Bug #7039


HAProxy backend configuration does not handle intermediate CAs properly

Added by Stéphane Lapie over 7 years ago. Updated almost 2 years ago.

In HAProxy backend settings, when configuring a server, there is the option to have it validate SSL certificates against a specific CA.

This works without a single problem with a standard root CA, but when needing to validate a certificate with an intermediate CA, this does not work anymore.

I had this surprise when switching certificates:
  • Before: a simple PKI infrastructure with a root CA and a server certificate issued from it; it worked.
  • After: a complex PKI infrastructure with an offline root CA, an online intermediate CA, and a server certificate issued from it, which results in an "SSL handshake failure" when checking the certificate.

Inspection of the configuration text file reveals that the backend server definition uses only the file containing the intermediate certificate authority.
Since this file does not include the root CA, it obviously can't do a complete verification of the trust chain, which results in an SSL handshake failure.

On a separate note, when a certificate authority is affiliated with another certificate loaded in pfSense, the display is appropriate:

"CA: Intermediate CA (CA: ROOT CA)"

But it does not generate a combined chain file that should contain certificates for both CAs (Root + Intermediate), which would be the proper expected behavior.

As a workaround I have disabled the SSL certificate check for the time being.
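The trust-chain failure described above, reproduced with openssl as an added example (this is not code from pfSense or the HAProxy package): a ca-file holding only the intermediate CA fails verification, while a bundle of intermediate plus root succeeds. It assumes openssl is on the PATH; the CA and server names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from pfSense or the HAProxy package: reproduce the
# chain failure in this bug with openssl and show the bundle that fixes it.
set -eu

# Count CERTIFICATE blocks in a PEM file; the bundle built here must have 2.
pem_cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# Build the file HAProxy's ca-file should point at: the intermediate plus the
# root that anchors it. Order does not matter; every input must be PEM.
build_ca_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    grep -q '^-----BEGIN CERTIFICATE-----' "$f" || { echo "not PEM: $f" >&2; return 1; }
    cat "$f" >> "$out"
  done
}

# Verify a server cert against a ca-file as OpenSSL (hence HAProxy's 'ssl verify
# required ca-file') does: the chain must end at a self-signed anchor in that file.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed PKI in directory $1: root CA, intermediate CA, one server cert.
make_demo_pki() {
  d=$1; key='-newkey rsa:2048 -nodes'
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -x509 $key -keyout "$d/root.key" -out "$d/root.crt" -days 1 \
    -subj '/CN=Demo Root CA' 2>/dev/null
  openssl req $key -keyout "$d/int.key" -out "$d/int.csr" -subj '/CN=Demo Intermediate CA' 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.crt" -days 1 2>/dev/null
  openssl req $key -keyout "$d/srv.key" -out "$d/srv.csr" -subj '/CN=backend.example.test' 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/srv.crt" -days 1 2>/dev/null
}

# Returns 0 when the bug reproduces (intermediate-only ca-file fails) and the
# combined bundle verifies, 1 on any other outcome, 2 if openssl is missing.
demo() {
  command -v openssl >/dev/null 2>&1 || return 2
  d=$(mktemp -d); make_demo_pki "$d"
  build_ca_bundle "$d/chain.pem" "$d/int.crt" "$d/root.crt"
  [ "$(pem_cert_count "$d/chain.pem")" -eq 2 ] || return 1
  ! verify_chain "$d/int.crt" "$d/srv.crt" || return 1  # intermediate only: handshake would fail
  verify_chain "$d/chain.pem" "$d/srv.crt" || return 1   # intermediate + root: OK
  rm -rf "$d"
}
if demo; then echo "reproduced: intermediate-only ca-file fails, combined bundle verifies"; fi
```

The same distinction applies to the HAProxy backend: `ca-file` must contain the trust anchor (the root), and the generated chain file from pfSense should therefore include both certificates.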

#1

Updated by Neil Bortnak over 2 years ago

Submitted a PR to resolve this issue.

#2

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review

#3

Updated by Renato Botelho over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

#4

Updated by Renato Botelho almost 2 years ago

  • Assignee deleted (Renato Botelho)
