Update 2.4.3 to 2.4.4 HAProxy Error code: SSL_ERROR_RX_RECORD_TOO_LONG

WispAwayIS

Re: Problem with new update to HaProxy
My setup is a little different than @cjbujold but essentially the same outcome.

I can confirm this is an issue with the way the haproxy package updates and translates the config from haproxy-1.7.10 to haproxy17-1.7.11_1.

In haproxy-1.7.10, my ssl offload frontends have only one backend:

2.4.3-Services_HAProxy_Frontend_-edge.wispaway.net-_2019-10-31_23.42.05.jpg
Services_HAProxy_Backend_Edit_-edge.wispaway.net-_2019-10-31_22.45.04.jpg
Above you can see that SSL is set to 'yes' in my working 1.7.10 setup but below I only see 'check-ssl' in the rendered config.

backend WAN_HTTPS_tcp_ipvANY
	mode			tcp
	log			global
	balance			roundrobin
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_HTTPS 127.0.0.1:2043 check-ssl  verify none resolvers globalresolvers send-proxy

After updating to haproxy17-1.7.11_1, I suddenly have 2 different backends and a broken config throwing the Error code: SSL_ERROR_RX_RECORD_TOO_LONG that brought me here:

2.4.4-Services_HAProxy_Frontend_-edge.wispaway.net-_2019-10-31_23.30.45.jpg

After reading the linked post and fixing my issue, I went back to see what happened and found that when updating the config the Encrypt(SSL) flag gets set on the backend of the same name, not the new shared backend that's been magically created.

It's right there in the rendered config:

backend WAN_HTTPS_ssl_ipvANY
	mode			tcp
	id			122
	log			global
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN-HTTPS 127.0.0.1:2043 id 123 check-ssl  verify none resolvers globalresolvers send-proxy 

backend WAN_HTTPS_ipvANY
	mode			tcp
	id			121
	log			global
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN-HTTPS 127.0.0.1:2043 id 140 ssl  verify none resolvers globalresolvers send-proxy

Moving the 'ssl' flag to the magic backend fixes the issue:

backend WAN_HTTPS_ssl_ipvANY
	mode			tcp
	id			118
	log			global
	balance			roundrobin
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_HTTPS 127.0.0.1:2043 id 119 ssl check-ssl  verify none resolvers globalresolvers send-proxy 

backend WAN_HTTPS_ipvANY
	mode			tcp
	id			117
	log			global
	balance			roundrobin
	timeout connect		30000
	timeout server		7200000
	retries			3
	server			WAN_HTTPS 127.0.0.1:2043 id 100  resolvers globalresolvers send-proxy

Hope this helps somebody fix it quick. Users and Devs alike.

Also Charles

PiBa

@WispAwayIS
Hi you can likely resolve the issue by configuring the two separated ssl checkboxes on the backend server configuration properly. Your screenshot above shows an old package version with only 1 ssl checkbox.

As for the configuration upgrade in the pfSense package, yes i'm sorry there is a problem in some cases with it. But the package with 2 checkboxes has been around for quite a while now and i don't think i should try and fix the old upgrade code. As it seemed at the time there was a chance it would do the wrong thing either way.. i tried to upgrade it seamlessly but obviously there was a mistake in the 'config upgrade code' somewhere. But now it no-longer needs to 'auto-magically' determine if the backend should or shouldn't use ssl encryption for traffic, for checks or both.. Also i think most users have already upgraded their haproxy package quite a while.. but maybe i'm wrong there..

dragoangel

Forget about HAproxy "stable" - it like dinosaur, use only devel version which is "stable and old too but not dinosaur". I hope with pfSense 2.5 it will update to 1.9 or 2.0