Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Haproxy with ssl offloading and acme fine, clientcerts from own CA ignored

    Cache/Proxy
    1
    1
    681
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      oki
      last edited by

      Hi,
      I configured HAProxy for SSL Offloading with Let's Encrypt certificates for multiple domains on one frontend IP. this works well with this Frontend acl and action:

      • **ACL:**acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

      • **Action:**use Backend - condition acl names acl_www.mydomain.net, backend: BEmydomain

      Now, I'd like to include SSL Client certificate verification for this one backend www.mydomain.net by:

      • created a CA with CN myCA on PFSense, created the CRL myCRL for this CA and created client certificates from newly generated CA.

      • in haproxy I configured for the Frontend SSL offloading server the SSL Offloading - client certificates part

        • checked allow clients without a certificate to connect (only one Backend should be checked)

        • Table Certificate authorities: fresh generated CA included

        • Table Client verification CRL: fresh generated CRL myCRL of fresh generated CA myCA included

      • Frontend ACLs added:

        • acl_ssl_c_required - Expression SSL Client issued by CA common-name, value: myCA

        • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

        • acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

      • Frontend Action table added:

        • use Backend - condition acl names acl_www.mydomain.net acl_ssl_c_required !acl_ssl_c_expired , value: myCA

        • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

        haproxy log reports always:
        Dec 14 10:32:54 haproxy haproxy[54835]: {myClientIP}:32019 [14/Dec/2017:10:32:54.394] FE_ssl_offload/{pubicIP}:443: SSL handshake failure

        in my /var/etc/haproxy/haproxy.cfg the frontend server starts with:

        
frontend FE_ssl_offload
	bind			{publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pemĀ 

        I'm stucking in this since several days. can you enlight me?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.