4. Haproxy with ssl offloading and acme fine, clientcerts from own CA ignored

Haproxy with ssl offloading and acme fine, clientcerts from own CA ignored

  • O

    Hi,
    I configured HAProxy for SSL Offloading with Let's Encrypt certificates for multiple domains on one frontend IP. this works well with this Frontend acl and action:

    • **ACL:**acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

    • **Action:**use Backend - condition acl names acl_www.mydomain.net, backend: BEmydomain

    Now, I'd like to include SSL Client certificate verification for this one backend www.mydomain.net by:

    • created a CA with CN myCA on PFSense, created the CRL myCRL for this CA and created client certificates from newly generated CA.

    • in haproxy I configured for the Frontend SSL offloading server the SSL Offloading - client certificates part

      • checked allow clients without a certificate to connect (only one Backend should be checked)

      • Table Certificate authorities: fresh generated CA included

      • Table Client verification CRL: fresh generated CRL myCRL of fresh generated CA myCA included

    • Frontend ACLs added:

      • acl_ssl_c_required - Expression SSL Client issued by CA common-name, value: myCA

      • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

      • acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

    • Frontend Action table added:

      • use Backend - condition acl names acl_www.mydomain.net acl_ssl_c_required !acl_ssl_c_expired , value: myCA

      • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

      haproxy log reports always:
      Dec 14 10:32:54 haproxy haproxy[54835]: {myClientIP}:32019 [14/Dec/2017:10:32:54.394] FE_ssl_offload/{pubicIP}:443: SSL handshake failure

      in my /var/etc/haproxy/haproxy.cfg the frontend server starts with:

      
frontend FE_ssl_offload
	bind			{publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pemĀ 

      I'm stucking in this since several days. can you enlight me?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy