I'm trying to get HAProxy 1.5.x to trust any certificate authority already in the trust store of the machine (/etc/ssl/certs) without having to explicitly specify the individual ca-file root authority certificate to be trusted. I want to avoid the scenario of a given backend server using a certificate issued by a different authority and causing an outage because that backend server is no longer trusted, despite the CA being in the machine trust store.
Within a given backend section of the haproxy.cfg file, the server line has an option called ca-file. This option instructs HAProxy to verify the authority of the backend's server certificate using the authority provided. The trouble is that this points to a single CA.
I found the ca-base option. Unless I'm mistaken, this is only a shortcut to avoid having to specify the full path of the ca-file at each declaration.
I recently hit this issue in 1.5.6 where I was receiving the error message
This was related to not specifying a ca-file, which you cannot specify at the default-server level (according to the docs). I likewise did not want to think about service disruption should the backend endpoint have its cert re-issued by another CA.
I solved this by pointing to the combined CA certificates file that your Linux distro packages and neatly maintains for you. On Debian, this file is /etc/ssl/certs/ca-certificates.crt; it's probably the same for you. (On RHEL7, check /etc/ssl/certs/ca-bundle.crt.)

I think you misinterpret the significance of the ca-file. The CA is used to authorize clients, not your own backend servers.
HAProxy does not make SSL connections to its backends (to my knowledge) - there are no handshakes, and no certificates for HAProxy to validate.
The CA file is required if you or your client sets up a PKI to allow secure SSL connections from trusted clients only. You (or the client) will generate the CA certificate yourself, and use it to sign client certificates.
Even in the rare case where several CAs are necessary for the same service, it seems to be possible to bundle those in one PEM file.
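As an added illustration of the first answer's fix (not configuration from the question or either answer), here is an haproxy.cfg fragment for HAProxy 1.5 that contrasts a server line pinned to a single CA file with one pointed at the distro-maintained bundle; the backend hostnames, ports and the single-CA file name are assumed:

```haproxy
# Added example (not from the question or either answer). Hostnames, ports
# and the file corp-root-only.pem are assumed values.

global
    # ca-base only shortens relative ca-file paths; it does not widen trust.
    ca-base /etc/ssl/certs

# Weak: exactly one issuing CA is trusted. If the backend's certificate is
# re-issued by another CA that the host already trusts, the TLS handshake
# fails verification and the server is marked down.
backend app_single_ca
    server app1 app1.example.internal:443 ssl verify required ca-file corp-root-only.pem

# Fixed: trust every CA in the distro bundle (ca-certificates.crt on Debian,
# ca-bundle.crt on RHEL7), so a re-issue by any CA in the machine trust store
# keeps working. The answer notes ca-file cannot go on default-server in 1.5,
# so it is repeated on each server line. verifyhost pins the expected name,
# otherwise any certificate chaining to any bundled CA would be accepted.
backend app_system_bundle
    server app1 app1.example.internal:443 ssl verify required ca-file ca-certificates.crt verifyhost app1.example.internal
    server app2 app2.example.internal:443 ssl verify required ca-file ca-certificates.crt verifyhost app2.example.internal
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` after editing to confirm the configuration parses before reloading.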