[SOLVED] HAProxy front end SSL certificate limit?

Started by akron, July 20, 2017, 05:47:52 PM

July 20, 2017, 05:47:52 PM Last Edit: July 25, 2017, 05:58:19 PM by franco
Hi guys,

I am hoping someone could help me.

I have HAProxy configured and integrated with Let's Encrypt: 1 front-end on port 443 and several back-ends, ACLs, etc.

However, I just hit the mark of 30 SSLs added to the same front-end, and once I try to add more I receive an error in the config.

Any idea why there is a limit?

Please see the picture attached.

Thanks

Hi akron,

Notified maintainer.


Cheers,
Franco

Quote from: franco on July 21, 2017, 10:30:57 AM
Hi akron,

Notified maintainer.


Cheers,
Franco

Thanks

Any idea why this is happening? I'm open to speculation, and don't mind trying to work around it...

Cheers

The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.

It would be in the config file; you can see the line is too long, but I have no idea why.


Cheers,
Franco

July 21, 2017, 01:15:32 PM #4 Last Edit: July 21, 2017, 01:19:14 PM by akron
Quote from: franco on July 21, 2017, 12:51:53 PM
The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.

It would be in the config file; you can see the line is too long, but I have no idea why.


Cheers,
Franco

Hmm, I see. This only happens when I reach the 30 SSL mark: 29 SSLs are fine, 30 gives the error. I can alternate the SSLs; as long as I don't go over 30, everything works perfectly.

It would be a shame if there is no fix; this is such a great box, OPNsense...

Cheers

But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)


Thanks,
Franco

July 21, 2017, 02:43:46 PM #6 Last Edit: July 21, 2017, 03:07:30 PM by akron
Quote from: franco on July 21, 2017, 02:17:29 PM
But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)


Thanks,
Franco

Where is the config file location?

There are two paths in your screenshot, one for a .conf file and one for a .pem file.

Quote from: franco on July 21, 2017, 03:09:46 PM
There are two paths in your screenshot, one for a .conf file and one for a .pem file.

Yes, right :)

So in line 62 I have:

bind PUBLIC IP:443 name PUBLIC IP:443 ssl crt /var/etc/haproxy/ssl/4435345346dcdd7a.pem crt /var/etc/haproxy/ssl/345353453534.pem crt /var/etc/haproxy/ssl/59294353454353572.pem crt /var/etc/haproxy/ssl/54354353453d.pem crt /var/etc/haproxy/ssl/3452342456.pem

And it goes on forever on that line until the last certificate.

Is there any way to split that line into lines 63 and 64 so HAProxy can read it correctly?

Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

July 21, 2017, 06:02:44 PM #10 Last Edit: July 21, 2017, 06:06:46 PM by akron
Quote from: franco on July 21, 2017, 05:34:36 PM
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

Thanks, but it killed it ;D

Reverted back...

I have some SSL enforced settings in the global config... not sure if I should take them back and then apply the patch again.

Quote from: akron on July 21, 2017, 06:02:44 PM
Quote from: franco on July 21, 2017, 05:34:36 PM
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe

From the root shell it installs via:

# opnsense-patch -c plugins bd96fcfe

After that, apply the configuration again.

If it doesn't work, run the patch command again to remove the patch.


Cheers,
Franco

Thanks, but it killed it ;D

Reverted back...

I have some SSL enforced settings in the global config... not sure if I should take them back and then apply the patch again.

Hi Franco,

Any other workaround worth trying?

Cheers

Hi akron,

Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.

New try with *two* characters, instead of one:

https://github.com/opnsense/plugins/commit/00151b8

# opnsense-patch 00151b8


Cheers,
Franco
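The diagnosis in this thread, worked through in code as an added example (this is not the OPNsense plugin's template code and not anything posted by the participants): the generated `bind` directive puts every `crt` entry on one physical line, so enough certificates overflow the parser's fixed line buffer; ending each element with a backslash followed by a newline keeps one certificate per physical line while HAProxy still reads the whole thing as one directive. The address `203.0.113.10:443` and the 40 certificate file names are constructed, and the 2048-byte `LINE_LIMIT` used for the check is an assumption, not a value taken from the thread.

```python
"""Added example (not OPNsense plugin code, not from the thread): render an
HAProxy `bind ... ssl crt ...` directive with one certificate per physical
line via backslash line continuation, and check a rendered config for
physical lines that would not fit in a fixed-size line buffer."""

import hashlib
from typing import List

# Assumed limit for the check. HAProxy reads each config line into a
# fixed-size buffer; 2048 is an illustrative assumption, not a thread value.
LINE_LIMIT = 2048

# Constructed sample input: a documentation address and 40 made-up
# certificate file names in the directory layout the thread shows.
SAMPLE_ADDRESS = "203.0.113.10:443"
SAMPLE_CERTS = [
    "/var/etc/haproxy/ssl/%s.pem"
    % hashlib.sha256(("sample-cert-%d" % i).encode()).hexdigest()[:32]
    for i in range(40)
]


def render_bind_line(address: str, certs: List[str], one_line: bool = False) -> str:
    """Return the frontend bind directive for `address` carrying all `certs`.

    one_line=True reproduces the shape from the thread (every `crt` on one
    physical line). The default emits a backslash plus newline after each
    element, the two characters the thread's fix adds, so every certificate
    sits on its own physical line inside a single logical directive.
    """
    head = "    bind %s name %s ssl" % (address, address)
    parts = [head] + ["crt %s" % path for path in certs]
    if one_line:
        return " ".join(parts) + "\n"
    return " \\\n        ".join(parts) + "\n"


def overlong_lines(config_text: str, limit: int = LINE_LIMIT) -> List[int]:
    """1-based numbers of physical lines that would not fit in a `limit`-byte
    line buffer (newline counted, as the parser reads it)."""
    return [
        number
        for number, line in enumerate(config_text.splitlines(keepends=True), start=1)
        if len(line.encode()) >= limit
    ]


def logical_lines(config_text: str) -> List[str]:
    """Join backslash-continued physical lines into logical ones with
    normalised whitespace, so the split form can be compared with the
    single-line form token for token."""
    joined: List[str] = []
    pending: List[str] = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].strip())
            continue
        pending.append(stripped)
        joined.append(" ".join(piece for piece in pending if piece))
        pending = []
    if pending:  # continuation at end of file with no following line
        joined.append(" ".join(piece for piece in pending if piece))
    return joined


def check_frontend(address: str, certs: List[str]) -> dict:
    """Render both forms and report which one overflows the line buffer."""
    single = render_bind_line(address, certs, one_line=True)
    split = render_bind_line(address, certs)
    return {
        "single_line_overlong": overlong_lines(single),
        "split_overlong": overlong_lines(split),
        "same_directive": logical_lines(single) == logical_lines(split),
        "continuations": split.count(" \\\n"),
    }


if __name__ == "__main__":
    print(check_frontend(SAMPLE_ADDRESS, SAMPLE_CERTS))
    print(render_bind_line(SAMPLE_ADDRESS, SAMPLE_CERTS[:3]))
```

With the constructed input the single-line form is flagged on line 1 and the split form passes, while both normalise to the same logical directive. Whatever generates the file, run HAProxy's own syntax check (`haproxy -c -f <config file>`) before reloading, so a truncated or rejected `bind` line is caught before a frontend goes live without some of its certificates.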

Quote from: franco on July 24, 2017, 06:44:08 PM
Hi akron,

Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.

New try with *two* characters, instead of one:

https://github.com/opnsense/plugins/commit/00151b8

# opnsense-patch 00151b8


Cheers,
Franco

Thanks Franco, however it says "fetch: https://github.com/opnsense/core/commit/00151b8.patch: Not Found" :D

I will apply this once the link is working and let you know the result.

Cheers


# opnsense-patch -c plugins 00151b8

This is better...