General Discussion / [Solved] HAproxy Client Certificate Auth not working as expected
« on: June 13, 2023, 06:50:01 am »
Been stuck for a few days and hope the forums will help!
I'm running HAproxy. When I don't enable the Client Certificate Auth on the HAproxy Public Service, everything works well. When I enable it, I get ERR_BAD_SSL_CLIENT_AUTH_CERT even though I have a valid client cert installed.
My setup:
I've created a root CA, intermediate CA, and a couple client certs (signed with the intermediate) on OPNsense.
I have a basic nginx vm running with a cert signed with my intermediate. I have installed the intermediate cert and a client cert on my Android phone.
When I try and connect with Chrome, I get asked to select a client cert, then it gives me the error message. It's like HAproxy doesn't check the CAs I selected. (please see attached pic.)
Here is what part of my HAproxy config file looks like:
Code:

    # Frontend: homeproxy_frontend (homeproxy_frontend)
    frontend homeproxy_frontend
        bind 0.0.0.0:443 name 0.0.0.0:443 ssl ca-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.calist verify required crl-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.crllist crt-list /tmp/haproxy/ssl/6487e7ccd48e14.01589139.certlist
        mode http
        option http-keep-alive
        default_backend homeproxy_backend
        # logging options

    # Backend: homeproxy_backend (homeproxy_backend)
    backend homeproxy_backend
        # health checking is DISABLED
        mode http
        balance source
        # stickiness
        stick-table type ip size 50k expire 30m
        stick on src
        http-reuse safe
        server homeproxy-server homeproxy.example.com ssl sni str(homeproxy.example.com) verify required ca-file /tmp/haproxy/ssl/64838ae1e21fe5.61086700.calist
I'm stumped as to why HAproxy doesn't like client cert auth. Anyone have any suggestions?
Thanks!
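
Added example, not part of the original post and not OPNsense or HAProxy project code: a shell check that tests a client certificate against a CA list and a CRL list of the kind the `bind` line references, exercised on a constructed root -> intermediate -> client PKI. It assumes `openssl verify -crl_check_all` approximates the check HAProxy performs; `check_client_cert`, `make_demo_pki` and every file name in it are hypothetical.

```sh
#!/bin/sh
# check_client_cert CLIENT_PEM CA_LIST [CRL_LIST] -> exit status 0 if it verifies.
# Assumption: `openssl verify -crl_check_all` approximates what the bind line's
# `ca-file ... verify required crl-file ...` asks HAProxy to enforce.
check_client_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -CRLfile "$3" -crl_check_all "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Constructed throwaway PKI shaped like the post: root -> intermediate -> client,
# with one empty CRL per CA. Every name and file below is hypothetical.
make_demo_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = req
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj '/CN=Demo Root CA' -keyout root.key -out root.pem || exit 1
    for n in int client; do
        openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=Demo $n" -keyout "$n.key" -out "$n.csr" || exit 1
    done
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile demo.cnf -extensions v3_ca -days 2 -out int.pem || exit 1
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out client.pem || exit 1
    for n in root int; do
        openssl ca -gencrl -config demo.cnf -cert "$n.pem" -keyfile "$n.key" \
            -out "$n.crl" || exit 1
    done
    cat root.pem int.pem > both.calist     # both CAs, like the selected CA list
    cat root.crl int.crl > both.crllist    # one CRL per CA in the chain
) >/dev/null 2>&1
```

On the firewall, the same function can be pointed at the exported client certificate and the `.calist` and `.crllist` files named on the `bind` line. In the constructed PKI, the certificate verifies with both CAs and both CRLs present, and fails when the CA list holds only the intermediate or the CRL list lacks the root's CRL.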