Netgate Discussion Forum

HAProxy as internal reverse proxy -- ssl certificate not working

DHCP and DNS
8 Posts 2 Posters 341 Views
    swemattias
    last edited by Dec 12, 2024, 5:47 AM

    I have been struggling with setting up HAProxy as an internal reverse proxy. Following Lawrence System

    First thing I wanted to do was to set a DNS name for my Proxmox server, it does use a self-made certificate.
    I have made all the steps in the Lawrence YT:
    certificate
    frontend
    backend

    And it is not working, I get an error saying that it fails to connect, no error code.

    If I use dig for the DNS name I get the correct answer:

    ;; ANSWER SECTION:
    proxmox.internal.internet.          3600    IN      A       10.1.1.80
    

    It is when I run openssl I do see strange things:

    openssl s_client -servername proxmox.internal.internet -host 10.1.1.1 -port 443 < /dev/null
    CONNECTED(00000003)
    40E723DCD77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 315 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    

    What have I missed, what simple mistake am I making? I have stared at this for days now so I have gone blind. :)

      viragomann @swemattias
      last edited by Dec 12, 2024, 4:33 PM

      @swemattias
      You did some strange configuration steps without mentioning.

      Did your backend server really install request the Let's Encrypt cert, you stated in a connecting client?
      If not remove the cert and the CA.

      And on the other hand, I guess, you're missing the certificate in the frontend settings.
      Please post the whole frontend settings, so that we can verify it.
      This is more relevant to the error, you got, than backend settings.

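Added example, not part of either poster's reply: `wrong version number` with only 5 bytes read is what OpenSSL reports when the listener's first reply is not a TLS record, commonly a plaintext HTTP response from a frontend with no certificate bound. The sketch below sends a ClientHello over a plain socket and classifies the raw reply; the helper names `client_hello`, `classify` and `probe` are hypothetical, and the sample replies are constructed.

```python
import socket
import ssl


def client_hello(sni: str) -> bytes:
    """Let the ssl module build a real ClientHello without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.create_default_context()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now queued in `outgoing`
    return outgoing.read()


def classify(first: bytes) -> str:
    """Interpret the first bytes a listener sends back (TLS record header is 5 bytes)."""
    if not first:
        return "closed: listener accepted and hung up without replying"
    if len(first) >= 3 and first[0] in (0x15, 0x16) and first[1] == 0x03:
        kind = "alert" if first[0] == 0x15 else "handshake"
        return f"tls: {kind} record, listener speaks TLS"
    if first.startswith(b"HTTP/"):
        return "plaintext-http: listener has no TLS on this port"
    return f"unknown: not a TLS record header ({first!r})"


def probe(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Send a ClientHello over a plain socket and classify the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(sni))
        try:
            return classify(sock.recv(5))
        except socket.timeout:
            return "timeout: no reply to ClientHello"


if __name__ == "__main__":
    # Constructed sample replies, not captured from the poster's network.
    for sample in (b"HTTP/", b"\x16\x03\x03\x00\x5d", b"\x15\x03\x03\x00\x02", b""):
        print(sample, "->", classify(sample))
    # Live check with the address and name from the first post (run on the same LAN):
    # print(probe("10.1.1.1", 443, "proxmox.internal.internet"))
```

A `plaintext-http` result on port 443 points at the frontend bind (no SSL offloading or no certificate selected), not at the backend's self-signed certificate.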
        swemattias @viragomann
        last edited by swemattias Dec 12, 2024, 5:39 PM Dec 12, 2024, 5:31 PM

        @viragomann Thank you I will try that,
        Here is the Frontend that you wanted.

        https://ibb.co/9WVN0p3
        https://ibb.co/Jj1ySsx
        https://ibb.co/k54Tqsk

        So I did remove the CN certificate, added SSL Offloading to the frontend and added the cert under SSL offloading.
        That made radarr work, still not Proxmox.

          viragomann @swemattias
          last edited by Dec 12, 2024, 5:51 PM

          @swemattias
          What exactly means "does not work" in this context?

          Did you remove the CA from the Proxmox backend?

          Is the backend shown up as online on the stats page?

            swemattias @viragomann
            last edited by swemattias Dec 12, 2024, 9:09 PM Dec 12, 2024, 8:59 PM

            @viragomann Now it just spins and in the end I get a Cloudflare 522. That is a fall forward I would say. :)
            That is only for proxmox I should say. Not the other internal services.
            They have the same result from running the openssl cli.

            Proxmox has its self-signed certificate, can it be that which messes it up?

              viragomann @swemattias
              last edited by Dec 12, 2024, 9:59 PM

              @swemattias
              So Cloudflare is involved in the access to your server? How?
              Is it the DNS resolution? Check if the host name resolves correctly.

              > Proxmox has its self-signed certificate, can it be that which messes it up?

              If you use this on Proxmox itself and have disabled SSL check in the backend, then no.
              If you use a self-signed certificate in the frontend and use Cloudflare to access it, then most probably yes.

                swemattias @viragomann
                last edited by Dec 16, 2024, 6:21 AM

                @viragomann So yes, Cloudflare is resolving the DNS queries just fine.
                That is why I didn't mention it.

                In Proxmox there are 2 root PEMs which I cannot remove.

                I tried to add another service with a self-signed cert and that fails too.
                So there is more common issue than specific proxmox I think.

                  viragomann @swemattias
                  last edited by Dec 16, 2024, 12:37 PM

                  @swemattias
                  The error above doesn't come from HAProxy, rather from Cloudflare. So I don't think that the hostname resolves properly to your IP.
                  Seems you're using the Cloudflare proxy service.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.