OPNsense
  • OPNsense Forum »
  • English Forums »
  • Web Proxy Filtering and Caching (Moderator: fabian) »
  • 24.1 breaks HAProxy Let's Encrypt setup
Author Topic: 24.1 breaks HAProxy Let's Encrypt setup  (Read 3317 times)

mgrunwald

  • Newbie
  • Posts: 4
  • Karma: 3
24.1 breaks HAProxy Let's Encrypt setup
« on: January 30, 2024, 05:11:05 pm »
The update from 23.7.12_5 to 24.1 breaks my HAProxy Let's Encrypt setup. I have multiple wildcard certificates in the ACME client and I use a CloudFlare DNS challenge. After the update the first certificate in the list is used for every connection and I get a NET::ERR_CERT_COMMON_NAME_INVALID error. Before the upgrade when I made a connection to a domain that was not covered by the first cert, the correct one was used. What is going on?

edit: after some troubleshooting I think I identified the problem and created a GitHub issue: https://github.com/opnsense/plugins/issues/3779
« Last Edit: January 30, 2024, 06:37:41 pm by mgrunwald »

Benerages

  • Newbie
  • Posts: 3
  • Karma: 1
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #1 on: January 30, 2024, 07:30:45 pm »
Happens with my HAProxy installation as well. Only the top cert in the list is getting used.

mnaim

  • Jr. Member
  • Posts: 55
  • Karma: 5
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #2 on: January 30, 2024, 09:06:39 pm »
I have the same problem.

For those who want HAProxy running again before a fix is issued:

1) locate the *.certlist file in /tmp/haproxy/ssl
2) in that file remove the OCSP suffix from every row, leaving just the file on each row, and save
3) via SSH:
killall haproxy
/usr/local/sbin/haproxy -q -f /usr/local/etc/haproxy.conf -p /var/run/haproxy.pid

HAProxy should be running fine.

This is not a final solution, and any restart or save via the GUI will overwrite it.
It is just an emergency solution to keep HAProxy running.
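Step 2 of the workaround above, done as a script rather than by hand, as an added example that is not code from the post or from the OPNsense plugin. It assumes (the post does not show it) that each certlist row looks like `/tmp/haproxy/ssl/<id>.pem [ocsp-update on]`, so "just the file" means the first whitespace-separated field; the sample rows and their ids are constructed. The rewrite keeps a `.bak` copy and refuses to finish if anything other than a bare path survives, so a row in an unexpected format is noticed rather than silently fed to HAProxy.

```shell
#!/bin/sh
# Added example, not code from the forum post or the OPNsense plugin.
# Reduces every row of a HAProxy crt-list (*.certlist) to just the certificate
# file, dropping whatever option suffix the plugin appended. Row format assumed
# (not shown in the post):
#   /tmp/haproxy/ssl/<id>.pem [ocsp-update on]
set -eu

# strip_certlist_opts: stdin -> stdout, keep only the first field of each row.
# Blank lines are dropped; HAProxy ignores them anyway.
strip_certlist_opts() {
    awk 'NF { print $1 }'
}

# certlist_has_opts: exit 0 if any row still carries something after the path.
certlist_has_opts() {
    awk 'NF > 1 { found = 1 } END { exit !found }'
}

# fix_certlist_file FILE: rewrite FILE in place, keeping a .bak copy so the
# original (including the option suffix) can be restored.
fix_certlist_file() {
    f="$1"
    cp "$f" "$f.bak"
    strip_certlist_opts < "$f.bak" > "$f"
    # Refuse to continue if anything other than a bare path survived.
    if certlist_has_opts < "$f"; then
        echo "unexpected content left in $f" >&2
        return 1
    fi
}

# Stand-alone demo on a constructed sample (not a real OPNsense file).
demo() {
    tmp="$(mktemp -d)"
    cat > "$tmp/sample.certlist" <<'EOF'
/tmp/haproxy/ssl/61b7c2d8.pem [ocsp-update on]
/tmp/haproxy/ssl/9a0f1e33.pem [ocsp-update on]
/tmp/haproxy/ssl/f4c1a9b0.pem
EOF
    fix_certlist_file "$tmp/sample.certlist"
    cat "$tmp/sample.certlist"
    rm -rf "$tmp"
}

demo
```

Run it against the real file only after the demo output looks right, and validate the result with `/usr/local/sbin/haproxy -c -f /usr/local/etc/haproxy.conf` before the `killall` / restart from step 3, so a broken certlist is caught while the old process is still serving. As the post says, the plugin regenerates this file on the next save or restart.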

mnaim

  • Jr. Member
  • Posts: 55
  • Karma: 5
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #3 on: January 30, 2024, 09:32:47 pm »
After studying the source code, an even more elegant solution is Settings->Global parameters->Automatic OCSP updates -> OFF
APPLY
STILL A TEMPORARY FIX - OCSP certificates not working in Firefox, but better than nothing :)

fraenki

  • Full Member
  • Posts: 175
  • Karma: 29
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #4 on: January 30, 2024, 11:04:20 pm »
A hotfix is available:
https://github.com/opnsense/plugins/issues/3779#issuecomment-1917956814

blacksteel1288

  • Newbie
  • Posts: 20
  • Karma: 0
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #5 on: February 04, 2024, 05:41:33 pm »
I was experiencing this issue, and the hotfix seems to have addressed it, but I now see another problem related to it.

I'm now seeing a duplicate certificate for one domain in the HAProxy Public Service Certificates, even though there is only 1 certificate for that domain in the ACME plugin list. 

I've re-run the automation from the ACME service several times, but I'm still seeing two certificates in HAProxy when there should be only one.  Since the name is the same for both, I don't know which is correct.
« Last Edit: February 04, 2024, 06:29:27 pm by blacksteel1288 »

fraenki

  • Full Member
  • Posts: 175
  • Karma: 29
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #6 on: February 05, 2024, 11:32:33 am »
Quote from: blacksteel1288 on February 04, 2024, 05:41:33 pm
I'm now seeing a duplicate certificate for one domain in the HAProxy Public Service Certificates, even though there is only 1 certificate for that domain in the ACME plugin list. 

os-haproxy displays all certificates from System->Trust->Certificates. You need to check this page to get more details about the duplicate certificate.

Besides that os-acme-client will also log a message if a certificate is imported into System->Trust->Certificates, so you should be able to trace this.

blacksteel1288

  • Newbie
  • Posts: 20
  • Karma: 0
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #7 on: February 06, 2024, 03:43:22 pm »
Thanks, yes, that's what I needed.  There was an old, expired certificate in the list for some reason.  I deleted it and now the list in haproxy looks fine.

I hadn't realized that was where the certificate list lived!

Thank you!

mathy1241

  • Newbie
  • Posts: 2
  • Karma: 0
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #8 on: February 17, 2024, 05:30:21 pm »
Hello to all,
The issue also occurs with my configuration. I have checked all the specified actions. Unfortunately, there was no success.
HA Proxy version 4.3 is installed.
Please kindly help me to fix this issue.
Thanks & best regards
Mathi

meyergru

  • Hero Member
  • Posts: 1757
  • Karma: 171
  • IT Aficionado
Re: 24.1 breaks HAProxy Let's Encrypt setup
« Reply #9 on: February 17, 2024, 06:17:01 pm »
See this and look at the last entry in the changelog here - the tutorial has been revised for 24.1; you have to set "strict-sni" now.
« Last Edit: February 17, 2024, 06:19:47 pm by meyergru »
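A quick way to see whether a generated config already carries the "strict-sni" the revised tutorial calls for, as an added example that is not code from the thread or from the OPNsense plugin. It lists TLS-terminating bind lines (`ssl crt` / `ssl crt-list`) that lack the option and prints the config as it would read with the option appended; the sample config and its certlist id are constructed, and the script assumes one bind per line, which is how HAProxy reads the file anyway.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the OPNsense plugin.
# Checks a HAProxy config for TLS-terminating bind lines ("ssl crt ..." or
# "ssl crt-list ...") that lack "strict-sni", and prints the config with the
# option appended to those lines. Assumes one bind per line.
set -eu

# binds_missing_strict_sni: stdin (haproxy.conf) -> stdout, offending bind lines
# with their indentation removed.
binds_missing_strict_sni() {
    awk '$1 == "bind" && / ssl / && / crt/ && !/ strict-sni/ { sub(/^[ \t]+/, ""); print }'
}

# add_strict_sni: stdin -> stdout, same config with strict-sni added to every
# TLS bind line that does not already have it. Other lines pass through untouched.
add_strict_sni() {
    awk '$1 == "bind" && / ssl / && / crt/ && !/ strict-sni/ { $0 = $0 " strict-sni" } { print }'
}

# Constructed sample (not a real OPNsense-generated file): one bind already
# carries strict-sni, one does not, one is plain HTTP.
SAMPLE_CONF='frontend https_in
    bind 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/61b7c2d8.certlist
    bind :::443 v6only ssl crt-list /tmp/haproxy/ssl/61b7c2d8.certlist strict-sni
    bind 0.0.0.0:80
    mode http'

echo "bind lines without strict-sni:"
printf '%s\n' "$SAMPLE_CONF" | binds_missing_strict_sni
echo "--- with strict-sni added:"
printf '%s\n' "$SAMPLE_CONF" | add_strict_sni
```

Per the HAProxy documentation, `strict-sni` makes the listener reject a handshake whose SNI does not resolve to one of its certificates instead of falling back to the default certificate (the first one in the list), so clients that send no SNI, or a name no certificate covers, get a TLS error rather than a mismatched certificate. On OPNsense, do not hand-edit /usr/local/etc/haproxy.conf with the rewritten output: the plugin regenerates that file on every save, so the option has to be set in the frontend's SSL settings in the GUI (the thread does not name the exact field); the check function is still useful against the generated file to confirm the setting took effect.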
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved