Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Haproxy with ssl offloading and acme fine, clientcerts from own CA ignored

    Cache/Proxy
    1
    1
    458
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      oki last edited by

      Hi,
      I configured HAProxy for SSL Offloading with Let's Encrypt certificates for multiple domains on one frontend IP. this works well with this Frontend acl and action:

      • **ACL:**acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

      • **Action:**use Backend - condition acl names acl_www.mydomain.net, backend: BEmydomain

      Now, I'd like to include SSL Client certificate verification for this one backend www.mydomain.net by:

      • created a CA with CN myCA on PFSense, created the CRL myCRL for this CA and created client certificates from newly generated CA.

      • in haproxy I configured for the Frontend SSL offloading server the SSL Offloading - client certificates part

        • checked allow clients without a certificate to connect (only one Backend should be checked)

        • Table Certificate authorities: fresh generated CA included

        • Table Client verification CRL: fresh generated CRL myCRL of fresh generated CA myCA included

      • Frontend ACLs added:

        • acl_ssl_c_required - Expression SSL Client issued by CA common-name, value: myCA

        • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

        • acl_www.mydomain.net - Expression Host matches:, value: www.mydomain.net

      • Frontend Action table added:

        • use Backend - condition acl names acl_www.mydomain.net acl_ssl_c_required !acl_ssl_c_expired , value: myCA

        • acl_ssl_c_expired - Expression SSL Client certificate verify error result, value: 10

        haproxy log reports always:
        Dec 14 10:32:54 haproxy haproxy[54835]: {myClientIP}:32019 [14/Dec/2017:10:32:54.394] FE_ssl_offload/{pubicIP}:443: SSL handshake failure

        in my /var/etc/haproxy/haproxy.cfg the frontend server starts with:

        
frontend FE_ssl_offload
	bind			{publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pem 

        I'm stucking in this since several days. can you enlight me?

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy