Netgate Discussion Forum
    HAProxy as internal reverse proxy -- ssl certifcate not working

    DHCP and DNS
    swemattias

      I have been struggling with setting up HAProxy as an internal reverse proxy. Following Lawrence System

      First thing I wanted to do was to set a DNS name for my Proxmox server, it does use a self-made certificate.
      I have made all the steps in the Lawrence YT:
      certificate
      frontend
      backend

      And it is not working, I get an error saying that it fails to connect, no error code.

      If I use dig for the DNS name I get the correct answer:

      ;; ANSWER SECTION:
      proxmox.internal.internet.          3600    IN      A       10.1.1.80
      

      It is when I run openssl I do see strange things:

      openssl s_client -servername proxmox.internal.internet -host 10.1.1.1 -port 443 < /dev/null
      CONNECTED(00000003)
      40E723DCD77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 5 bytes and written 315 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      Early data was not sent
      Verify return code: 0 (ok)
      

      What have I missed, what simple mistake am I making? I have stared at this for days now so I have gone blind. :)

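Added example, not from the thread: a small Python helper that runs the same openssl s_client probe the post shows and classifies its output. The "wrong version number" line together with "no peer certificate available" means the listener accepted the connection but did not answer with TLS, which is what an HAProxy frontend on port 443 without SSL offloading does; the embedded sample is built from the output quoted above, and the host and name in the live call are the thread's own values.

```python
import re
import subprocess

# Constructed sample: the lines the post's own openssl run produced. The
# listener accepted the TCP connection but answered with non-TLS bytes.
SAMPLE_NO_TLS = """CONNECTED(00000003)
40E723DCD77F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 315 bytes
Verify return code: 0 (ok)
"""

def diagnose(output: str) -> str:
    """Map openssl s_client output to the most likely frontend-side cause."""
    # 'wrong version number' with no peer certificate: the port is open but
    # whatever answered is not TLS, e.g. an HAProxy frontend on 443 without
    # SSL offloading, which replies with plain HTTP to the ClientHello.
    if "wrong version number" in output or "no peer certificate available" in output:
        return "listener is not speaking TLS: enable SSL offloading on the frontend"
    # TLS is up but the server had no certificate for the SNI name sent.
    if "unrecognized name" in output or "handshake failure" in output:
        return "TLS up but no certificate matched the SNI name: check frontend certificate"
    # Handshake completed; report the verify result (self-signed shows up here).
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    if m and m.group(1) != "0":
        return f"TLS handshake completed but verification failed: {m.group(2)}"
    if "subject=" in output:
        return "TLS handshake ok: certificate presented"
    return "unknown: inspect the output manually"

def probe(host: str, servername: str, port: int = 443) -> str:
    """Run the same probe as the post (-connect is equivalent to -host/-port)."""
    cmd = ["openssl", "s_client", "-servername", servername,
           "-connect", f"{host}:{port}"]
    res = subprocess.run(cmd, input=b"", capture_output=True, timeout=10)
    text = res.stdout.decode(errors="replace") + res.stderr.decode(errors="replace")
    return diagnose(text)

if __name__ == "__main__":
    print(diagnose(SAMPLE_NO_TLS))
    # print(probe("10.1.1.1", "proxmox.internal.internet"))  # live check
```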
        viragomann @swemattias

        @swemattias
        You did some strange configuration steps without mentioning them.

        Did your backend server really install request the Let's Encrypt cert, you stated in a connecting client?
        If not, remove the cert and the CA.

        And on the other hand, I guess you're missing the certificate in the frontend settings.
        Please post the whole frontend settings, so that we can verify it.
        This is more relevant to the error you got than the backend settings.

          swemattias @viragomann

          @viragomann Thank you, I will try that.
          Here is the Frontend that you wanted.

          https://ibb.co/9WVN0p3
          https://ibb.co/Jj1ySsx
          https://ibb.co/k54Tqsk

          So I did remove the CN certificate, added SSL Offloading to the frontend and added the cert under SSL offloading.
          That made radarr work, still not Proxmox.

            viragomann @swemattias

            @swemattias
            What exactly does "does not work" mean in this context?

            Did you remove the CA from the Proxmox backend?

            Is the backend shown as online on the stats page?

              swemattias @viragomann

              @viragomann Now it just spins and in the end I get a Cloudflare 522. That is a fall forward I would say. :)
              That is only for proxmox I should say. Not the other internal services.
              They have the same result from running the openssl cli.

              Proxmox has its self-signed certificate; can it be that which messes it up?

                viragomann @swemattias

                @swemattias
                So Cloudflare is involved in the access to your server? How?
                Is it the DNS resolution? Check if the host name resolves correctly.

                Proxmox has its self-signed certificate; can it be that which messes it up?

                If you use this on Proxmox itself and have disabled the SSL check in the backend, then no.
                If you use a self-signed certificate in the frontend and use Cloudflare to access it, then most probably yes.

                  swemattias @viragomann

                  @viragomann So yes, Cloudflare is resolving the DNS queries just fine.
                  That is why I didn't mention it.

                  In Proxmox there are 2 root PEMs which I cannot remove.

                  I tried to add another service with a self-signed cert and that fails too.
                  So there is a more common issue than a Proxmox-specific one, I think.

                    viragomann @swemattias

                    @swemattias
                    The error above doesn't come from HAProxy, rather from Cloudflare. So I don't think that the hostname resolves properly to your IP.
                    Seems you're using the Cloudflare proxy service.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.