 503 via haproxy - and then this error if you try to directly access the machine without going through ha proxy?

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH


    braunerroei @johnpoz

                      @johnpoz
                      Yep...

    johnpoz LAYER 8 Global Moderator @braunerroei

                        @braunerroei Well if you are directly connecting to the machine, and not going through ha proxy - how is it a pfsense thing?

                        In your browser can't you view the cert that was presented.. normally with such errors there is advanced button, view cert, etc.

                        And if there is some error that even your browser is complaining about - I would expect haproxy to have same sort of issue with the cert.


    NightlyShark @johnpoz

                          @johnpoz Hi again! Could it be something about the upgrade to openssl 3 again?

    braunerroei @johnpoz

                            @johnpoz
                            Hello:
                            via HAProxy (fax.mydomain.com)- "503 Service Unavailable - No server is available to handle this request"

                            Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

                            -Roei

    johnpoz LAYER 8 Global Moderator @braunerroei

                              @braunerroei said in Haproxy Reverse proxy to old machine with old cipher:

                              Direct (x.x.x.x) - "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

    Which has ZERO to do with pfsense - ZERO.. You don't go through pfsense if you're directly accessing the machine, so no it wouldn't have anything to do with pfsense updating to openssl..

                              But yeah if you have something going on with it, then makes sense that haproxy would also complain. Fix it so your direct machine can access it.. And your haproxy issue most likely will be fixed as well.


    braunerroei @NightlyShark

                                @NightlyShark said in Haproxy Reverse proxy to old machine with old cipher:

                                openssl 3

                                I guess it is related to openssl 3.

                                -Roei

    johnpoz LAYER 8 Global Moderator @braunerroei

                                  @braunerroei said in Haproxy Reverse proxy to old machine with old cipher:

                                  I guess it is related to openssl 3.

    Not on pfsense it isn't - because when you access it direct and you're seeing this error.. Pfsense isn't involved at all.. Maybe if you updated openssl on this device that is hosting your service?


    braunerroei @johnpoz

                                    @johnpoz

                                    I know, that direct access has nothing to do with pfSense.

    I just sent the error code, in order to understand the issue, while direct access.

                                    The device is multitech fax finder FF130, I don't think I can update the openssl.

                                    -Roei

    johnpoz LAYER 8 Global Moderator @braunerroei

                                      @braunerroei if direct access isn't working why would you think it should work through haproxy?

    Like saying my car won't start when I sit in and turn the key.. But there is something wrong with my remote start because that isn't working ;)


    NightlyShark @braunerroei

                                        @braunerroei Wait, you were not performing SSL offloading? ... You had HAProxy in TCP mode? ... Then ... the cert you configure for HAProxy via ACME does nothing... Like it doesn't exist

    NightlyShark @johnpoz

                                          @johnpoz Still won't let me upvote you further... Damn rules...

    NightlyShark @braunerroei

                                            @braunerroei Can you disable SSL on the machine and put it behind HAProxy in SSL offloading mode?

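A hand-written haproxy.cfg, added here as an illustration and not taken from the thread or generated by the pfSense HAProxy package, contrasting the two modes NightlyShark asks about: TCP passthrough, where the ACME certificate is never presented, and SSL offloading to a plain-HTTP backend. The backend address 192.0.2.10, the PEM path and the port numbers are assumed placeholders.

```haproxy
# Added example, not from the thread or the pfSense package.
# Assumed placeholders: FaxFinder at 192.0.2.10, ACME PEM at /etc/haproxy/fax.pem.

global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Mode A: TCP passthrough ("TCP mode") ------------------------------
# HAProxy only shuttles bytes. The browser completes the TLS handshake
# with the FaxFinder itself, so the ACME certificate is never presented
# and the browser sees the same legacy-TLS failure as on direct access
# (ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Bound to 8443 here only so both
# fragments can coexist in one file.
frontend fax_tcp_passthrough
    mode tcp
    bind :8443
    default_backend fax_tcp

backend fax_tcp
    mode tcp
    # check-ssl makes HAProxy's own OpenSSL negotiate with the device for
    # the health check. If that handshake fails, the server is marked
    # DOWN and every client gets the default
    # "503 Service Unavailable - No server is available to handle this request".
    server faxfinder 192.0.2.10:443 check check-ssl

# --- Mode B: SSL offloading (what the thread recommends) ---------------
# HAProxy terminates TLS with the ACME cert and current defaults, and
# talks plain HTTP to the device, so the device's outdated TLS stack is
# exposed neither to clients nor to HAProxy's OpenSSL library.
frontend fax_https
    mode http
    bind :443 ssl crt /etc/haproxy/fax.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend fax_http

backend fax_http
    mode http
    option httpchk GET /
    # Plain HTTP to the device (HTTPS disabled on it, as suggested above).
    # A failing httpchk produces the same 503 text, so check it first.
    server faxfinder 192.0.2.10:80 check
```

`haproxy -c -f haproxy.cfg` validates the file without starting the proxy; on pfSense the package writes the equivalent from its GUI settings, where "SSL Offloading" on the frontend and a plain-HTTP backend server correspond to Mode B.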
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.