[SOLVED] HAProxy front end SSL certificate limit?

[akron]

Hi guys,

I am hoping someone could help me.

I have HA proxy configured and integrated with Lets Encrypt, 1 Front-end on port 443 and several back-ends, ACLs etc

However I just hit the mark of 30 SSLs added to the same front-end and once I try to add more I receive a error in config

any idea why there is a limit ?

Please see the picture attached.

Thanks

[franco]

Hi akron,

Notified maintainer.


Cheers,
Franco

[akron]

Hi akron,

Notified maintainer.


Cheers,
Franco

Thanks

any idea why is this happening? I'm open to speculation dont mind to try work around it...

Cheers

[franco]

The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.

It would be in the config file, you can see the line is too long, but I have no idea why.


Cheers,
Franco

[akron]

The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.

It would be in the config file, you can see the line is too long, but I have no idea why.


Cheers,
Franco

Humm I see, this only happens when I reach the 30 ssl mark, 29 ssls are fine, 30 gives the error. I can alternate the SSLs as long as i dont go over 30 everything works perfectly.

it would be a shame if there is no fix, this is such a great box OPNsense..

Cheers

[franco]

But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs.


Thanks,
Franco

[akron]

But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs.


Thanks,
Franco

Where is the config file location ?

[franco]

There are two paths in your screenshot, one for a .conf file and one for a .pem file.

[akron]

There are two paths in your screenshot, one for a .conf file and one for a .pem file.

Yes right 

so in the line 62 i have:

 bind PUBLIC IP:443 name PUBLIC IP:443 ssl crt /var/etc/haproxy/ssl/4435345346dcdd7a.pem crt /var/etc/haproxy/ssl/345353453534.pem crt /var/etc/haproxy/ssl/59294353454353572.pem crt /var/etc/haproxy/ssl/54354353453d.pem crt /var/etc/haproxy/ssl/3452342456.pem

and goes forever on that line until the last certificate.

is there any way to split that line into 63 and 64 so HAproxy can read it correctly ?

[franco]

Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

[akron]

Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

Thanks but it killed it 

reverted back...

I have some ssl enforced settings on the global config... not sure if i should take it back and then apply the patch again

[akron]

Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

Thanks but it killed it 

reverted back...

I have some ssl enforced settings on the global config... not sure if i should take it back and then apply the patch again

Hi Franco,

Any other work around worth trying ?

Cheers

[franco]

Hi akron,

Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.

New try with *two* characters, instead of one:

https://github.com/opnsense/plugins/commit/00151b8

# opnsense-patch 00151b8


Cheers,
Franco

[akron]

Hi akron,

Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.

New try with *two* characters, instead of one:

https://github.com/opnsense/plugins/commit/00151b8

# opnsense-patch 00151b8


Cheers,
Franco

Thanks Franco however it says "fetch: https://github.com/opnsense/core/commit/00151b8.patch: Not Found
" 

I will apply this once the link its working and let you know the result.

Cheers

[franco]

# opnsense-patch -c plugins 00151b8

This is better...