
Topic: haproxy with ssl offloading and acme fine, clientcerts from own CA ignored


Posted by oki:
Hi,
I configured HAProxy for SSL offloading with Let's Encrypt certificates for multiple domains on one frontend IP. This works well with this frontend ACL and action:
  • ACL: acl_www.mydomain.net - Expression: Host matches, value: www.mydomain.net
  • Action: use Backend - condition acl names: acl_www.mydomain.net, backend: BEmydomain

Now I'd like to add SSL client certificate verification for this one backend, www.mydomain.net, by:
  • creating a CA with CN myCA on pfSense, creating the CRL myCRL for this CA, and creating client certificates from the newly generated CA.
  • in HAProxy, on the frontend SSL offloading server, configuring the SSL Offloading - client certificates part:
    • checked "allow clients without a certificate to connect" (only one backend should be checked)
    • Table Certificate authorities: freshly generated CA included
    • Table Client verification CRL: freshly generated CRL myCRL of the freshly generated CA myCA included
  • Frontend ACLs added:
    • acl_ssl_c_required - Expression: SSL Client issued by CA common-name, value: myCA
    • acl_ssl_c_expired - Expression: SSL Client certificate verify error result, value: 10
    • acl_www.mydomain.net - Expression: Host matches, value: www.mydomain.net
  • Frontend Action table added:
    • use Backend - condition acl names: acl_www.mydomain.net acl_ssl_c_required !acl_ssl_c_expired, value: myCA
    • acl_ssl_c_expired - Expression: SSL Client certificate verify error result, value: 10
The HAProxy log always reports:
Dec 14 10:32:54 haproxy haproxy[54835]: {myClientIP}:32019 [14/Dec/2017:10:32:54.394] FE_ssl_offload/{pubicIP}:443: SSL handshake failure

In my /var/etc/haproxy/haproxy.cfg the frontend starts with:
Code:
frontend FE_ssl_offload
bind {publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pem

I've been stuck on this for several days. Can you enlighten me?
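As an added example (not the poster's configuration and not what the pfSense HAProxy package generates), this is how the setup described in the post looks as a hand-written haproxy.cfg when the client-certificate checks are expressed with HAProxy's own sample fetches. The backend names BEmydomain and BEother, the second host name and the file paths are assumed; `crt-ignore-err 10` is an assumption about the intended behaviour. The caveat that matters here: with `verify optional`, HAProxy still aborts the handshake when a client presents a certificate that fails verification (expired, revoked, or not issued by a CA in ca-file) unless that verify error ID is listed in `crt-ignore-err` or `ca-ignore-err`. An ACL on `ssl_c_verify 10` (OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED) can therefore only ever match when error 10 is ignored on the bind line; otherwise such a connection never reaches the ACLs and appears in the log only as "SSL handshake failure".

```haproxy
# Added example, not the configuration generated by the pfSense HAProxy package.
# Backend names, the second host name and file paths are assumed from the post.
frontend FE_ssl_offload
    mode http
    # verify optional: request a certificate from every client but do not require one,
    # so hosts other than www.mydomain.net stay reachable without a client certificate.
    # crt-ignore-err 10 (assumed): let an expired client certificate (OpenSSL verify
    # error 10, X509_V_ERR_CERT_HAS_EXPIRED) complete the handshake so the ACLs below
    # decide what happens, instead of the bind line aborting the handshake.
    bind {publicIP}:443 name {publicIP}:443 ssl no-sslv3 no-tlsv10 crt /var/etc/haproxy/FE_ssl_offload.pem crt /var/etc/haproxy/FE_ssl_offload ca-file /var/etc/haproxy/clientca_FE_ssl_offload.pem verify optional crl-file /var/etc/haproxy/clientcrl_FE_ssl_offload.pem crt-ignore-err 10

    # TLS is terminated here, so host selection uses the decrypted Host header.
    acl host_mydomain   hdr(host) -i www.mydomain.net

    # Client certificate state after the handshake.
    acl cc_present      ssl_c_used                  # a client certificate was presented
    acl cc_valid        ssl_c_verify 0              # and it verified cleanly (0 = X509_V_OK)
    acl cc_expired      ssl_c_verify 10             # presented but expired (the one error ignored above)
    acl cc_from_myca    ssl_c_i_dn(CN) -m str myCA  # issuer CN of the client certificate

    # Only www.mydomain.net requires a valid, unexpired certificate issued by myCA.
    # ssl_c_verify is 0 when no certificate was sent at all, so test cc_present first.
    # http-request rules run before use_backend regardless of their position in the file.
    http-request deny if host_mydomain !cc_present
    http-request deny if host_mydomain cc_expired
    http-request deny if host_mydomain !cc_valid      # catch-all for any other ignored verify error
    http-request deny if host_mydomain !cc_from_myca

    use_backend BEmydomain if host_mydomain
    use_backend BEother    if { hdr(host) -i other.mydomain.net }   # assumed second site, no client cert needed
    default_backend BEother
```

Check the syntax with `haproxy -c -f /var/etc/haproxy/haproxy.cfg`, then test from a client with `openssl s_client -connect {publicIP}:443 -servername www.mydomain.net -cert client.crt -key client.key` (file names assumed). Its output contains an "Acceptable client certificate CA names" block listing the CAs the server advertised in its certificate request; if myCA is not in that list, ca-file does not contain the issuing CA and the client will not send its certificate at all. A certificate whose issuer is not in ca-file fails verification, which with `verify optional` shows up as the same "SSL handshake failure" log line rather than as an ACL rejection.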