    [haproxy-devel] ssl cert selection in frontends

      dexcs

      I can't select any certificate in the frontend section of haproxy. It says that there are no certificates defined, but there are some…
      However I have upgraded from 2.0 to 2.1 and the certs got created under 2.0? I noticed that certs in 2.1 can be defined as "server" certs. Maybe that's the problem that they can't be selected in haproxy? Because my old certs are not server certs.... By the way, what's the difference?

      Any more information you guys need for this?

      Max

        dexcs

        Okay, I can confirm that it's an issue with server certificates. Haproxy seems to display only server certs, however I had to import my cert and couldn't mark it as a server cert…

          PiBa

          The filter is removed in the GitHub source; it should be available soon for installation. (Somehow the latest merge takes longer to deploy to pfsense.com/packages/)

            dexcs

            OK, I've updated haproxy to the latest version and here's another bug.

            If I use an internally created cert all works as expected, but if I create a certificate with a certificate signing request haproxy could not load the cert. The problem is that the cert looks like this:

            
            -----BEGIN CERTIFICATE-----^M
            MIIFGDCCAwCgAwIBAgIDDQCaMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv^M
            b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ^M
            Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y^M
            dEBjYWNlcnQub3JnMB4XDTEzMDMyMDE2MTIwMFoXDTEzMDkxNjE2MTIwMFowHjEc^M
            MBoGA1UEAxMTZGIuaGV0em5lci5kb3plby5kZTCCASIwDQYJKoZIhvcNAQEBBQAD^M
            ggEPADCCAQoCggEBAL5jKpWX69wWZcPlIgp76JWrA7Ycyb7Pu6KU4Dl4Bqb8Dw4w^M
            dKkwfCrKS58NNwbpCgQSDuUlEPdys6S6ewHwl9k/KdSDoD0PpUFQDx5FPBoP2VJO^M
            MatBPrd/LSqcmR6Kj0JoKQmWpczfQHrSY1hqs/ZLebmgB/tgUQgUGPbIcj3ySB8M^M
            EYfAzHyirgxh3JntrDy4Rb8VjRNYoSs2b3Cbny7b+fdAfo+E/hfPKUBFZv4Cd1cq^M
            CR4Xa70SEoYMsCzrlZXfBvSvxOgzzumLuuaofjslo4zFHUGf3E868oGX1qMCcWss^M
            CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzAxBgNVHR8EKjAoMCag^M
            JKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDBBBgNVHREEOjA4^M
            ghNkYi5oZXR6bmVyLmRvemVvLmRloCEGCCsGAQUFBwgFoBUME2RiLmhldHpuZXIu^M
            ZG96ZW8uZGUwDQYJKoZIhvcNAQEFBQADggIBAGWRBWhmwwgeSbOowVRgR2DvTJak^M
            2uaBzP1gQCn2K8/O0HnYzCsRTJhlz4JFwiBpx8WRDoE4Z9TPlXH9rFxfpIt+e29F^M
            O20/dYrRO6O+NDIc9/2BklN28ji0Co+0Llf+3oq+shX/6WaO1jzf+bQRAgG4ruqm^M
            wrJ0Ngj0qQjt+pxAJAtJ6EWEAwHR+unJkMXT0T0VzFiS2cU3sgy8c3Npnw2XgDQZ^M
            cwxHFGONrTN9vPGi5n/161ladDbfjiK4sOFiSZ2pdtN2BmjqC5tVnfiMb5WfWrBK^M
            3gvqPJlM9omz+HnsI0ba+87KiAIu0qcSkSs/CZsOTTqdO8T+0bDsVF+s1gC96qOJ^M
            5+V7K5qf5EMrKv8DZmVM10TzmIlvFL8TsMezZhKViB3j2zYDLsKyV+2YLvdtGXSR^M
            R35C/Sxj86CgbDvOkGfeaV9IUT7p5IiPEzATlY1snWtSFNqXTHhfcwwN2vqm0dRS^M
            PTJl+66ka/CrFFQrJdLi7uBh4a/HRTQn6sF0rEx2BkrvLilj+46g1aYzMtG5IAM4^M
            c20fUSH6D7yGO26oTxmxoJulI9a1oM9jACMNA8Qwdzjiwj0Hlm+1Wbh1Ngx/1/J7^M
            GoS9XCJNmVxo/9EGIOCl27GrQUjlAwh+Tzz1XzZqRgXkGvD42RYg5Q65U42ozaLR^M
            /gUAiZ+uzLluFkVR^M
            -----END CERTIFICATE----------BEGIN PRIVATE KEY-----
            MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+YyqVl+vcFmXD
            5SIKe+iVqwO2HMm+z7uilOA5eAam/A8OMHSpMHwqykufDTcG6QoEEg7lJRD3crOk
            unsB8JfZPynUg6A9D6VBUA8eRTwaD9lSTjGrQT63fy0qnJkeio9CaCkJlqXM30B6
            0mNYarP2S3m5oAf7YFEIFBj2yHI98kgfDBGHwMx8oq4MYdyZ7aw8uEW/FY0TWKEr
            Nm9wm58u2/n3QH6PhP4XzylARWb+AndXKgkeF2u9EhKGDLAs65WV3wb0r8ToM87p
            i7rmqH47JaOMxR1Bn9xPOvKBl9ajAnFrLL0+5a8VtWyzKY1IgGBS9hBwa2xA/pPr
            MIRbDAN1AgMBAAECggEAFQYUXMKS/BHJGRHDaY73RxfEaCbTrGt6F+ECxbXYXjY1
            Hn+eAoBI8bBsh2kVi4bXfQjNh06IbpA0qZtz9v6Jcugwv+vJFdwz9oVpoE7QNsDK
            iiK0DWORUk2vTKFhv8HigpbKrFCt6uGMPC1+YUUT/2Xw/nELV3N9ebwrmwSuqRbk
            1ZZTikrIMPWH9CjfRtfi2iJuAZ5Lz3FSfrFY8lYRYxmWpDDwzFNZ5aFmN3+vSPL4
            iEWwZ/q1mx9rtnhCQqOEGlqkTerwMYzJIt76TmmPnQKBgQDuIycHTLjfKEB3a5Hr
            eAlpSbkTa2oH5y9pVKIgUAiqBBv0qdih9a/Fexao/W+Maqlp9Bk7a20F4SSXCPD/
            Lo0jx3ha52zoxQITI9HA1PDmMvdkwKQny/OsiOYVxhuKhnO9A+cpEiTeWZADfN+B
            JC8T0zhEtVJZOfkNJHpphukiCwKBgQDMqxenN1SFgxy3zVLh2JMj1sIGq/xgXSwv
            dt4UPP+UwbEva0KDwoTIpW9oISY8AMZTF3dY+ltbFEm0c5A7hwMVukNvUDaI4HmC
            UygJkvjwY8OjTVQcFBIyW5AeY8MWf3QWKvyvUXeSKihaUtY+RScAPNvOC7TJJlP/
            IUOhBeBgfwKBgFVDXtD9RmAYQGTBriBZ/Tymec6bMf6cZtxWwinBniiJihzixz7O
            Ad46QRXGkC79baUTEgm1X/av8vLk76zeVQiPfedGXzdEeoax14MsewhhDTUUyHG7
            U4beCUuYf/nsQ/pUMGsDJRI7jRXCmx/Y/cYiZU4sgcyStjpfajjoZgabAoGAR0/5
            /t6NibOkZvqYvW6L3jnvAwob9qugQK2HNcAHQZq3lREnbOdzAsJ57etW+iM+9ya/
            A/a/rB2GjOSTRdqGHaT36ConxkuIqvs0gRl/uarZOOYxv1LTAE7dCWmzSPyBw1OZ
            FbEqG3iq9MXWNn47155c7A8yH8BGFihN+yYkBxsCgYAHdyQXeLsmU0AP/Z6MS3me
            fhMCTeGnR2yuQUK08PwPxranUYw8q4dvLSqEvWHYUNohc4AEFyhkqnUfMWnXYM41
            dEy76jpOC15CbnwvnmcD+g==
            -----END PRIVATE KEY-----
            
            

            (I've deleted a few lines for security reasons..)

            Note the "^M" at the end of every line and the missing new lines….
            The big question is if this is a bug in the cert signing request or haproxy...

            Max
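
As an added example (not code from the thread or from the haproxy package), this Python code checks a combined certificate-plus-key PEM for the two defects dexcs points out above, carriage returns (shown as ^M) and an END marker fused to the next BEGIN marker, and writes a cleaned copy. The function names and the sample bundle are constructed for illustration; the sample bodies are placeholder bytes, not a real certificate or key.

```python
import base64
import re

# A PEM block, and an END marker followed directly by a BEGIN marker.
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
FUSED = re.compile(r"(-----END [A-Z0-9 ]+-----)[ \t]*(?=-----BEGIN )")


def diagnose(raw: bytes) -> list:
    """Return the defects from the post that are present in a combined PEM."""
    text = raw.decode("ascii", errors="replace")
    findings = []
    if "\r" in text:  # an editor shows a carriage return as ^M
        findings.append("carriage returns at line ends")
    if FUSED.search(text):
        findings.append("END and BEGIN markers on the same line")
    return findings


def normalize(raw: bytes) -> bytes:
    """Rewrite the bundle with LF line endings and one marker per line."""
    text = raw.decode("ascii").replace("\r\n", "\n").replace("\r", "\n")
    text = FUSED.sub(r"\1\n", text)
    blocks = BLOCK.findall(text)
    if not blocks:
        raise ValueError("no complete PEM block found")
    out = []
    for label, body in blocks:
        # Only checks that the body is valid base64; it does not parse ASN.1.
        base64.b64decode("".join(body.split()), validate=True)
        out.append(f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n")
    return "".join(out).encode("ascii")


def constructed_bundle() -> bytes:
    """Constructed sample: placeholder bytes, not a real certificate or key."""
    cert = base64.encodebytes(b"constructed-cert-" * 8).strip().replace(b"\n", b"\r\n")
    key = base64.encodebytes(b"constructed-key-" * 8)
    return (b"-----BEGIN CERTIFICATE-----\r\n" + cert + b"\r\n-----END CERTIFICATE-----"
            + b"-----BEGIN PRIVATE KEY-----\n" + key + b"-----END PRIVATE KEY-----\n")


if __name__ == "__main__":
    sample = constructed_bundle()
    print(diagnose(sample))
    print(normalize(sample).decode("ascii"))
```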

              PiBa

              I tried to reproduce this problem with a CSR from pfSense and then signing it on my local PC with openssl, but this didn't cause any problems when imported back into pfSense. Could you try and make a 'reproduction' with openssl with a self-signed CA certificate and use it to sign the request from pfSense?

              If you can get it reproduced this way, I would like to know every command and parameters you used to make the problem appear.

                dexcs

                I used cacert.org to generate a certificate. Can we chat again in jabber or irc please?

                  PiBa

                  Hey dexcs, I'm online on Jabber and IRC for the coming 4 hours.
