Haproxy with SSL offloading error
-
Trying to have an SSL-based web site be accessible via HAProxy. The issue I'm having is that I created an offloading profile based on the HAProxy example, and when I try to access the web site I keep getting the following error:
SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
I'm using a Let's Encrypt certificate. Does it make a difference if the back end uses HTTP or HTTPS?
Any Help would be appreciated.
Thanks
cjb
-
Can you post the haproxy.cfg from the bottom of the settings tab?
And which frontend are you trying to connect to (if you have multiple)? With what domain or other options, if applicable?
-
Here are the sections of the config file relating to the backend called SecureNAS4 and the web site famille.accra.ca.
Thanks for the help
cjb
# Automatically generated, don't edit manually.
# Generated on: 2017-08-21 15:25
global
	maxconn			10000
	log			/var/run/log	local0	alert
	stats socket /tmp/haproxy.socket level admin
	uid			80
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	4096
	log-send-hostname	HaproxyMasterNode
	server-state-file	/tmp/haproxy_server_state
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats refresh 10
	stats admin if TRUE
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend Secure-offloading-3
	bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
	bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			filoptoreg	hdr(host) -i reg.filopto.com
	acl			remotehelp	hdr(host) -i remotehelp.accra.ca
	acl			familleNas	hdr(host) -i famille.accra.ca
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
	acl			aclcrt_Secure-offloading-3	hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
	use_backend WebServer214_http_ipvANY  if  filoptoreg aclcrt_Secure-offloading-3
	use_backend RemoteHelp25_http_ipvANY  if  remotehelp aclcrt_Secure-offloading-3
	use_backend SecureNAS4_http_ipvANY  if  familleNas aclcrt_Secure-offloading-3
	use_backend WEBServer14_http_ipvANY  if  aclcrt_Secure-offloading-3

backend SecureNAS4_http_ipvANY
	mode			http
	log			global
	use mailers
	level alert
	timeout connect		30000
	timeout server		30000
	retries			3
	server			SecureNas4 192.168.20.4:6245 check inter 1000
-
Seeing that you have "ca-file ..3.pem verify required", it looks like you require client certificates to be used / loaded in the browser. Is this something you indeed intend to require, and have you created and loaded appropriate client certificates?
-
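The diagnosis in the reply above comes down to one bind option. With `ca-file ... verify required` on the frontend, HAProxy sends a CertificateRequest during the TLS handshake and aborts the connection with a handshake alert when the browser has no certificate to offer; that happens before any Host header is seen, so every site on that frontend fails the same way, and it is independent of whether the backend is reached over HTTP or HTTPS. The following is an added example, not the poster's generated pfSense config and not part of the original thread; hostnames, paths, addresses and backend names are placeholders. It shows the failing form, the plain-offloading form that the poster ended up with, and a third form that keeps client certificates but only for one host, assuming that is something a reader actually wants:

```haproxy
# Added example; not the pfSense-generated config from the thread.
# All hostnames, certificate paths and server addresses are placeholders.
frontend https-in
    mode http

    # Form A (the failing setup): every client must present a certificate
    # signed by clientca.pem or the handshake is aborted with an alert.
    # Nothing at the HTTP layer (Host header, backend choice) can rescue it.
    # bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/clientca.pem verify required

    # Form B (what "removing that setting" gives): TLS is terminated here,
    # no client certificate is requested, any browser can connect.
    # bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Form C: request a client certificate but let the handshake complete
    # without one, then enforce per host with HTTP rules. A certificate that
    # is presented is still checked against the CA; a cert that fails that
    # check aborts the handshake unless ca-ignore-err/crt-ignore-err is set.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/clientca.pem verify optional

    acl host_nas     hdr(host) -i famille.example.net
    acl host_admin   hdr(host) -i remotehelp.example.net
    acl cert_present ssl_c_used
    acl cert_valid   ssl_c_verify 0

    # Only the admin host requires a valid client certificate. A browser
    # without one gets an HTTP 403 instead of a TLS alert, which is much
    # easier to see in the browser and in the HAProxy log.
    http-request deny if host_admin !cert_present
    http-request deny if host_admin !cert_valid

    use_backend nas_backend   if host_nas
    use_backend admin_backend if host_admin

backend nas_backend
    mode http
    # Plain HTTP to the backend. The browser's TLS handshake ends at HAProxy,
    # so this choice has no effect on the handshake alert discussed above.
    server nas 192.0.2.4:6245 check

backend admin_backend
    mode http
    # Re-encrypted to the backend; HAProxy now acts as the TLS client and
    # verifies the backend's certificate against a CA we control.
    server admin 192.0.2.5:443 ssl verify required ca-file /etc/haproxy/backendca.pem check
```

To confirm which form a running frontend is using without a browser, run `openssl s_client -connect host:443 -servername host </dev/null` and look at the output: a frontend that requests client certificates prints an "Acceptable client certificate CA names" section listing the CA from `ca-file`, while one that does not prints "No client certificate CA names sent". Form A additionally ends with a handshake failure alert when no certificate is supplied; Form C completes the handshake and the 403 only appears once an HTTP request is sent.
-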
Thanks, will try it without that setting and see if it works.
cjb
-
Thanks that worked.
cjb