Situation:
I want this to work: requests come from clients and goes to haproxy through 443 port (ssl) and then it must go to backend on 80 port.
I have server certificate given by intermediate ca (ca1), ca1 certificate and client certificate. BUT I didn't find solution to request correct server certificate from windows certification authority to haproxy server(ubuntu). may be cause of templates. I requested from windows machine server certificate and copy it to haproxy.
AND PROBLEM IS HAProxy log have this error "ssl client ca chain cannot be verified"
config haproxy:
frontend https_frontend
bind 192.168.14.167:443 ssl crt /etc/haproxy/cert/request/server.pem ca-file /etc/haproxy/cert/request/ca1-certificate.pem verify optional crt-ignore-err all no-sslv3
mode http
log /dev/log local7
option httplog
use_backend web_server_1 if { ssl_fc_has_crt }
default_backend web_server_2
backend web_server_1
mode http
option httplog
server w7 192.168.11.109:80 check
backend web_server_2
mode http
option httplog
server xp 192.168.13.205:80 check
this scheme doesn't work.
additional info: log from winXP, where I ran opennssl
C:\OpenSSL-Win32\bin>openssl s_client -connect haproxy2:443 -cert client.pem -CAfile ca1-certificate.pem -state -showcerts
316:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:.\ssl\s3_pkt.c:1275:SSL alert number 48
316:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:184: ... cer info... Verify return code: 20 (unable to get local issuer certificate)
(sorry for my english if it bad) I have read many posts about it but didn't find solution.
