Bug #16348

open

HAProxy adds wrong SSL filename prefix in the configuration file for ssl crt-list ca-file (SSL Offloading)

Added by Daniel van der Wal 3 months ago. Updated 20 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.8.x
Affected Plus Version:
Affected Architecture:
amd64

Description

After the update to the Netgate Releases BETA of pfSense Plus Software Version 25.03, the HAProxy DEV and stable generated config files link to an SSL file that does not exist.
I'm running 25.07-RC; the file that does exist is shared-frontend.pem (without the clientca_ prefix). Reverting to 24.11 resolves the issue!

On save, this wrong path is generated in the config:

[ALERT] (45623) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_shared-frontend.pem' (No such file or directory).
[ALERT] (45623) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:28] : 'bind 0.0.0.0:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_shared-frontend.pem

The relevant part of /var/etc/haproxy_test/haproxy.cfg:

frontend shared-frontend
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy_test/shared-frontend.crt_list ca-file /var/etc/haproxy_test/clientca_hared-frontend.pem verify required crl-file /var/etc/haproxy_test/clientcrl_hared-frontend.pem
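An added pre-flight check, not part of this bug report or of the pfSense haproxy package, that would catch the mismatch behind the ALERT above before HAProxy is restarted with the broken config: it pulls every crt-list / ca-file / crl-file / crt path off the bind lines of an haproxy.cfg and reports any that do not exist on disk, noting when the unprefixed file (the one the package actually wrote) is present instead. The sample config, temporary directory and empty placeholder files are constructed for the demo, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the pfSense haproxy package.
# Pre-flight check: every certificate path referenced on a "bind ... ssl" line
# of an haproxy.cfg must exist on disk, otherwise haproxy refuses the config
# with the "Couldn't open the ca-file" ALERT quoted in this report. The sample
# config, directory and file names used by the demo below are constructed.

# List the file arguments that follow crt-list / ca-file / crl-file / crt on
# bind lines. $1 is the path to haproxy.cfg.
haproxy_cert_paths() {
    awk '
        /^[[:space:]]*bind[[:space:]]/ {
            for (i = 1; i < NF; i++)
                if ($i == "crt-list" || $i == "ca-file" || $i == "crl-file" || $i == "crt")
                    print $(i + 1)
        }' "$1"
}

# Check every referenced path. For a missing file whose name carries the
# clientca_ / clientcrl_ prefix, also say whether the unprefixed file is
# present, which is exactly the mismatch this bug produces.
# Returns 0 when all files exist, 1 when at least one is missing.
haproxy_check_cert_paths() {
    cfg="$1"
    rc=0
    for f in $(haproxy_cert_paths "$cfg"); do
        [ -e "$f" ] && continue
        rc=1
        dir=$(dirname "$f")
        base=$(basename "$f")
        case "$base" in
            clientca_*|clientcrl_*)
                # strip the shortest "client..._" prefix to get the unprefixed name
                unprefixed="$dir/${base#client*_}"
                if [ -e "$unprefixed" ]; then
                    echo "MISSING $f (unprefixed file exists: $unprefixed)"
                else
                    echo "MISSING $f"
                fi
                ;;
            *)
                echo "MISSING $f"
                ;;
        esac
    done
    return "$rc"
}

# Build a constructed reproduction in a temporary directory: a frontend whose
# generated config points at clientca_<name>.pem while only <name>.pem was
# written. Echoes the directory so callers can inspect or clean it up.
make_sample_haproxy_dir() {
    d=$(mktemp -d)
    cat > "$d/haproxy.cfg" <<EOF
frontend shared-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list $d/shared-frontend.crt_list ca-file $d/clientca_shared-frontend.pem verify required crl-file $d/clientcrl_shared-frontend.pem
EOF
    # empty placeholder files only; no real key material is created
    : > "$d/shared-frontend.crt_list"
    : > "$d/shared-frontend.pem"
    : > "$d/clientcrl_shared-frontend.pem"
    echo "$d"
}

# Demo run against the constructed directory. Against a live box the call is:
#   haproxy_check_cert_paths /var/etc/haproxy_test/haproxy.cfg
sample_dir=$(make_sample_haproxy_dir)
haproxy_check_cert_paths "$sample_dir/haproxy.cfg" || echo "config would fail to load"
rm -rf "$sample_dir"
```

Run it from the pfSense shell before applying a config change; a non-zero exit with a "MISSING ... (unprefixed file exists: ...)" line is the signature of this prefix bug, while a plain "MISSING" line means the certificate was never written at all.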

Actions #1

Updated by Jim Pingle 3 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Certificates to haproxy
  • Release Notes deleted (Default)

Actions #2

Updated by david solomon 20 days ago

Glad someone else stumbled upon this.

I am working with 2x Netgate 1541 in HA (25.0.7-1).
I have tested with ACME + HAProxy (stable 0.63_11 & devel 0.64_2 (3.0-dev13-f76e735)).

To add from my testing, the .pem file uses the name you give the frontend as its base filename.
For example, if you named your frontend "companyweb_frontend", then the .pem would be created as /var/etc/haproxy_test/companyweb_frontend.pem.
I verified this over SSH by running ls on /var/etc/haproxy_test/.

For some reason, HAProxy (both stable & devel) is looking for /var/etc/haproxy_test/clientca_companyweb_frontend.pem.
I tried tricking this bug by renaming my frontend to "clientca_companyweb_frontend", but then haproxy just started throwing ALERTs for not finding /var/etc/haproxy_test/clientca_clientca_companyweb_frontend.pem.

It seems that whatever you name your frontend, HAProxy adds clientca_ in front of it.

Not sure if this helps, but these are my findings.
