[haproxy-devel] ssl cert selection in frontends



  • I can't select any certificate in the frontend section of haproxy. It says that there are no certificates defined, but there are some…
    However, I have upgraded from 2.0 to 2.1 and the certs got created under 2.0? I noticed that certs in 2.1 can be defined as "server" certs. Maybe that's the problem, that they can't be selected in haproxy? Because my old certs are not server certs.... By the way, what's the difference?

    Any more information you guys need for this?

    Max



  • Okay, I can confirm that it's an issue with server certificates. Haproxy seems to display only server certs; however, I had to import my cert and couldn't mark it as a server cert…



  • The filter is removed in the GitHub source and should be available soon for installation. (Somehow the latest merge takes longer to deploy to pfsense.com/packages/.)



  • OK, I've updated haproxy to the latest version and here's another bug.

    If I use an internally created cert all works as expected, but if I create a certificate with a certificate signing request, haproxy could not load the cert. The problem is that the cert looks like this:

    
    -----BEGIN CERTIFICATE-----^M
    MIIFGDCCAwCgAwIBAgIDDQCaMA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv^M
    b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ^M
    Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y^M
    dEBjYWNlcnQub3JnMB4XDTEzMDMyMDE2MTIwMFoXDTEzMDkxNjE2MTIwMFowHjEc^M
    MBoGA1UEAxMTZGIuaGV0em5lci5kb3plby5kZTCCASIwDQYJKoZIhvcNAQEBBQAD^M
    ggEPADCCAQoCggEBAL5jKpWX69wWZcPlIgp76JWrA7Ycyb7Pu6KU4Dl4Bqb8Dw4w^M
    dKkwfCrKS58NNwbpCgQSDuUlEPdys6S6ewHwl9k/KdSDoD0PpUFQDx5FPBoP2VJO^M
    MatBPrd/LSqcmR6Kj0JoKQmWpczfQHrSY1hqs/ZLebmgB/tgUQgUGPbIcj3ySB8M^M
    EYfAzHyirgxh3JntrDy4Rb8VjRNYoSs2b3Cbny7b+fdAfo+E/hfPKUBFZv4Cd1cq^M
    CR4Xa70SEoYMsCzrlZXfBvSvxOgzzumLuuaofjslo4zFHUGf3E868oGX1qMCcWss^M
    CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzAxBgNVHR8EKjAoMCag^M
    JKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDBBBgNVHREEOjA4^M
    ghNkYi5oZXR6bmVyLmRvemVvLmRloCEGCCsGAQUFBwgFoBUME2RiLmhldHpuZXIu^M
    ZG96ZW8uZGUwDQYJKoZIhvcNAQEFBQADggIBAGWRBWhmwwgeSbOowVRgR2DvTJak^M
    2uaBzP1gQCn2K8/O0HnYzCsRTJhlz4JFwiBpx8WRDoE4Z9TPlXH9rFxfpIt+e29F^M
    O20/dYrRO6O+NDIc9/2BklN28ji0Co+0Llf+3oq+shX/6WaO1jzf+bQRAgG4ruqm^M
    wrJ0Ngj0qQjt+pxAJAtJ6EWEAwHR+unJkMXT0T0VzFiS2cU3sgy8c3Npnw2XgDQZ^M
    cwxHFGONrTN9vPGi5n/161ladDbfjiK4sOFiSZ2pdtN2BmjqC5tVnfiMb5WfWrBK^M
    3gvqPJlM9omz+HnsI0ba+87KiAIu0qcSkSs/CZsOTTqdO8T+0bDsVF+s1gC96qOJ^M
    5+V7K5qf5EMrKv8DZmVM10TzmIlvFL8TsMezZhKViB3j2zYDLsKyV+2YLvdtGXSR^M
    R35C/Sxj86CgbDvOkGfeaV9IUT7p5IiPEzATlY1snWtSFNqXTHhfcwwN2vqm0dRS^M
    PTJl+66ka/CrFFQrJdLi7uBh4a/HRTQn6sF0rEx2BkrvLilj+46g1aYzMtG5IAM4^M
    c20fUSH6D7yGO26oTxmxoJulI9a1oM9jACMNA8Qwdzjiwj0Hlm+1Wbh1Ngx/1/J7^M
    GoS9XCJNmVxo/9EGIOCl27GrQUjlAwh+Tzz1XzZqRgXkGvD42RYg5Q65U42ozaLR^M
    /gUAiZ+uzLluFkVR^M
    -----END CERTIFICATE----------BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+YyqVl+vcFmXD
    5SIKe+iVqwO2HMm+z7uilOA5eAam/A8OMHSpMHwqykufDTcG6QoEEg7lJRD3crOk
    unsB8JfZPynUg6A9D6VBUA8eRTwaD9lSTjGrQT63fy0qnJkeio9CaCkJlqXM30B6
    0mNYarP2S3m5oAf7YFEIFBj2yHI98kgfDBGHwMx8oq4MYdyZ7aw8uEW/FY0TWKEr
    Nm9wm58u2/n3QH6PhP4XzylARWb+AndXKgkeF2u9EhKGDLAs65WV3wb0r8ToM87p
    i7rmqH47JaOMxR1Bn9xPOvKBl9ajAnFrLL0+5a8VtWyzKY1IgGBS9hBwa2xA/pPr
    MIRbDAN1AgMBAAECggEAFQYUXMKS/BHJGRHDaY73RxfEaCbTrGt6F+ECxbXYXjY1
    Hn+eAoBI8bBsh2kVi4bXfQjNh06IbpA0qZtz9v6Jcugwv+vJFdwz9oVpoE7QNsDK
    iiK0DWORUk2vTKFhv8HigpbKrFCt6uGMPC1+YUUT/2Xw/nELV3N9ebwrmwSuqRbk
    1ZZTikrIMPWH9CjfRtfi2iJuAZ5Lz3FSfrFY8lYRYxmWpDDwzFNZ5aFmN3+vSPL4
    iEWwZ/q1mx9rtnhCQqOEGlqkTerwMYzJIt76TmmPnQKBgQDuIycHTLjfKEB3a5Hr
    eAlpSbkTa2oH5y9pVKIgUAiqBBv0qdih9a/Fexao/W+Maqlp9Bk7a20F4SSXCPD/
    Lo0jx3ha52zoxQITI9HA1PDmMvdkwKQny/OsiOYVxhuKhnO9A+cpEiTeWZADfN+B
    JC8T0zhEtVJZOfkNJHpphukiCwKBgQDMqxenN1SFgxy3zVLh2JMj1sIGq/xgXSwv
    dt4UPP+UwbEva0KDwoTIpW9oISY8AMZTF3dY+ltbFEm0c5A7hwMVukNvUDaI4HmC
    UygJkvjwY8OjTVQcFBIyW5AeY8MWf3QWKvyvUXeSKihaUtY+RScAPNvOC7TJJlP/
    IUOhBeBgfwKBgFVDXtD9RmAYQGTBriBZ/Tymec6bMf6cZtxWwinBniiJihzixz7O
    Ad46QRXGkC79baUTEgm1X/av8vLk76zeVQiPfedGXzdEeoax14MsewhhDTUUyHG7
    U4beCUuYf/nsQ/pUMGsDJRI7jRXCmx/Y/cYiZU4sgcyStjpfajjoZgabAoGAR0/5
    /t6NibOkZvqYvW6L3jnvAwob9qugQK2HNcAHQZq3lREnbOdzAsJ57etW+iM+9ya/
    A/a/rB2GjOSTRdqGHaT36ConxkuIqvs0gRl/uarZOOYxv1LTAE7dCWmzSPyBw1OZ
    FbEqG3iq9MXWNn47155c7A8yH8BGFihN+yYkBxsCgYAHdyQXeLsmU0AP/Z6MS3me
    fhMCTeGnR2yuQUK08PwPxranUYw8q4dvLSqEvWHYUNohc4AEFyhkqnUfMWnXYM41
    dEy76jpOC15CbnwvnmcD+g==
    -----END PRIVATE KEY-----
    
    

    (I've deleted a few lines for security reasons..)

    Note the "^M" at the end of every line and the missing new lines….
    The big question is if this is a bug in the cert signing request or haproxy...

    Max
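
A check for the two defects pointed out in the post above (carriage returns and END/BEGIN markers run together on one line), as an added example that is not part of the original thread and not pfSense or HAProxy code. It assumes the "^M" shown is an editor's rendering of a carriage return; the function names and the sample bundle are constructed for illustration.

```python
import base64
import re

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
FUSED = re.compile(r"-----END [A-Z0-9 ]+-----[ \t\r]*-----BEGIN ")

def diagnose(pem):
    """Name the two defects pointed out in the post, if present."""
    found = []
    if "\r" in pem:
        found.append("carriage returns")
    if FUSED.search(pem):
        found.append("fused END/BEGIN markers")
    return found

def normalize(pem):
    """LF-only line endings, every boundary marker on its own line."""
    text = pem.replace("\r\n", "\n").replace("\r", "\n")
    text = BOUNDARY.sub(lambda m: "\n" + m.group(0) + "\n", text)
    lines = (ln.strip() for ln in text.split("\n"))
    return "\n".join(ln for ln in lines if ln) + "\n"

def blocks(pem):
    """Return [(label, decoded bytes)]; raise ValueError on bad structure."""
    out, label, body = [], None, []
    for line in normalize(pem).splitlines():
        m = BOUNDARY.fullmatch(line)
        if m and m.group(1) == "BEGIN" and label is None:
            label, body = m.group(2), []
        elif m and m.group(1) == "END" and m.group(2) == label:
            out.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
        elif m is None and label is not None:
            body.append(line)
        else:
            # Truncate so key material never ends up whole in an error message.
            raise ValueError("unexpected line: " + line[:40])
    if label is not None:
        raise ValueError("unterminated " + label + " block")
    return out

# Constructed sample: counter bytes, not a real certificate or key.
_cert = base64.encodebytes(bytes(range(60))).decode().strip().replace("\n", "\r\n")
_key = base64.encodebytes(bytes(range(60, 120))).decode().strip()
SAMPLE = ("-----BEGIN CERTIFICATE-----\r\n" + _cert + "\r\n"
          "-----END CERTIFICATE----------BEGIN PRIVATE KEY-----\n"
          + _key + "\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE), [(lbl, len(der)) for lbl, der in blocks(SAMPLE)])
```

Running `diagnose` on a bundle before import shows which of the two defects is present, and `normalize` produces a copy with neither.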



  • I tried to reproduce this problem with a CSR from pfSense and then signing it on my local PC with openssl, but this didn't cause any problems when imported back into pfSense. Could you try and make a 'reproduction' with openssl with a self-signed CA certificate and use it to sign the request from pfSense?

    If you can get it reproduced this way, I would like to know every command and parameters you used to make the problem appear.



  • I used cacert.org to generate a certificate. Can we chat again in jabber or irc please?



  • Hey dexcs, I'm online on Jabber and IRC for the coming 4 hours.

