Client cert validation with HAProxy

  • I have a functioning reverse proxy configured with HAProxy and Letsencrypt certs via the ACME package.  My configuration involves 2 HTTP backends pointing to internally hosted web services (emby & subsonic).  This is tied to a frontend listening on port 443 with SSL Offloading and ACL to match the host subdomain the appropriate backend.  I also have a separate backend and frontend for SSL redirect.  My haproxy.cfg is attached.

    I'm able to hit and and access my hosted services authenticated with my Letsencrypt cert without any issue.  Where I'm running into trouble is configuring certificate validation with HAproxy to restrict access to clients that don't have the cert installed locally.

    I exported the p12 for the Letsencrypt cert from the pfSense cert manager and installed it on my Windows10 machine under the Local Machine\Personal cert store.  Under my HAProxy HTTPS frontend, I selected the Letsencrypt CA under "Client verification CA certificates".  After installing the cert+key locally and selecting the CA for cert validation, I'm not able to hit either of my subdomains.  Chrome is returning a response of "ERR_BAD_SSL_CLIENT_AUTH_CERT"

    Unfortunately I can't find any usable log data for HAProxy to tell me where the blockage is, and documentation for client cert validation through HAProxy is very sparse.  Could there be additional rules I need to add in the ACL to validate the cert? Do I have to use a different cert for client validation than the Letsencrypt cert?  The cert I installed on Windows10 is the same cert configured in the frontend under "SSL Offloading"? Any thoughts or recommendations would be greatly appreciated.