[haproxy-devel] ssl cert selection in frontends

dexcs

I can't select any certificate in the frontend section of haproxy. It says that there are no certificates defined, but there are some…
However i have upgraded from 2.0 to 2.1 and the certs got created under 2.0? I noticed that certs in 2.1 can be defined as "server" certs. Maybe thats the problem that they can't be selected in haproxy? Because my old certs are not server certs.... By the way, whats the difference?

Any more information you guys need for this?

Max

dexcs

okay, i can confirm that it's an issue with server certificates. Haproxy seems to display only server certs, however i had to import my cert and couldn't mark it as a server cert…

PiBa

The filter is removed in github source, should be available soon for instalation.. (somehow latest merge takes longer to deploy to pfsense.com/packages/)

dexcs

ok, i've updated haproxy to the latest version and here's another bug.

If i use a internal created cert all works as expected but if i create a certificate with a certificate sining request haproxy could not load the cert. The problem is that the cert looks like this:

-----BEGIN CERTIFICATE-----^M
MIIFGDCCAwCgAwIBAgIDDQCaMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv^M
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ^M
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y^M
dEBjYWNlcnQub3JnMB4XDTEzMDMyMDE2MTIwMFoXDTEzMDkxNjE2MTIwMFowHjEc^M
MBoGA1UEAxMTZGIuaGV0em5lci5kb3plby5kZTCCASIwDQYJKoZIhvcNAQEBBQAD^M
ggEPADCCAQoCggEBAL5jKpWX69wWZcPlIgp76JWrA7Ycyb7Pu6KU4Dl4Bqb8Dw4w^M
dKkwfCrKS58NNwbpCgQSDuUlEPdys6S6ewHwl9k/KdSDoD0PpUFQDx5FPBoP2VJO^M
MatBPrd/LSqcmR6Kj0JoKQmWpczfQHrSY1hqs/ZLebmgB/tgUQgUGPbIcj3ySB8M^M
EYfAzHyirgxh3JntrDy4Rb8VjRNYoSs2b3Cbny7b+fdAfo+E/hfPKUBFZv4Cd1cq^M
CR4Xa70SEoYMsCzrlZXfBvSvxOgzzumLuuaofjslo4zFHUGf3E868oGX1qMCcWss^M
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzAxBgNVHR8EKjAoMCag^M
JKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDBBBgNVHREEOjA4^M
ghNkYi5oZXR6bmVyLmRvemVvLmRloCEGCCsGAQUFBwgFoBUME2RiLmhldHpuZXIu^M
ZG96ZW8uZGUwDQYJKoZIhvcNAQEFBQADggIBAGWRBWhmwwgeSbOowVRgR2DvTJak^M
2uaBzP1gQCn2K8/O0HnYzCsRTJhlz4JFwiBpx8WRDoE4Z9TPlXH9rFxfpIt+e29F^M
O20/dYrRO6O+NDIc9/2BklN28ji0Co+0Llf+3oq+shX/6WaO1jzf+bQRAgG4ruqm^M
wrJ0Ngj0qQjt+pxAJAtJ6EWEAwHR+unJkMXT0T0VzFiS2cU3sgy8c3Npnw2XgDQZ^M
cwxHFGONrTN9vPGi5n/161ladDbfjiK4sOFiSZ2pdtN2BmjqC5tVnfiMb5WfWrBK^M
3gvqPJlM9omz+HnsI0ba+87KiAIu0qcSkSs/CZsOTTqdO8T+0bDsVF+s1gC96qOJ^M
5+V7K5qf5EMrKv8DZmVM10TzmIlvFL8TsMezZhKViB3j2zYDLsKyV+2YLvdtGXSR^M
R35C/Sxj86CgbDvOkGfeaV9IUT7p5IiPEzATlY1snWtSFNqXTHhfcwwN2vqm0dRS^M
