
I am using HAProxy to terminate TLS (and later also load balance) RabbitMQ (MQTT). When I disable TLS it all works great. However, when I enable TLS I get fe_mqtt/1: SSL handshake failure

The certificate I am using was issued by Let's Encrypt. The PEM file I am using is a concatenation of privkey.pem and fullchain.pem.

What am I doing wrong?

Here's my HAProxy config:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # generated 2020-05-20, Mozilla Guideline v5.4, HAProxy 2.0.3, OpenSSL 1.1.1d, modern configuration, no HSTS
    # https://ssl-config.mozilla.org/#server=haproxy&version=2.0.3&config=modern&openssl=1.1.1d&hsts=false&guideline=5.4
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

defaults
    log global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 10s
    timeout client  12m
    timeout server  10m

frontend fe_mqtt
    mode tcp
    bind *:8889 ssl crt /etc/letsencrypt/live/staging-mqtt.example.com/haproxy-combined.pem
    default_backend be_mqtt

backend be_mqtt
    server mqtt-broker 127.0.0.1:1883 send-proxy
ptheofan

1 Answer


Looks like RabbitMQ requires in the default setup at least TLSv1. Your config allows only TLSv1.3:

no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

I suggest the following:

Aleksandar
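Added example, not code from the question or the answer: a small checker that works out which TLS versions a bind line ends up accepting once HAProxy's global ssl-default-bind-options and the bind line's own keywords are applied, so a config that, as above, leaves only TLSv1.3 enabled is caught in review rather than by clients failing the handshake. The two configs it parses are constructed (the crt path is a placeholder), and it only models the version-selection keywords.

```python
# Added example (not from the question or the answer): compute which TLS
# versions each "bind ... ssl" line still accepts once HAProxy's global
# ssl-default-bind-options and the bind line's own keywords are applied.
# Understood keywords: no-sslv3/no-tlsv10..13, force-tlsv1x, ssl-min-ver and
# ssl-max-ver, applied left to right (an approximation of HAProxy's parsing).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_SUFFIX = {"sslv3": "SSLv3", "tlsv10": "TLSv1.0", "tlsv11": "TLSv1.1",
           "tlsv12": "TLSv1.2", "tlsv13": "TLSv1.3"}

def enabled_versions(options):
    """Return the protocol versions left enabled after applying `options`."""
    enabled = set(VERSIONS)
    i = 0
    while i < len(options):
        tok = options[i].lower()
        if tok.startswith("no-") and tok[3:] in _SUFFIX:
            enabled.discard(_SUFFIX[tok[3:]])           # e.g. no-tlsv12
        elif tok.startswith("force-") and tok[6:] in _SUFFIX:
            enabled = {_SUFFIX[tok[6:]]}                # exactly one version
        elif tok in ("ssl-min-ver", "ssl-max-ver") and i + 1 < len(options):
            bound = VERSIONS.index(options[i + 1])
            keep = VERSIONS[bound:] if tok == "ssl-min-ver" else VERSIONS[:bound + 1]
            enabled &= set(keep)
            i += 1                                      # consume the version argument
        i += 1
    return [v for v in VERSIONS if v in enabled]

def bind_tls_versions(config_text):
    """Map each TLS-enabled bind address to the versions it will negotiate."""
    defaults, result = [], {}
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()            # strip comments, tokenize
        if not words:
            continue
        if words[0] == "ssl-default-bind-options":
            defaults = words[1:]
        elif words[0] == "bind" and "ssl" in words[2:]:
            result[words[1]] = enabled_versions(defaults + words[2:])
    return result
# Constructed configs: the option line from the question, and the same line
# with no-tlsv12 dropped so TLS 1.2-only MQTT clients can still connect.
QUESTION_CONFIG = """global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
frontend fe_mqtt
    bind *:8889 ssl crt /etc/haproxy/combined.pem"""
FIXED_CONFIG = QUESTION_CONFIG.replace(" no-tlsv12", "")

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, bind_tls_versions(cfg))
```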