[Question] - Configuring HAProxy with wildcard certificate.



  • Hi,
    I'm trying to use a wildcard certificate (*.domain.com) on some backends, but I can't make it work.
    I've defined a shared frontend using ssl/https(tcp), port 443 (No SSL Offloading).

    I've created a backend called "ALPHA" for a local server (SSL, port 443). The wildcard certificate (*.domain.com) is installed on this machine.
    I've created a backend called "BETA" for a local server (SSL, port 443). This server contains a certificate called "beta.domain.com".

    Both URLs are correctly registered in the DNS.

    When I create a new frontend for the server "BETA", I use the option "Server Name Indication TLS extension matches: beta.domain.com" and use the BETA backend.
    I can open a browser window and enter https://beta.domain.com, and it works as expected.

    But when I create a frontend for the alpha server with the following settings: "Server Name Indication TLS extension matches: alpha.domain.com" and use the ALPHA backend,
    it doesn't work (it gives a timeout).

    I know that I'm probably doing something wrong, but I'm out of ideas.

    Can someone help me please?  :'(

    2.3.3-RELEASE (amd64)
    HAProxy:  pfSense-pkg-haproxy-devel 0.52_5



  • Can you share the haproxy.cfg from the bottom of the settings tab? It might help tell what's wrong.



  • Hi PiBa,
    I've sent you haproxy.cfg via PM. The QA-DEMO frontend/backend isn't working (it uses the *.domain.com certificate); there are 2 more frontends that work (zimbra and as2), and they use zimbra.domain.com and as2.domain.com.

    By the way, I've updated the haproxy-devel package to the latest version, and now the following message appears every time I add a new frontend/backend and press Apply changes:
    [ALERT] 141/051355 (24139) : sendmsg logger #1 failed: Connection refused (errno=61)

    I'm not interested in fixing that error right now (it seems to be related to the log facility); I want to know how I can use the wildcard SSL certificate.

    Thanks.



  • I don't see any obvious errors in the configuration.

    On the stats page, do the backend session counters count traffic when you attempt to connect?
    And does the backend show the server as 'up' on the stats page?
    Does the backend normally respond within 30 seconds?



  • Hi,
    In the stats page the backend is marked as down with the following message:
    Layer6 invalid response: Connection error during SSL handshake (Connection reset by peer).

    It's a Windows 2016 Standard Server, with an IIS server.



  • When you access the webserver directly, does it present the certificate properly to the browser?

    I've seen IIS sometimes have trouble depending on how the certificates were added to Windows; editing the bindings and pressing OK in the IIS Manager might then solve the issue.



  • Yes, if I open the browser and access it directly, like https://demo.domain.com, all is OK.
    But if I try to access it via HAProxy, the connection times out.

    Do you know if there's a fix or a workaround for IIS with wildcard certificates?



  • I've been using a wildcard cert for some time on a few IIS sites; it should work without special tricks. But as long as haproxy sees the server as 'down', it's not going to forward incoming connections.

    Perhaps try without healthchecks for testing?

    Does the IIS server 'require' SNI on the binding? Does it serve a cert when requested without a 'valid' name? Perhaps add a binding not requiring that, or disable the requirement completely?



  • I was trying to test the changes, but after the latest update to the "devel" package I can't restart HAProxy anymore.
    It shows this message repeated many times on screen every time I press Apply changes, and it seems that the service isn't restarted:

    [ALERT] 141/051355 (24139) : sendmsg logger #1 failed: Connection refused (errno=61)

    Do you know how I can fix this, and/or how I can jump to the stable package? I was using the devel package just to use HAProxy 1.7.

    Thanks!!!



  • To switch packages, just uninstall the current haproxy package and then install the desired one.
    As for the logging error on the settings tab, you can probably remove the configured log path /var/run/log and avoid the error.



  • It works now:

    Went to IIS Manager -> Default Web Site -> Bindings -> Edit HTTPS/443 -> check "Require Server Name Indication" -> Hostname (enter the URL hostname) and press OK.

    It seems that this is required under special circumstances.

    Thanks for the help!
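The thread never shows the actual haproxy.cfg, so the following is an added example, not the poster's configuration or anything generated by the pfSense package. It shows what the setup described above looks like in plain HAProxy syntax: one shared port 443 frontend in TCP mode that reads the SNI name from the ClientHello and passes the still-encrypted stream to the ALPHA or BETA backend, plus health checks that send an SNI name, which is what an IIS binding with "Require Server Name Indication" needs before it will complete the handshake (a check without SNI against such a binding is exactly the "Connection error during SSL handshake (Connection reset by peer)" seen on the stats page). Hostnames, backend addresses (10.0.0.11 and 10.0.0.12) and timeouts are placeholders. The `check-sni` keyword is assumed to require HAProxy 1.8 or newer; on the 1.7 devel package in the thread the check handshake carries no SNI, which is why the IIS-side binding change was the fix there.

```haproxy
# Added example; not the configuration from the thread.
# TLS pass-through on :443 routed by SNI, with SNI-aware health checks.
# Addresses and hostnames are placeholders.

defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend shared_443
    bind *:443
    # Hold the connection (up to 5s) until the TLS ClientHello has arrived,
    # otherwise req_ssl_sni is empty and no use_backend rule can match.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the SNI name the browser sent; the TLS session itself is not
    # terminated here, so the certificate stays on the IIS host.
    use_backend ALPHA if { req_ssl_sni -i alpha.domain.com }
    use_backend BETA  if { req_ssl_sni -i beta.domain.com }
    # No default_backend: a ClientHello with an unknown or missing SNI is dropped
    # instead of being handed to an arbitrary backend.

backend ALPHA
    # No 'ssl' keyword on the server line: the stream is already TLS and IIS
    # (holding the *.domain.com certificate) terminates it.
    # check-ssl makes the health check perform a TLS handshake; check-sni names
    # the host so a binding that requires SNI answers instead of resetting.
    # verify none: the check does not validate the server certificate chain
    # (HAProxy's default is to require verification and fail the check otherwise).
    server alpha 10.0.0.11:443 check check-ssl check-sni alpha.domain.com verify none

backend BETA
    # beta.domain.com carries its own (non-wildcard) certificate; same check shape.
    server beta 10.0.0.12:443 check check-ssl check-sni beta.domain.com verify none
```

To confirm from the pfSense shell whether a backend binding requires SNI, compare `openssl s_client -connect 10.0.0.11:443 -servername alpha.domain.com` with the same command without `-servername`: if only the second one is reset before a certificate is shown, the health check needs `check-sni` (or the binding needs the SNI requirement removed), and the stats page "Layer6" error will clear once the check handshake carries the name.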