High availability / HAProxy 4.3 Broken with Cloudflare Origin Cert and OCSP Automatic Update
« on: February 07, 2024, 06:57:58 pm »
I updated my OPNsense firmware yesterday to 24.1.1 and according to the changelog, that included an update to HAProxy, version 4.3 (2.8.5-aaba8d0). I didn't reboot until this morning and I noticed my HAProxy service was stopped. I tried restarting it to no avail so I went to settings and checked the syntax where I got the following error...
```
[NOTICE] (62651) : haproxy version is 2.8.5-aaba8d0
[NOTICE] (62651) : path to executable is /usr/local/sbin/haproxy
[ALERT] (62651) : config : parsing [/usr/local/etc/haproxy.conf.staging:73] : 'bind 127.4.4.3:443' in section 'frontend' : 'crt-list' : error processing line 1 in file '/tmp/haproxy/ssl/659dc76096fe83.76462299.certlist' : '/tmp/haproxy/ssl/65c3b55f42923.pem' has an OCSP URI and OCSP auto-update is set to 'on' but an error occurred (maybe the issuer could not be found)'.
[ALERT] (62651) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (62651) : config : Fatal errors found in configuration.
```
I googled and found the following issue on the HAProxy Github...
https://github.com/haproxy/haproxy/issues/2432
The issue being described in here is with regards to HAProxy producing this error message when evaluating a self-signed certificate with no URI declared in the pem file. This isn't my exact case as the Cloudflare origin cert I'm using does have a URI defined...
```
root@OPNsense:~ # openssl x509 -noout -text -in /tmp/haproxy/ssl/65c3b55f42923.pem | grep URI
OCSP - URI:http://ocsp.cloudflare.com/origin_ecc_ca
URI:http://crl.cloudflare.com/origin_ecc_ca.crl
```
The workaround is to disable 'Automatic OCSP updates' under Settings > Global Parameters > SSL settings. This allows me to use my Cloudflare Origin cert and keep the SSL/TLS encryption mode in Cloudflare to Full(Strict).
I can also keep 'Automatic OCSP updates' turned on, use any self-signed certificate for the HTTPS frontend public service, and dial back my SSL/TLS encryption mode in Cloudflare to Full(Not Strict).
Is anyone else experiencing this issue?
Also, side note...
I followed the amazing guide by TheHellSite...
https://forum.opnsense.org/index.php?topic=23339.0
Looks like it was recently updated to state, "OCSP updates are now built into HAProxy. No external Cron job is necessary anymore." AND it instructs you to add 'strict-sni' to the SSL Offloading section on your https frontend. This breaks my websites. Why?
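As an added example (not code from the post, OPNsense or HAProxy), here is a small pre-flight check that reproduces what the "has an OCSP URI ... but an error occurred (maybe the issuer could not be found)" alert is really testing: the leaf has an OCSP URI, so HAProxy must also be able to find the issuer certificate, either bundled in the same PEM or in a `<cert>.issuer` side file. It assumes `openssl` is on PATH; all file names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the post, OPNsense or HAProxy.
# Pre-flight check for a PEM before enabling HAProxy's OCSP auto-update:
#   1. does the leaf certificate carry an OCSP URI (AIA extension)?
#   2. can the issuer be found, either as the 2nd certificate inside the
#      same PEM or in a side file named "<cert>.issuer" (HAProxy convention)?
#   3. does that issuer's subject actually match the leaf's issuer DN?
# Prints exactly one of: no-ocsp-uri | issuer-missing | issuer-mismatch | ok
# Assumes: openssl on PATH; file names used here are assumptions.

# Print the subject (-subject) or issuer (-issuer) DN of the first certificate
# on stdin in RFC 2253 form, with the "subject="/"issuer=" label stripped.
dn_of() {
  openssl x509 -noout "$1" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

check_ocsp_ready() {
  pem="$1"
  uri=$(openssl x509 -in "$pem" -noout -ocsp_uri 2>/dev/null)
  # A self-signed cert with no AIA extension is simply skipped by the updater.
  if [ -z "$uri" ]; then echo "no-ocsp-uri"; return 0; fi
  want=$(dn_of -issuer < "$pem")
  if [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -gt 1 ]; then
    # Chain bundled in the PEM: everything from the 2nd BEGIN line onward
    # (openssl x509 reads only the first certificate it is given).
    have=$(awk '/BEGIN CERTIFICATE/{n++} n>=2' "$pem" | dn_of -subject)
  elif [ -f "$pem.issuer" ]; then
    have=$(dn_of -subject < "$pem.issuer")
  else
    # The post's situation: OCSP URI present, but no issuer anywhere.
    echo "issuer-missing"; return 0
  fi
  if [ "$have" = "$want" ]; then echo "ok"; else echo "issuer-mismatch"; fi
}

# Usage: ./check_ocsp_ready.sh /path/to/cert.pem
if [ "$#" -ge 1 ]; then check_ocsp_ready "$1"; fi
```

Running it against the PEM named in the alert tells you which of the two conditions is failing before you toggle 'Automatic OCSP updates' off; a leaf-only PEM with an OCSP URI reports `issuer-missing`, which is exactly the state the config check refuses.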