Bug #16348
openHAProxy adds wrong SSL filename prefix in the configuration file for ssl crt-list ca-file (SSL Offloading)
Description
After the update to the Netgate BETA release of pfSense Plus software version 25.03, the HAProxy DEV and stable packages generate config files that link to an SSL file that does not exist.
I'm running 25.07-RC; the file that does exist is shared-frontend.pem (without the prefix clientca_). Reverting to 24.11 resolves the issue!
On save, this wrong path is generated in the config:
[ALERT] (45623) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_shared-frontend.pem' (No such file or directory).
[ALERT] (45623) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:28] : 'bind 0.0.0.0:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_shared-frontend.pem
The relevant part of /var/etc/haproxy_test/haproxy.cfg
frontend shared-frontend
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy_test/shared-frontend.crt_list ca-file /var/etc/haproxy_test/clientca_hared-frontend.pem verify required crl-file /var/etc/haproxy_test/clientcrl_hared-frontend.pem
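A preflight check for the symptom described in this report, added here as an example and not part of the pfSense or HAProxy package: it pulls every path that follows a ca-file, crl-file or crt-list keyword out of a generated haproxy.cfg and reports the ones that do not exist on disk, so the missing-file problem is caught before a reload. The setup_sample function builds a constructed temporary directory that mirrors the reported state (the real shared-frontend.pem is present, the config references the clientca_ and clientcrl_ variants); the directory path and file contents are placeholders, not values from the report.

```shell
#!/bin/sh
# Added example: verify that the files a generated haproxy.cfg references actually exist.
# Not code from pfSense or the HAProxy package.

# setup_sample DIR: create a constructed sample that reproduces the reported mismatch:
# the PEM that exists is DIR/shared-frontend.pem, but the config points at
# DIR/clientca_shared-frontend.pem (and a clientcrl_ CRL that was never written).
setup_sample() {
  dir=$1
  mkdir -p "$dir"
  printf 'placeholder certificate\n' > "$dir/shared-frontend.pem"
  printf 'placeholder crt-list\n' > "$dir/shared-frontend.crt_list"
  cat > "$dir/haproxy.cfg" <<EOF
frontend shared-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list $dir/shared-frontend.crt_list ca-file $dir/clientca_shared-frontend.pem verify required crl-file $dir/clientcrl_shared-frontend.pem
EOF
}

# check_cfg_files CFG: print "missing: <path>" for every referenced file that is absent.
# Returns 0 when all referenced files exist, 1 otherwise.
check_cfg_files() {
  cfg=$1
  missing=0
  # awk prints the token that follows each ca-file / crl-file / crt-list keyword
  for f in $(awk '{ for (i = 1; i < NF; i++)
                      if ($i == "ca-file" || $i == "crl-file" || $i == "crt-list") print $(i + 1) }' "$cfg"); do
    if [ ! -e "$f" ]; then
      echo "missing: $f"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# count_missing CFG: number of referenced files that do not exist
count_missing() {
  check_cfg_files "$1" | wc -l | tr -d ' '
}

# Usage on a firewall (assumed path from the report):
#   check_cfg_files /var/etc/haproxy_test/haproxy.cfg
```

Running check_cfg_files against the sample prints the two clientca_/clientcrl_ paths and returns non-zero, which is the same condition HAProxy itself reports with the "Couldn't open the ca-file" ALERT; `haproxy -c -f <cfg>` remains the authoritative syntax check, this script only isolates the missing-file cause.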
Updated by Jim Pingle 3 months ago
- Project changed from pfSense to pfSense Packages
- Category changed from Certificates to haproxy
- Release Notes deleted (Default)
Updated by david solomon 20 days ago
Glad someone else stumbled upon this.
I am working with 2x Netgate 1541 in HA (25.0.7-1).
I have tested with ACME + HAProxy (stable 0.63_11 & devel 0.64_2 (3.0-dev13-f76e735))
To add from my testing, the .pem file uses the name you give the frontend as its base filename.
Example, if you named your frontend "companyweb_frontend" then the .pem would be created as /var/etc/haproxy_test/companyweb_frontend.pem.
I verified this by SSH and by listing /var/etc/haproxy_test/ with ls.
For some reason, HAProxy (both stable & devel) is looking for /var/etc/haproxy_test/clientca_companyweb_frontend.pem.
I tried tricking this bug by renaming my frontend "clientca_companyweb_frontend", but then haproxy just started throwing ALERTs for not finding /var/etc/haproxy_test/clientca_clientca_companyweb_frontend.pem.
It seems that whatever you name your frontend, HAProxy adds clientca_ to the front of that name.
Not sure if this helps, but these are my findings.