HAProxy backend configuration does not handle intermediate CAs properly
In HAProxy backend settings, when configuring a server, there is the option to have it validate SSL certificates against a specific CA.
This works without a single problem with a standard root CA, but when needing to validate a certificate with an intermediate CA, this does not work anymore.I had this surprise when switching certificates :
- Before : simple PKI infrastructure with a root CA, and a server certificate made from it, it worked.
- After : complex PKI infrastructure with an offline root CA, an online intermediate CA, and a server certificate made from it, which results in a "SSL handshake failure" when checking the certificate.
Inspection of the configuration text file reveals that the backend server definition uses only the file containing the intermediate certificate authority.
Since this file does not include the root CA, obviously it can't do a complete verification of the trust chain, which would result in a SSL handshake failure.
On a separate note, when a certificate authority is affiliated to another certificate loaded in pfSense, the display is appropriate :
"CA: Intermediate CA (CA: ROOT CA)"
But it does not generate a combined chain file that should contain certificates for both CAs (Root + Intermediate), which would be the proper expected behavior.
As a workaround I have disabled the SSL certificate check for the time being.