PTJl+66ka/CrFFQrJdLi7uBh4a/HRTQn6sF0rEx2BkrvLilj+46g1aYzMtG5IAM4^M
c20fUSH6D7yGO26oTxmxoJulI9a1oM9jACMNA8Qwdzjiwj0Hlm+1Wbh1Ngx/1/J7^M
GoS9XCJNmVxo/9EGIOCl27GrQUjlAwh+Tzz1XzZqRgXkGvD42RYg5Q65U42ozaLR^M
/gUAiZ+uzLluFkVR^M
-----END CERTIFICATE----------BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+YyqVl+vcFmXD
5SIKe+iVqwO2HMm+z7uilOA5eAam/A8OMHSpMHwqykufDTcG6QoEEg7lJRD3crOk
unsB8JfZPynUg6A9D6VBUA8eRTwaD9lSTjGrQT63fy0qnJkeio9CaCkJlqXM30B6
0mNYarP2S3m5oAf7YFEIFBj2yHI98kgfDBGHwMx8oq4MYdyZ7aw8uEW/FY0TWKEr
Nm9wm58u2/n3QH6PhP4XzylARWb+AndXKgkeF2u9EhKGDLAs65WV3wb0r8ToM87p
i7rmqH47JaOMxR1Bn9xPOvKBl9ajAnFrLL0+5a8VtWyzKY1IgGBS9hBwa2xA/pPr
MIRbDAN1AgMBAAECggEAFQYUXMKS/BHJGRHDaY73RxfEaCbTrGt6F+ECxbXYXjY1
Hn+eAoBI8bBsh2kVi4bXfQjNh06IbpA0qZtz9v6Jcugwv+vJFdwz9oVpoE7QNsDK
iiK0DWORUk2vTKFhv8HigpbKrFCt6uGMPC1+YUUT/2Xw/nELV3N9ebwrmwSuqRbk
1ZZTikrIMPWH9CjfRtfi2iJuAZ5Lz3FSfrFY8lYRYxmWpDDwzFNZ5aFmN3+vSPL4
iEWwZ/q1mx9rtnhCQqOEGlqkTerwMYzJIt76TmmPnQKBgQDuIycHTLjfKEB3a5Hr
eAlpSbkTa2oH5y9pVKIgUAiqBBv0qdih9a/Fexao/W+Maqlp9Bk7a20F4SSXCPD/
Lo0jx3ha52zoxQITI9HA1PDmMvdkwKQny/OsiOYVxhuKhnO9A+cpEiTeWZADfN+B
JC8T0zhEtVJZOfkNJHpphukiCwKBgQDMqxenN1SFgxy3zVLh2JMj1sIGq/xgXSwv
dt4UPP+UwbEva0KDwoTIpW9oISY8AMZTF3dY+ltbFEm0c5A7hwMVukNvUDaI4HmC
UygJkvjwY8OjTVQcFBIyW5AeY8MWf3QWKvyvUXeSKihaUtY+RScAPNvOC7TJJlP/
IUOhBeBgfwKBgFVDXtD9RmAYQGTBriBZ/Tymec6bMf6cZtxWwinBniiJihzixz7O
Ad46QRXGkC79baUTEgm1X/av8vLk76zeVQiPfedGXzdEeoax14MsewhhDTUUyHG7
U4beCUuYf/nsQ/pUMGsDJRI7jRXCmx/Y/cYiZU4sgcyStjpfajjoZgabAoGAR0/5
/t6NibOkZvqYvW6L3jnvAwob9qugQK2HNcAHQZq3lREnbOdzAsJ57etW+iM+9ya/
A/a/rB2GjOSTRdqGHaT36ConxkuIqvs0gRl/uarZOOYxv1LTAE7dCWmzSPyBw1OZ
FbEqG3iq9MXWNn47155c7A8yH8BGFihN+yYkBxsCgYAHdyQXeLsmU0AP/Z6MS3me
fhMCTeGnR2yuQUK08PwPxranUYw8q4dvLSqEvWHYUNohc4AEFyhkqnUfMWnXYM41
dEy76jpOC15CbnwvnmcD+g==
-----END PRIVATE KEY-----

(I've deleted a few lines for security reasons..)

Note the "^M" at the end of every line and the missing new lines….
The big question is if this is a bug in the cert signing request or haproxy...

Max

PiBa

i tried to reproduce this problem with a csr from pfSense and then signing it on my local pc with openssl. but this didn't cause any problems when imported back into pfSense. could you try and make a 'reproduction' with openssl with a self signed CA certificate and use it to sign the request from pfSense?

if you can get it reproduced this way, i would like to know every command and parameters you used to make the problem appear.

dexcs

I used cacert.org to generate a certificate. Can we chat again in jabber or irc please?

PiBa

Hey dexcs, im online on Jabber and IRC for the coming 4 hours.