HAProxy intermediate certificates (unknown issuer, missing chain)



  • We're using pfSense 2.1 & haproxy-devel 1.5-dev19 pkg v 0.5, but this might apply to earlier versions of the pfSense HAProxy package as well.

    We had some trouble getting HAProxy to supply the entire certificate chain. Clients would show the following error message (sample from Firefox 25):

    The certificate is not trusted because no issuer chain was provided.
    (Error code: sec_error_unknown_issuer)

    The intermediate and root CAs are added in the Cert Manager. The certificates are shown in the Certificate drop-down box as:

    name of certificate (CA: GoDaddySecureCA)

    Certificates where the individual certificates in the CA chain are not added in the Cert Manager will not show the CA after the certificate name. Thus the UI is aware of the existence of the chain certificates.

    We managed to trace this down to the way the haproxy.cfg file is generated (in /usr/local/pkg/haproxy.inc). One possible solution is to add the following code to the function haproxy_writeconf in haproxy.inc (around line 573), so the entire chain is written to the .crt file:

        // check ssl info
        if (strtolower($backend['type']) == "http" && $backend['ssloffload']) {
            // ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
            $ssl_crt = " crt /var/etc/{$backend['name']}.{$backend['port']}.crt";
            $cert = lookup_cert($backend['ssloffloadcert']);
            // HAProxy expects the server certificate and its private key in one PEM file
            $certcontent = base64_decode($cert['crt']) . "\r\n" . base64_decode($cert['prv']);
    // begin patch
            // ca_chain() returns the PEM of the issuing CA(s) known to the Cert Manager
            // (intermediate first, then root); appending it lets HAProxy send the full chain
            $certchaincontent = ca_chain($cert);
            if ($certchaincontent != "") {
                $certcontent .= "\n" . $certchaincontent;
            }
            unset($certchaincontent);
    // end patch
            file_put_contents("/var/etc/{$backend['name']}.{$backend['port']}.crt", $certcontent);
            unset($certcontent);
        } else {
            $ssl_crt = "";
            // path must be absolute (the original line was missing the leading slash)
            unlink_if_exists("/var/etc/{$backend['name']}.{$backend['port']}.crt");
        }


    Is there a better way to fix this? Are we missing something obvious in the UI?
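    As an added example (not code from this thread or from the pfSense package), the script below reproduces the problem offline: it builds a constructed root -> intermediate -> server chain with the openssl CLI, writes the combined PEM file the way the patched haproxy_writeconf does (server certificate, key, then the CA chain), and checks each bundle the way a browser would, trusting only the root. It assumes an openssl binary is on the PATH; all names and keys are throwaway values made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense package: build a constructed
# root -> intermediate -> leaf chain, write the combined PEM the patched
# haproxy_writeconf writes (server cert, key, CA chain), and verify each bundle
# with a trust store that holds only the root, as a browser would.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Throwaway test CAs and server certificate; names are constructed for this example.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj '/CN=Constructed Test Root CA' -days 3650 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Constructed Test Intermediate CA' 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=www.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null

# What the package wrote before the patch (no chain) and after it (chain appended).
cat leaf.crt leaf.key > before.crt
cat leaf.crt leaf.key int.crt > after.crt

# chain_ok BUNDLE ROOT: succeeds only if a client trusting just ROOT can build a
# path to the first certificate in BUNDLE using the other certificates in BUNDLE,
# which is all HAProxy sends. The private key block is dropped before verifying.
chain_ok() {
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1" > "$1.certs"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1.certs" > "$1.leaf"
    openssl verify -CAfile "$2" -untrusted "$1.certs" "$1.leaf" >/dev/null 2>&1
}

for bundle in before.crt after.crt; do
    if chain_ok "$bundle" root.crt; then
        echo "$bundle: chain complete"
    else
        echo "$bundle: incomplete chain (sec_error_unknown_issuer in the browser)"
    fi
done
```

    The same chain_ok check can be pointed at the /var/etc/<name>.<port>.crt file the package generates, with the real root CA as the second argument, to confirm the chain before clients see it.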


  • Rebel Alliance Developer Netgate

    Export both CAs certs, then import them as a new single CA with both PEMs included in the import box.

    --- begin blahblah ---
    blahblah
    --- end blahblah ---
    --- begin blahblah ---
    blahblah
    --- end blahblah ---



  • @Jimp, seems like a 'workaround' to me, though nice you found that to work 'as-is'.

    @DataGrafikk, thanks for reporting this issue and supplying the 'patch' to fix it.
    Your fix seems to me to be the proper way to do it. I'll try and give it a test run and include it in the package in a few days. (I don't have official certs which need an intermediate certificate, so I'll have to figure out how to generate some of my own.) Anyway, I expect that within a week or so I'll be able to test and add it.

    I don't think you missed something obvious. ;)

    Only the haproxy-devel package has SSL abilities, so the other haproxy packages are not affected.
    As for the haproxy-devel package itself, I guess when the certificate selection didn't exist and there was just one big memo box for the certificate it could have worked then. Though it wasn't very nice to configure it that way…

    Greets PiBa-NL



  • Hi DataGrafikk,

    Your fix is included in the online version, together with a button to recalculate the dependencies for the whole 'certificate chain', as I noticed it sometimes failed to keep that correct/complete.

    Let me know if you find any other issues.

    Thanks,
    PiBa-NL.



  • jimp's solution/workaround worked for me.

    thx

