Haproxy SSL handshake failure

Tags: godaddy, haproxy, openssl

I have a problem with one specific client which hits my haproxy load balancer. The error message in the haproxy logs:

incoming_ssl/1: SSL handshake failure

The client in question seems to be some Apache Java client or ActiveMq server – either way, it's a remote server which we have zero control over.

Using ssldump, I see these lines:

11 5  0.4152 (0.1649)  C>S  Alert
    level           fatal
    value           certificate_unknown
11    0.4152 (0.0000)  C>S  TCP FIN

Using curl / browser everything looks fine and I've done some ssl checks which report no such problems.

I've stripped as much out of my haproxy config file as possible to diagnose the issue. I've even tested hitting the backend (NodeJS) server directly which works fine – the client can connect. It's defo haproxy, I just don't know how I can fix it.

My basic haproxy conf file looks like this:

frontend incoming_ssl
  bind *:443 ssl crt /etc/haproxy/cert.key ca-file /etc/haproxy/cert.pem ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
  acl flume hdr_dom(host) -i dom.ain.com
  use_backend flume if flume

backend flume :80
  server flume 10.40.14.1:8000 weight 1 maxconn 1000 check inter 2000

Have tried using ssl backend too – same issue. Have tried removing the cipher section too.

Am using godaddy certificates which seem ok for curl / browsers if a little annoying to set up.

Is there something else I can do to get this working? Am running the latest development haproxy 1.5 release 26 but have also tried other recent releases.

Best Answer

This client does not recognize the certificate as a valid one.

Godaddy intermediate certificates have to be included in the file loaded by the "crt".

Check that the whole certificate chain is properly included in the server's certificate:

crt /etc/haproxy/cert.key

From haproxy documentation for the "crt" keyword:

Some CAs (such as Godaddy) offer a drop down list of server types that do not include HAProxy when obtaining a certificate. If this happens be sure to choose a webserver that the CA believes requires an intermediate CA (for Godaddy, selecting Apache Tomcat will get the correct bundle, but many others, e.g. nginx, result in a wrong bundle that will not work for some clients).
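As an added example (not code from the question, the answer or the haproxy project), the following POSIX shell script assembles the key + certificate + intermediate file that haproxy loads with "crt" and then checks, with openssl verify, that the server certificate chains to the root using only the intermediates inside that file, which is exactly the check a strict client such as the Java one in the question performs. The file names and the throwaway test CA it generates are assumptions constructed for the demo; on a real host the GoDaddy-issued files take their place.

```shell
#!/bin/sh
# Build the combined PEM that haproxy loads with "crt" (private key, server
# certificate, then the issuing intermediate(s)) and check that the chain is
# complete using only what is inside that file, which is all a strict client
# ever sees. File names and the throwaway CA are constructed for this example.
set -eu

# count_certs FILE: number of CERTIFICATE blocks in a PEM file
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_bundle KEY LEAF INTERMEDIATES OUT: concatenate in the order haproxy expects
build_bundle() {
    cat "$1" "$2" "$3" > "$4"
    chmod 600 "$4"
}

# verify_bundle BUNDLE ROOT: 0 if the first cert chains to ROOT via the
# intermediates shipped inside BUNDLE, non-zero otherwise
verify_bundle() {
    bundle=$1; root=$2
    n=$(count_certs "$bundle")
    if [ "$n" -lt 2 ]; then
        echo "$bundle holds $n certificate(s): intermediate CA missing" >&2
        return 1
    fi
    awk '/BEGIN CERTIFICATE/{i++} i==1' "$bundle" > "$bundle.leaf"   # first cert
    awk '/BEGIN CERTIFICATE/{i++} i>=2' "$bundle" > "$bundle.chain"  # the rest
    openssl verify -CAfile "$root" -untrusted "$bundle.chain" "$bundle.leaf" >/dev/null
}

# make_test_chain DIR: throwaway root -> intermediate -> leaf, standing in for
# the GoDaddy chain; the intermediate must carry basicConstraints CA:TRUE
make_test_chain() {
    d=$1
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=dom.ain.com \
        -keyout "$d/cert.key" -out "$d/cert.csr" 2>/dev/null
    openssl x509 -req -in "$d/cert.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/cert.pem" 2>/dev/null
}
```

Run make_test_chain on a temporary directory, then build_bundle once with /dev/null in place of the intermediate and once with int.pem, and verify_bundle each against root.pem: the key + certificate-only file, which is what the question's "crt" points at, fails, while the file with the intermediate appended passes.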