Haproxy with ssl offloading and acme fine, clientcerts from own CA ignored



  • Hi,
    I configured HAProxy for SSL offloading with Let's Encrypt certificates for multiple domains on one frontend IP. This works well with the following frontend ACL and action:

    • **ACL:** acl_www.mydomain.net - Expression: Host matches, value: www.mydomain.net

    • **Action:** use Backend - condition acl names: acl_www.mydomain.net, backend: BEmydomain

    Now, I'd like to add SSL client certificate verification for this one backend (www.mydomain.net), which I did as follows:

    • created a CA with CN myCA on pfSense, created the CRL myCRL for this CA, and created client certificates from the newly generated CA.

    • in HAProxy, I configured the "SSL Offloading - client certificates" section of the frontend SSL offloading server:

      • checked "Allow clients without a certificate to connect" (only one backend should be checked)

      • Table "Certificate authorities": freshly generated CA included

      • Table "Client verification CRL": freshly generated CRL myCRL of the freshly generated CA myCA included

    • Frontend ACLs added:

      • acl_ssl_c_required - Expression: SSL Client issued by CA common-name, value: myCA

      • acl_ssl_c_expired - Expression: SSL Client certificate verify error result, value: 10

      • acl_www.mydomain.net - Expression: Host matches, value: www.mydomain.net

    • Frontend Action table added:

      • use Backend - condition acl names: acl_www.mydomain.net acl_ssl_c_required !acl_ssl_c_expired, value: myCA

      • acl_ssl_c_expired - Expression: SSL Client certificate verify error result, value: 10

      The HAProxy log always reports:
      Dec 14 10:32:54 haproxy haproxy[54835]: {myClientIP}:32019 [14/Dec/2017:10:32:54.394] FE_ssl_offload/{pubicIP}:443: SSL handshake failure

      In my /var/etc/haproxy/haproxy.cfg the frontend section starts with:

      ```
      frontend FE_ssl_offload
      	bind			{publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pem
      ```

      I've been stuck on this for several days. Can you enlighten me?
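For reference, the setup the post describes expressed directly in haproxy.cfg, as an added example and not the poster's generated config: client certificates are optional on the shared bind, and enforcement happens per host at the HTTP level. Host names, backend names and file paths are taken from the post; the `crt-ignore-err` caveat comes from the HAProxy bind documentation, which states that without it a presented certificate that fails verification (expired, revoked, unknown CA) still aborts the handshake even with `verify optional`.

```haproxy
# Added illustration, not the pfSense-generated config. Names and paths
# are assumed from the post; adjust to your own setup.
frontend FE_ssl_offload
    # 'verify optional' only tolerates the ABSENCE of a client certificate.
    # A certificate that is presented but fails verification still aborts
    # the handshake unless the error is ignored here; with 'crt-ignore-err'
    # the handshake completes and the error code is exposed in ssl_c_verify,
    # so it can be evaluated by ACLs (e.g. value 10 = certificate expired,
    # 23 = certificate revoked, 0 = verification succeeded).
    bind {publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pem crt-ignore-err all ca-ignore-err all
    mode http

    # Host-based routing, equivalent to the GUI ACL acl_www.mydomain.net
    acl host_mydomain    req.hdr(host) -i www.mydomain.net

    # Client-certificate state:
    #   ssl_c_used      - client actually presented a certificate
    #   ssl_c_verify    - OpenSSL verify result (0 = ok)
    #   ssl_c_i_dn(CN)  - CN of the issuing CA, as in the GUI ACL
    acl client_cert_sent ssl_c_used
    acl client_cert_ok   ssl_c_verify 0
    acl client_cert_myca ssl_c_i_dn(CN) -m str myCA

    # Protected host: refuse unless a valid, unexpired, unrevoked cert
    # issued by myCA was presented. Other hosts on this bind stay open.
    http-request deny if host_mydomain !client_cert_sent
    http-request deny if host_mydomain !client_cert_ok
    http-request deny if host_mydomain !client_cert_myca

    use_backend BEmydomain if host_mydomain
    default_backend BEother

    # Record the verify result so rejected clients can be attributed
    # in the access log instead of showing up only as handshake failures.
    http-request capture ssl_c_verify len 3
```

Ignoring all verification errors at the TLS layer is only safe because every request to the protected host is then checked again by the `http-request deny` rules above; if those rules are removed, drop the `*-ignore-err` options as well.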

