Author Topic: [SOLVED] HAProxy front end SSL certificate limit?  (Read 10112 times)

akron

[SOLVED] HAProxy front end SSL certificate limit?
« on: July 20, 2017, 05:47:52 pm »
Hi guys,

I am hoping someone could help me.

I have HAProxy configured and integrated with Let's Encrypt: 1 front-end on port 443 and several back-ends, ACLs, etc.

However, I just hit the mark of 30 SSLs added to the same front-end, and once I try to add more I receive an error in the config.

Any idea why there is a limit?

Please see the picture attached.

Thanks
« Last Edit: July 25, 2017, 05:58:19 pm by franco »

franco
Re: HAProxy front end SSL certificate limit?
« Reply #1 on: July 21, 2017, 10:30:57 am »
Hi akron,

Notified maintainer.


Cheers,
Franco

akron
Re: HAProxy front end SSL certificate limit?
« Reply #2 on: July 21, 2017, 12:48:38 pm »
> Quote from: franco on July 21, 2017, 10:30:57 am
> Hi akron,
>
> Notified maintainer.
>
> Cheers,
> Franco

Thanks

Any idea why this is happening? I'm open to speculation, don't mind trying to work around it...

Cheers

franco
Re: HAProxy front end SSL certificate limit?
« Reply #3 on: July 21, 2017, 12:51:53 pm »
The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.

It would be in the config file, you can see the line is too long, but I have no idea why.


Cheers,
Franco

akron
Re: HAProxy front end SSL certificate limit?
« Reply #4 on: July 21, 2017, 01:15:32 pm »
> Quote from: franco on July 21, 2017, 12:51:53 pm
> The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.
>
> It would be in the config file, you can see the line is too long, but I have no idea why.
>
> Cheers,
> Franco

Hmm, I see. This only happens when I reach the 30 SSL mark: 29 SSLs are fine, 30 gives the error. I can alternate the SSLs; as long as I don't go over 30, everything works perfectly.

It would be a shame if there is no fix, this is such a great box, OPNsense...

Cheers
« Last Edit: July 21, 2017, 01:19:14 pm by akron »

franco
Re: HAProxy front end SSL certificate limit?
« Reply #5 on: July 21, 2017, 02:17:29 pm »
But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)


Thanks,
Franco

akron
Re: HAProxy front end SSL certificate limit?
« Reply #6 on: July 21, 2017, 02:43:46 pm »
> Quote from: franco on July 21, 2017, 02:17:29 pm
> But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)
>
> Thanks,
> Franco

Where is the config file location?
« Last Edit: July 21, 2017, 03:07:30 pm by akron »

franco
Re: HAProxy front end SSL certificate limit?
« Reply #7 on: July 21, 2017, 03:09:46 pm »
There are two paths in your screenshot, one for a .conf file and one for a .pem file.

akron
Re: HAProxy front end SSL certificate limit?
« Reply #8 on: July 21, 2017, 03:46:26 pm »
> Quote from: franco on July 21, 2017, 03:09:46 pm
> There are two paths in your screenshot, one for a .conf file and one for a .pem file.

Yes, right  :)

So in line 62 I have:

 bind PUBLIC IP:443 name PUBLIC IP:443 ssl crt /var/etc/haproxy/ssl/4435345346dcdd7a.pem crt /var/etc/haproxy/ssl/345353453534.pem crt /var/etc/haproxy/ssl/59294353454353572.pem crt /var/etc/haproxy/ssl/54354353453d.pem crt /var/etc/haproxy/ssl/3452342456.pem

and goes forever on that line until the last certificate.

is there any way to split that line into 63 and 64 so HAproxy can read it correctly ?
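
A pre-flight check for the failure discussed in this thread (one `bind` line carrying every `crt` path until the parser's line read fails), added here as an example; it is not part of any post or of the OPNsense plugin. The 2048-character default limit, the function names and the sample paths are assumptions: set the limit to match your HAProxy build.

```shell
#!/bin/sh
# Added example: flag config lines long enough to overflow the parser's line
# buffer and report how many "crt" arguments each one carries.
# LIMIT is an assumption (the thread does not state the buffer size).
LIMIT="${LIMIT:-2048}"

# check_long_lines FILE [LIMIT]
# Prints "line <n>: <len> chars, <k> crt entries" for every line at or over
# the limit. Returns 1 if any such line exists, 0 otherwise.
check_long_lines() {
    awk -v limit="${2:-$LIMIT}" '
        length($0) >= limit {
            crt = 0
            for (i = 1; i <= NF; i++) if ($i == "crt") crt++
            printf "line %d: %d chars, %d crt entries\n", NR, length($0), crt
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# make_sample_conf N
# Emits a constructed two-line config whose bind line carries N crt paths
# (documentation IP and made-up file names, for trying the check offline).
make_sample_conf() {
    printf 'frontend demo\n'
    printf '    bind 192.0.2.10:443 name 192.0.2.10:443 ssl'
    i=1
    while [ "$i" -le "$1" ]; do
        printf ' crt /var/etc/haproxy/ssl/constructed-%04d.pem' "$i"
        i=$((i + 1))
    done
    printf '\n'
}

# Usage: sh this-script.sh <generated haproxy config file>
if [ -n "${1:-}" ]; then
    check_long_lines "$1"
fi
```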

franco
Re: HAProxy front end SSL certificate limit?
« Reply #9 on: July 21, 2017, 05:34:36 pm »
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

akron
Re: HAProxy front end SSL certificate limit?
« Reply #10 on: July 21, 2017, 06:02:44 pm »
> Quote from: franco on July 21, 2017, 05:34:36 pm
> Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe
>
> From the root shell it installs via:
>
> # opnsense-patch -c plugins bd96fcfe
>
> After that, apply the configuration again.
>
> If it doesn't work, run the patch command again to remove the patch.
>
> Cheers,
> Franco

Thanks, but it killed it  ;D

Reverted back...

I have some SSL enforced settings on the global config... not sure if I should take it back and then apply the patch again
« Last Edit: July 21, 2017, 06:06:46 pm by akron »

akron
Re: HAProxy front end SSL certificate limit?
« Reply #11 on: July 24, 2017, 04:35:40 pm »
> Quote from: akron on July 21, 2017, 06:02:44 pm
>> Quote from: franco on July 21, 2017, 05:34:36 pm
>> Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe
>>
>> From the root shell it installs via:
>>
>> # opnsense-patch -c plugins bd96fcfe
>>
>> After that, apply the configuration again.
>>
>> If it doesn't work, run the patch command again to remove the patch.
>>
>> Cheers,
>> Franco
>
> Thanks, but it killed it  ;D
>
> Reverted back...
>
> I have some SSL enforced settings on the global config... not sure if I should take it back and then apply the patch again

Hi Franco,

Any other workaround worth trying?

Cheers

franco
Re: HAProxy front end SSL certificate limit?
« Reply #12 on: July 24, 2017, 06:44:08 pm »
Hi akron,

Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.

New try with *two* characters, instead of one:

https://github.com/opnsense/plugins/commit/00151b8

# opnsense-patch 00151b8


Cheers,
Franco

akron
Re: HAProxy front end SSL certificate limit?
« Reply #13 on: July 24, 2017, 10:03:22 pm »
> Quote from: franco on July 24, 2017, 06:44:08 pm
> Hi akron,
>
> Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.
>
> New try with *two* characters, instead of one:
>
> https://github.com/opnsense/plugins/commit/00151b8
>
> # opnsense-patch 00151b8
>
> Cheers,
> Franco

Thanks Franco, however it says "fetch: https://github.com/opnsense/core/commit/00151b8.patch: Not Found"  :D

I will apply this once the link is working and let you know the result.

Cheers


franco
Re: HAProxy front end SSL certificate limit?
« Reply #14 on: July 24, 2017, 10:11:01 pm »
# opnsense-patch -c plugins 00151b8

This is better...