24.1 breaks HAProxy Let's Encrypt setup

Started by mgrunwald, January 30, 2024, 05:11:05 PM

January 30, 2024, 05:11:05 PM Last Edit: January 30, 2024, 06:37:41 PM by mgrunwald
The update from 23.7.12_5 to 24.1 breaks my HAProxy Let's Encrypt setup. I have multiple wildcard certificates in the ACME client and I use a CloudFlare DNS challenge. After the update the first certificate in the list is used for every connection and I get a NET::ERR_CERT_COMMON_NAME_INVALID error. Before the upgrade when I made a connection to a domain that was not covered by the first cert, the correct one was used. What is going on?

edit: after some troubleshooting I think I identified the problem and created a GitHub issue: https://github.com/opnsense/plugins/issues/3779

Happens with my HAProxy installation as well. Only the top cert in the list is getting used.

I have the same problem.

For those who want HAProxy running again before a fix is issued:

1) locate the *.certlist file in /tmp/haproxy/ssl
2) in that file remove every ocsp suffix, leaving just the file on each row, and save
3) via SSH, run:
killall haproxy
/usr/local/sbin/haproxy -q -f /usr/local/etc/haproxy.conf -p /var/run/haproxy.pid

HAProxy should be running fine.

This is not a final solution, and any restart or save via the GUI will overwrite it.
It is just an emergency solution to keep HAProxy running.

After studying the source code, an even more elegant solution is Settings->Global parameters->Automatic OCSP updates -> OFF
APPLY
STILL A TEMPORARY FIX - OCSP certificates not working in Firefox, but better than nothing :)
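The manual edit described in steps 1 and 2 above, as an added shell example that is not part of this thread or of the os-haproxy plugin. It assumes the crt-list format HAProxy documents (one certificate path per line, optionally followed by bind options such as an OCSP setting) and strips everything after the path; the exact suffix the plugin writes is not shown in the thread, so a constructed sample is used. The haproxy restart from step 3 is left as a comment rather than executed.

```sh
#!/bin/sh
# Added example: rewrite an HAProxy crt-list (*.certlist) so that each row
# keeps only the certificate path, dropping any per-line options such as an
# OCSP suffix. Line format assumed: "<cert path> [options...]".
# Paths containing whitespace are not supported by this simple field split.

# Return 0 if any non-empty line in the crt-list carries options after the path.
certlist_has_options() {
    awk 'NF > 1 { found = 1 } END { exit !found }' "$1"
}

# Rewrite the crt-list in place, keeping a .bak copy of the original.
strip_certlist_options() {
    f="$1"
    cp "$f" "$f.bak"
    # keep the first whitespace-delimited field (the path), drop blank lines
    awk 'NF { print $1 }' "$f.bak" > "$f"
}

# Demo on a constructed sample file (not a real OPNsense certlist).
demo() {
    d=$(mktemp -d)
    cat > "$d/frontend.certlist" <<'EOF'
/tmp/haproxy/ssl/example.com.pem [ocsp-update on]
/tmp/haproxy/ssl/other.example.pem [ocsp-update on]
EOF
    echo "before:"; cat "$d/frontend.certlist"
    strip_certlist_options "$d/frontend.certlist"
    echo "after:";  cat "$d/frontend.certlist"
    rm -rf "$d"
    # On a real box the thread's step 3 would follow:
    #   killall haproxy
    #   /usr/local/sbin/haproxy -q -f /usr/local/etc/haproxy.conf -p /var/run/haproxy.pid
}

# Run with: sh this_script.sh demo
[ "${1:-}" = "demo" ] && demo
```

As the post itself warns, the plugin regenerates these files on every save or restart from the GUI, so a rewrite like this only survives until the next reconfiguration.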


February 04, 2024, 05:41:33 PM #5 Last Edit: February 04, 2024, 06:29:27 PM by blacksteel1288
I was experiencing this issue, and the hotfix seems to have addressed it, but I now see another problem related to it.

I'm now seeing a duplicate certificate for one domain in the HAProxy Public Service Certificates, even though there is only 1 certificate for that domain in the ACME plugin list. 

I've re-run the automation from the ACME service several times, but I'm still seeing two certificates in HAProxy when there should be only one.  Since the name is the same for both, I don't know which is correct.

Quote from: blacksteel1288 on February 04, 2024, 05:41:33 PM
I'm now seeing a duplicate certificate for one domain in the HAProxy Public Service Certificates, even though there is only 1 certificate for that domain in the ACME plugin list. 

os-haproxy displays all certificates from System->Trust->Certificates. You need to check this page to get more details about the duplicate certificate.

Besides that os-acme-client will also log a message if a certificate is imported into System->Trust->Certificates, so you should be able to trace this.

Thanks, yes, that's what I needed. There was an old, expired certificate in the list for some reason. I deleted it and now the list in HAProxy looks fine.

I hadn't realized that was where the certificate list lived!

Thank you!

Hello to all,
The issue also occurs with my configuration. I have checked all the specified actions. Unfortunately, there was no success.
HAProxy version 4.3 is installed.
Please kindly help me to fix this issue.
Thanks & best regards
Mathi

February 17, 2024, 06:17:01 PM #9 Last Edit: February 17, 2024, 06:19:47 PM by meyergru
See this and look at the last entry in the changelog here - the tutorial has been revised for 24.1, you have to set "strict-sni" now.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+