HAProxy and Intermediate SSL Certificate Issue

Question

We are currently experiencing an issue with verifying a Comodo SSL certificate on an Ubuntu AWS cluster. Browsers are displaying the site/content fine and showing all the relevant certificate information (at least, all the ones we've checked), but certain network proxies and the online SSL checkers are showing we have an incomplete chain.

We have tried the following to try to resolve this:

Upgraded haproxy to the latest 1.5.3
Created a concatenated ".pem" file containing all the certificate (site, intermediate, w/ and w/out root)
Added an explicit "ca-file" attribute to the "bind" line in our haproxy.cfg file.

The ".pem" file verifies OK using openssl. The various intermediate and root certificates are installed and showing in /etc/ssl/certs. But the checks still come back with an incomplete chain.

Can anyone advise about anything else we can check or any other changes we can make to try to fix this?

Many thanks in advance...

UPDATE: The only relevant line from the haproxy.cfg (I believe), is this one:

bind *:443 ssl crt /etc/ssl/domainaname.com.pem

UPDATE 2: Output from openssl s_client

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = www.domainname.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL/CN=www.domainname.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

The following are the contents of www.domainname.com.pem (being referenced in the haproxy config).

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: www.domainname.com
subject=/OU=Domain Control Validated/OU=COMODO SSL/CN=www.domainname.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
[...]
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

Please include the relevant part/s of your HAProxy config file. — ThatGraemeGuy, Aug 21 '14 at 14:37
The root should not be in the certificate file, only site cert and all intermediate in the correct order. — Steffen Ullrich, Aug 21 '14 at 15:20
@SteffenUllrich - sorry, I should have mentioned - I've tried that configuration, too. Original post modified. — Sam K, Aug 21 '14 at 15:45
what certificates are shown by `openssl s_client` if you connect to the site (list is on top of output)? — Steffen Ullrich, Aug 21 '14 at 16:16
@SteffenUllrich - output added as an update to the opening post. Thanks. — Sam K, Aug 26 '14 at 08:37
As you can see openssl s_client also sees only the first certificate. Are you are sure that you are using the correct intermediate certificate? From what I see it should be [this](https://ssl-tools.net/certificates/7l2r9t-comodo-ssl-ca). Also check that the intermediate certificate is correct by checking with `openssl x509`, maybe the data are corrupt. — Steffen Ullrich, Aug 26 '14 at 15:15

score 10 · Answer 1 · answered Jan 25 '16 at 13:05

Correct order to include intermediate certificates:

-----BEGIN PRIVATE KEY----- [Your private key] -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- [Your certificate] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Intermidate#1 certificate] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Intermidate#2 certificate] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Root certificate] -----END CERTIFICATE-----

awk 1 ORS='\\n' ~/your_path/cert.pem

copy string

and paste to docker-compose.yml like that:

proxy: image: tutum/haproxy ports: - "80:80" - "443:443" environment: - "DEFAULT_SSL_CERT=-----BEGIN PRIVATE KEY-----\nMIIEvQIBADA......" links: - webapp

It's work for me.

score 1 · Accepted Answer · answered Aug 27 '14 at 12:43

FWIW, I managed to get to the bottom of this. The issue was the delimiters I had used for the various certificates in my .pem file.

The delimiter has to be exactly -----BEGIN/END CERTIFICATE----- - no "INTERMEDIATE" or "ROOT" or any of that.

Also, the working .pem for HAProxy includes all of the intermediate and root certificates in my chain - it seemed to be the only way to get them to all pick up.

score 0 · Answer 3 · answered Sep 02 '21 at 09:26

I've faced similar issue where client authentication should have been validated against intermediate certificate. Setup that works:

bind *:11029 ssl crt server.pem ca-file client_trusted.pem ca-verify-file client_trusted.chains.pem verify required

Here key points were:

ca-file contained all necessary intermediate certificates for our API gateway to validate client authentication against
ca-verify-file contained full chains for certificates in ca-file

HAProxy and Intermediate SSL Certificate Issue

3 Answers3