    HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca'

    • S
      safe last edited by safe

      Until now reloading HAProxy config has never returned any messages when config is ok. However after upgrading to 23.01 and HAProxy 2.6.6, I get this every time I reload the config:

      [NOTICE] (59163) : haproxy version is 2.6.6-274d1a4
      [NOTICE] (59163) : path to executable is /usr/local/sbin/haproxy
      [WARNING] (59163) : config : ca-file: 0 CA were loaded from '@system-ca'

      Is it supposed to be like this?

      Thanks

      • NightlyShark
        NightlyShark @safe last edited by

        @safe Are all your CA and Server certs where they should be? Do they have the correct names? Does choosing another cert in HAProxy and then rechoosing the original change anything?

        • S
          safe @NightlyShark last edited by

          @nightlyshark said in HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca':

          your CA and Server certs where they should

          It looks like that. It is identical to how it was before the upgrade to 23.01, and to our other PFs, running an older version.

          In CA (all valid):
          Acmecert: O=Let's Encrypt, CN=R3, C=US
          Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US
          Our own CA (Self generated)

          In certs (all valid):
          webConfigurator default
          example.com (our wildcard cert that matches the frontend, from Let's Encrypt.)

          Tried to switch to "webconfigurator default" cert + save. Then back to real cert. But same warning as before.

          The setup is very basic at the moment, and has not been set in production yet. I got the same problem earlier after a test upgrade on another system, that I reverted back. After reverting back, warnings were gone.

          Thanks

          • sparklyballs
            sparklyballs last edited by

            I have the same message when saving settings in haproxy.
            This appears in the log....

            Using the haproxy-devel package here.

            haproxy: check error output:
            [NOTICE] (45310) : haproxy version is 2.6.6-274d1a4
            [NOTICE] (45310) : path to executable is /usr/local/sbin/haproxy
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : Loading: Unable to parse OCSP response. Content will be ignored.
            [WARNING] (45310) : config : ca-file: 0 CA were loaded from '@system-ca'
            Warnings were found.
            Configuration file is valid

            • NightlyShark
              NightlyShark @sparklyballs last edited by

              @sparklyballs , @safe , then just doing what I can, bumping this up. Sorry, beyond me.

              • NightlyShark
                NightlyShark @safe last edited by

                @safe Just a last thought, check the HAProxy-devel developer notes. Did they maybe deprecate a cert type (eg, 1024 bit)? If yes, is there a work-around?

                • S
                  safe @NightlyShark last edited by

                  @nightlyshark Thanks for the suggestions, but I didn't find anything that looks related. The cert is also 2048 bits, just generated via the Acme package. I get the warning even if I disable the only frontend that is configured.

                  • NightlyShark
                    NightlyShark @safe last edited by

                    @safe That must be it, then. Do you have the ACME cert only, or the full certificate chain configured?

                    • NightlyShark
                      NightlyShark @safe last edited by

                      @safe 54716c31-250b-4629-8103-09403bf9af50-image.png

                      • S
                        safe @NightlyShark last edited by

                        @nightlyshark
                        snap007829.png

                        Looks like everything is there.

                        • NightlyShark
                          NightlyShark last edited by

                          @safe Is your full error like what ... hmmm... @sparklyballs ... posted or just the @system-ca thing?

                          • S
                            safe @NightlyShark last edited by

                            @nightlyshark
                            This is what I get after each reload. It doesn't look like anything is affected, but I have never got notices or warnings here in earlier versions when config is correct.
                            snap007830.png

                            • NightlyShark
                              NightlyShark @safe last edited by

                              @safe Perhaps write here, seems it is not the first time this appeared.

                              • S
                                safe @NightlyShark last edited by

                                @nightlyshark Saw this one was closed, I'll try to create a new issue. As suggested in the issue, putting

                                httpclient.ssl.verify none
                                

                                in global, removes my error.

                                Thanks for all the help.

                                1 Reply Last reply Reply Quote 1
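
An added example, not part of the original thread and not pfSense or HAProxy project code: `httpclient.ssl.verify none` silences the warning by turning off server certificate verification for HAProxy's built-in HTTP client, while the documented `httpclient.ssl.ca-file` directive points that client at an explicit CA bundle instead of `@system-ca`. The script below audits a config for the weakened setting and counts the PEM certificates in a candidate bundle; the function names, the section keyword list and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed names and sample data, not pfSense/HAProxy code).

# Print "directive value" for each httpclient.ssl.* line in the global section.
# The section keyword list below is not exhaustive.
httpclient_ssl_directives() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^(global|defaults|frontend|backend|listen|userlist|peers|resolvers|mailers|cache|program|ring|http-errors)$/ {
            in_global = ($1 == "global"); next
        }
        in_global && $1 ~ /^httpclient\.ssl\./ { print $1, $2 }
    ' "$1"
}

# Exit status 1 if the global section disables httpclient certificate checks.
audit_httpclient_verify() {
    verify=$(httpclient_ssl_directives "$1" | awk '$1 == "httpclient.ssl.verify" { v = $2 } END { print v }')
    cafile=$(httpclient_ssl_directives "$1" | awk '$1 == "httpclient.ssl.ca-file" { v = $2 } END { print v }')
    if [ "$verify" = "none" ]; then
        echo "WEAK: httpclient.ssl.verify none, server certificates are not checked"
        return 1
    fi
    # Unset directives fall back to the documented defaults.
    echo "OK: verify=${verify:-required} ca-file=${cafile:-@system-ca}"
}

# Count PEM certificate blocks in a bundle; prints 0 for a missing or empty file.
count_pem_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'global\n    maxconn 1000\n    httpclient.ssl.verify none\n\nfrontend www\n    bind :443\n' > "$demo_dir/weak.cfg"
printf 'global\n    httpclient.ssl.ca-file %s/ca.pem\n    httpclient.ssl.verify required\n' "$demo_dir" > "$demo_dir/fixed.cfg"
# Placeholder PEM blocks: only the markers matter for the count, these are not real certificates.
for i in 1 2; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' '-----END CERTIFICATE-----'
done > "$demo_dir/ca.pem"
: > "$demo_dir/empty.pem"

audit_httpclient_verify "$demo_dir/weak.cfg" || true
audit_httpclient_verify "$demo_dir/fixed.cfg"
echo "ca.pem: $(count_pem_certs "$demo_dir/ca.pem") CA, empty.pem: $(count_pem_certs "$demo_dir/empty.pem") CA"
```

A bundle that counts zero certificates would reproduce the same "0 CA were loaded" condition, so check the count before referencing the file from `httpclient.ssl.ca-file`.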
                                • sparklyballs
                                  sparklyballs @safe last edited by

                                  @safe I get the exact same message when I try to save settings in haproxy.
                                  The message I posted was an excerpt from the system logs.

                                  • S
                                    safe @sparklyballs last edited by

                                    @sparklyballs I'll see if I can post an issue tomorrow. The notices and warnings are gone with the line above in global.

                                    • NightlyShark
                                      NightlyShark @safe last edited by

                                      @safe Good luck!
