I've been stuck for a few days and hope the forums will help!
I'm running HAProxy. When I don't enable Client Certificate Auth on the HAProxy Public Service, everything works well. When I enable it, I get ERR_BAD_SSL_CLIENT_AUTH_CERT even though I have a valid client cert installed.
My setup:
I've created a root CA, an intermediate CA, and a couple of client certs (signed with the intermediate) on OPNsense.
I have a basic nginx VM running with a cert signed with my intermediate. I have installed the intermediate cert and a client cert on my Android phone.
When I try to connect with Chrome, I get asked to select a client cert, then it gives me the error message. It's like HAProxy doesn't check the CAs I selected. (Please see attached pic.)
Here is what part of my HAProxy config file looks like:
# Frontend: homeproxy_frontend (homeproxy_frontend)
frontend homeproxy_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl ca-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.calist verify required crl-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.crllist crt-list /tmp/haproxy/ssl/6487e7ccd48e14.01589139.certlist
    mode http
    option http-keep-alive
    default_backend homeproxy_backend
    # logging options

# Backend: homeproxy_backend (homeproxy_backend)
backend homeproxy_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server homeproxy-server homeproxy.example.com ssl sni str(homeproxy.example.com) verify required ca-file /tmp/haproxy/ssl/64838ae1e21fe5.61086700.calist
I'm stumped as to why HAProxy doesn't like client cert auth. Anyone have any suggestions?
Thanks!
Just an update. I think I found the issue, but there's another problem.
When I go to the Services: HAProxy: Maintenance: SSL Certificates tab, I don't see any certs there. The table is empty and it says "No Results Found!". I've stopped and started the HAProxy service from the dashboard, restarted it, and I've rebooted OPNsense. I can't seem to get the certs loaded on this page. I've enabled the cron job to sync SSL certs and nothing happened after the scheduled time.
Also, the two buttons for:
Show diff: Show difference between configured SSL certificates and SSL certificates from the running HAProxy service.
Apply changes: Apply all changes by syncing all shown SSL certificates into running HAProxy service.
When I click them, nothing happens.
Finally got it working.
In the Public Service, under Client Certificate Auth, I have it Enabled.
Verification: required
Certificate Authorities: I chose my intermediate CA in OPNsense
Certificate Revocation Lists: Nothing selected (Leave blank)
Just by changing the Revocation list to Nothing, it works!
I don't know what is going on since I don't have any revoked certs in the CRL.
But I did notice that in OPNsense System -> Trust -> Revocation that particular CRL says No under In Use.
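Added example, not part of the thread above and not OPNsense or HAProxy code. The symptom in the thread (client auth works with the CRL list left blank, breaks as soon as a CRL is selected, even though nothing is revoked) is what you get when HAProxy's crl-file contains a CRL for some but not all of the CAs in the chain: once crl-file is set, HAProxy asks OpenSSL to check a CRL for every certificate in the chain (the -crl_check_all behaviour below), so a CRL issued by the intermediate alone is not enough, the root needs one too. The thread itself never confirms that this was the cause, so treat it as a plausible explanation to check, not a diagnosis. The script below builds the same PKI shape offline (root -> intermediate -> client cert, all names made up) and reproduces the four cases with plain openssl; it only needs the openssl binary.

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate CA -> client cert, then CRL checks
# the way HAProxy's crl-file applies them. Nothing here is from OPNsense/HAProxy.
set -eu

# Minimal "openssl ca" config used only for CRL work, one per CA so each CA
# keeps its own index of revoked serials. Prints the config path.
ca_cnf() {                       # ca_cnf DIR NAME
  d=$1; n=$2
  if [ ! -f "$d/$n.cnf" ]; then
    : > "$d/$n.idx"              # empty index = nothing revoked yet
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s/%s.idx\ndefault_md = sha256\ndefault_crl_days = 30\n' \
      "$d" "$n" > "$d/$n.cnf"
  fi
  printf '%s\n' "$d/$n.cnf"
}

gen_crl() {                      # gen_crl DIR NAME -> DIR/NAME.crl signed by that CA
  d=$1; n=$2
  openssl ca -config "$(ca_cnf "$d" "$n")" -gencrl -crldays 30 \
    -keyfile "$d/$n.key" -cert "$d/$n.crt" -out "$d/$n.crl" 2>/dev/null
}

setup_pki() {                    # setup_pki DIR
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\n' > "$d/client.ext"
  for n in root inter client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=demo $n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  # What HAProxy's ca-file has to hold: the full chain the client cert validates against.
  cat "$d/root.crt" "$d/inter.crt" > "$d/calist.pem"
  # Empty CRLs from BOTH CAs; crllist.pem is the shape a working crl-file needs.
  gen_crl "$d" root
  gen_crl "$d" inter
  cat "$d/root.crl" "$d/inter.crl" > "$d/crllist.pem"
}

# verify_client DIR MODE [CRLFILE]; MODE: none | leaf (-crl_check) | all (-crl_check_all,
# which is what HAProxy applies once crl-file is set). Returns 0 on "OK".
verify_client() {
  d=$1; mode=$2; crl=${3:-}
  set -- -CAfile "$d/calist.pem"
  case $mode in
    leaf) set -- "$@" -crl_check ;;
    all)  set -- "$@" -crl_check_all ;;
  esac
  if [ -n "$crl" ]; then set -- "$@" -CRLfile "$crl"; fi
  out=$(openssl verify "$@" "$d/client.crt" 2>&1) || true
  case $out in
    *": OK"*) return 0 ;;
    *) printf '%s\n' "$out" | sed -n '/depth lookup/{p;q;}'; return 1 ;;
  esac
}

revoke_client() {                # revoke at the intermediate and reissue its CRL
  d=$1
  openssl ca -config "$(ca_cnf "$d" inter)" -keyfile "$d/inter.key" \
    -cert "$d/inter.crt" -revoke "$d/client.crt" 2>/dev/null
  gen_crl "$d" inter
  cat "$d/root.crl" "$d/inter.crl" > "$d/crllist.pem"
}

main() {
  D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
  setup_pki "$D"
  verify_client "$D" none                 && echo "1. no CRL checking (CRL list left blank): OK"
  verify_client "$D" all "$D/inter.crl"   || echo "2. crl_check_all, CRL from the intermediate only: FAILS"
  verify_client "$D" all "$D/crllist.pem" && echo "3. crl_check_all, CRL from root AND intermediate: OK"
  revoke_client "$D"
  verify_client "$D" all "$D/crllist.pem" || echo "4. same list after revoking the client cert: FAILS (as it should)"
}
main "$@"
```

Case 2 is the one to compare with the thread: the failure line openssl prints there is "unable to get certificate CRL", and it is raised for the CA that has no CRL in the list, not for the client cert. If the OPNsense-generated crllist has the same gap, the fix that keeps revocation working is to select a CRL for every CA in the chain (root included), rather than leaving the list blank.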