Bug #16348

HAProxy configuration references non-existent certificate files

Added by Daniel van der Wal 3 months ago. Updated 6 days ago.

Status: Feedback
Priority: Normal
Assignee:
Category: haproxy
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.11
Affected Version: 2.8.0
Affected Plus Version: 24.03
Affected Architecture:

Description

After the update to the Netgate Releases BETA of pfSense Plus Software Version 25.03, the HAProxy DEV and stable generated config files link to an SSL file that does not exist.
I'm running 25.07-RC; the file that does exist is shared-frontend.pem (without the prefix clientca_). Reverting to 24.11 resolves the issue!

On save, this wrong path is generated in the config:

[ALERT] (45623) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_shared-frontend.pem' (No such file or directory).
[ALERT] (45623) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:28] : 'bind 0.0.0.0:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_shared-frontend.pem

The relevant part of /var/etc/haproxy_test/haproxy.cfg:

frontend shared-frontend
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy_test/shared-frontend.crt_list ca-file /var/etc/haproxy_test/clientca_hared-frontend.pem verify required crl-file /var/etc/haproxy_test/clientcrl_hared-frontend.pem

Files

2025-11-02_09-44-56.png (214 KB), Screenshot, Roland Hoesel, 11/02/2025 08:51 AM

#1

Updated by Jim Pingle 3 months ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Certificates to haproxy
  • Release Notes deleted (Default)
#2

Updated by david solomon about 1 month ago

Glad someone else stumbled upon this.

I am working with 2x Netgate 1541 in HA (25.0.7-1).
I have tested with ACME + HAProxy (stable 0.63_11 & devel 0.64_2 (3.0-dev13-f76e735)).

To add from my testing, the .pem file uses the name you give the frontend as its base filename.
For example, if you named your frontend "companyweb_frontend", then the .pem would be created as /var/etc/haproxy_test/companyweb_frontend.pem.
I verified this over SSH by running ls on /var/etc/haproxy_test/.

For some reason, HAProxy (both stable & devel) is looking for /var/etc/haproxy_test/clientca_companyweb_frontend.pem.
I tried tricking this bug by renaming my frontend "clientca_companyweb_frontend", but then haproxy just started throwing ALERTs for not finding /var/etc/haproxy_test/clientca_clientca_companyweb_frontend.pem.

It seems that whatever you name your frontend, HAProxy prepends clientca_ to that name.

Not sure if this helps, but these are my findings.

#3

Updated by Steve Wheeler 16 days ago

  • Plus Target Version set to 25.11
  • Affected Plus Version set to 25.11

Hitting this in 25.11 beta builds.

[ALERT] (30024) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_Test_FE1.pem' (No such file or directory).
[ALERT] (30024) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:26] : 'bind 172.21.16.246:4443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_Test_FE1.pem
[ALERT] (30024) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
[ALERT] (30024) : config : Fatal errors found in configuration. 

It appears to be looking for a client CA when none is configured in the package GUI.
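The failure mode in the comments above is a generated bind line that references a clientca_/clientcrl_ file that was never written. The following pre-flight check is an added example, not pfSense or package code; it pulls every crt, crt-list, ca-file and crl-file path from the bind lines of a config and reports the ones missing on disk, using a constructed copy of the reporter's layout in a temporary directory that stands in for /var/etc/haproxy_test.

```shell
#!/bin/sh
# Added example, not pfSense package code: pre-flight check that every
# file a 'bind' line references via crt, crt-list, ca-file or crl-file
# exists on disk, so the clientca_/clientcrl_ mismatch from this ticket
# is caught before 'haproxy -c -f' or a service reload.

# Prints "keyword path" per missing file; returns 0 when all exist.
check_haproxy_cert_refs() {
    cfg="$1"
    # Keyword/path pairs from bind lines. 'crt' cannot swallow 'crt-list'
    # because the keyword must be followed by whitespace.
    refs=$(grep -E '^[[:space:]]*bind[[:space:]]' "$cfg" |
        grep -oE '(crt-list|crt|ca-file|crl-file)[[:space:]]+[^[:space:]]+' || :)
    missing=$(printf '%s\n' "$refs" | while read -r kw path; do
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            printf '%s %s\n' "$kw" "$path"
        fi
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed reproduction of the ticket's layout (the directory stands in
# for /var/etc/haproxy_test): the frontend's own files exist, but the
# generated bind line references prefixed names that do not.
make_demo_config() {
    dir="$1"
    mkdir -p "$dir"
    : > "$dir/shared-frontend.crt_list"
    : > "$dir/shared-frontend.pem"
    cat > "$dir/haproxy.cfg" <<EOF
frontend shared-frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list $dir/shared-frontend.crt_list ca-file $dir/clientca_shared-frontend.pem verify required crl-file $dir/clientcrl_shared-frontend.pem
    mode http
EOF
    printf '%s\n' "$dir/haproxy.cfg"
}

demo_dir=$(mktemp -d)
cfg=$(make_demo_config "$demo_dir")
if check_haproxy_cert_refs "$cfg"; then
    echo "all referenced certificate files exist"
else
    echo "fix the config before running: haproxy -c -f $cfg"
fi
rm -rf "$demo_dir"
```

Run against a real /var/etc/haproxy_test/haproxy.cfg by calling check_haproxy_cert_refs with that path instead of the demo config; a non-zero exit lists exactly the files haproxy's ALERT lines would complain about.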

#4

Updated by Danilo Zrenjanin 11 days ago

I couldn't replicate it.

Tested against:

25.07.1-RELEASE (amd64)
built on Fri Oct 24 14:27:00 UTC 2025
FreeBSD 15.0-CURRENT
HAProxy installed version 2.9.14-7c591d5

I tested with an ACME certificate, with SSL offloading enabled on the frontend.

# Automaticaly generated, dont edit manually.
# Generated on: 2025-11-01 18:32
global
    maxconn            1000
    stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    uid            80
    gid            80
    nbthread            1
    hard-stop-after        15m
    chroot                /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend test_LAB
    bind            192.168.33.10:443 name 192.168.33.10:443   ssl crt-list /var/etc/haproxy/test_LAB.crt_list  
    mode            http
    log            global
    option            http-keep-alive
    timeout client        30000
    acl            acl1    var(txn.txnhost) -m str -i testlab.ipbgd.com
    acl            aclcrt_test_LAB    var(txn.txnhost) -m reg -i ^testlab\.ipbgd\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend backend1_ipvANY  if  acl1 aclcrt_test_LAB

backend backend1_ipvANY
    mode            http
    id            100
    log            global
    http-check        send meth GET
    timeout connect        30000
    timeout server        30000
    retries            3
    load-server-state-from-file    global
    option            httpchk
    server            backend1 192.168.10.1:80 id 101 check inter 1000

The service starts normally with no error logs.

#5

Updated by Danilo Zrenjanin 11 days ago

However, I worked on a customer's firewall with the same setup as mine, and there HAProxy fails as reported in this bug.

#6

Updated by Roland Hoesel 10 days ago

I can confirm this issue; it was our firewall that Danilo Zrenjanin worked on.

We rolled back to:
24.11-RELEASE (amd64)
built on Fri Nov 22 5:34:00 CET 2024

Everything is working as expected on 24.11 with haproxy 2.9.14-7c591d5.

Hardware: Netgate 8200

The issue with the clientca_ prefix was opened 3 months ago by Daniel van der Wal and still exists in BETA 25.11;
maybe the development team can prioritize this bug?

#7

Updated by Roland Hoesel 10 days ago

The Multi-Instance Management service was enabled on our box; perhaps this information will be helpful.

#8

Updated by Marcos M 9 days ago

  • Subject changed from HAProxy adds wrong SSL filename prefix in the configuration file for ssl crt-list ca-file (SSL Offloading) to HAProxy configuration references non-existent certificate files
  • Status changed from New to In Progress
  • Assignee set to Marcos M
  • Target version set to 2.9.0
  • Affected Version changed from 2.8.x to 2.8.0
  • Affected Plus Version changed from 25.11 to 24.03
  • Affected Architecture deleted (amd64)
#9

Updated by Marcos M 9 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

The file names haven't changed; this is a regression resulting from the configuration access changes some versions ago, which exposed an issue that was previously effectively ignored. This should be fixed with:
https://github.com/pfsense/FreeBSD-ports/commit/8b8e6ab4b5389ae54577ad32cbb0f9163a07b289
https://github.com/pfsense/FreeBSD-ports/commit/b36481ded8e96828dbb0eecc73809dfcbc742aa5

#11

Updated by Marcos M 6 days ago

  • Private changed from Yes to No