Nov 18 12:37:05 mail haproxy[126258]: xx.yy.zzz.vvv:63965 [18/Nov/2023:12:37:05.468] http-in/2: SSL handshake failure (error:0A0000EA:SSL routines::callback failed)
Nov 18 12:47:14 mail haproxy[126258]: Proxy http-in stopped (cumulated conns: FE: 866, BE: 0).
Nov 18 12:47:14 mail haproxy[126258]: [WARNING] (126258) : Proxy letsencrypt-backend stopped (cumulated conns: FE: 0, BE: 0).
Nov 18 12:47:14 mail haproxy[126258]: message repeated 2 times: [ Proxy http-in stopped (cumulated conns: FE: 866, BE: 0).]
Nov 18 12:47:14 mail haproxy[126258]: Proxy letsencrypt-backend stopped (cumulated conns: FE: 0, BE: 0).
Nov 18 12:47:14 mail haproxy[126258]: [WARNING] (126258) : Proxy website-static stopped (cumulated conns: FE: 0, BE: 205).
Nov 18 12:47:14 mail haproxy[126258]: Proxy letsencrypt-backend stopped (cumulated conns: FE: 0, BE: 0).
Nov 18 12:47:14 mail haproxy[126258]: Proxy website-static stopped (cumulated conns: FE: 0, BE: 205).
Nov 18 12:47:14 mail haproxy[126258]: [WARNING] (126258) : Proxy website stopped (cumulated conns: FE: 0, BE: 134).
Nov 18 12:47:14 mail haproxy[126258]: Proxy website-static stopped (cumulated conns: FE: 0, BE: 205).
Nov 18 12:47:14 mail haproxy[126258]: Proxy website stopped (cumulated conns: FE: 0, BE: 134).
Nov 18 12:47:14 mail haproxy[126258]: [WARNING] (126258) : Proxy cmssite stopped (cumulated conns: FE: 0, BE: 3).
Nov 18 12:47:14 mail haproxy[126258]: Proxy website stopped (cumulated conns: FE: 0, BE: 134).
Nov 18 12:47:14 mail haproxy[126258]: Proxy cmssite stopped (cumulated conns: FE: 0, BE: 3).
Most probably some misconfiguration.
Here is my config:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy
    stats socket /var/run/haproxy/admin.sock level admin mode 660
    setenv ACCOUNT_THUMBPRINT 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    stats timeout 30s
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/apache2/certs
    crt-base /etc/ssl/apache2/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-dh-param-file /etc/haproxy/dhparams.pem
    ssl-default-bind-options no-sslv3
    ssl-skip-self-issued-ca

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    compression algo gzip
    compression type text/html text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy application/atom+xml application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest
    balance roundrobin
    option dontlog-normal
    option dontlognull
    option httpclose
    option forwardfor

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/haproxy/certs/www.mydomain.org.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
    http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend website
    log /dev/log local2 debug
    acl is_static path_beg /export/ /opencms/ /resources/ /javadoc/ /VAADIN/ /workplace /opencms-login/
    acl is_website hdr_beg(host) -i www.mydomain.org
    acl is_cmssite hdr_beg(host) -i cms.mydomain.org
    use_backend website-static if is_website is_static
    use_backend website if is_website
    use_backend cmssite if is_cmssite

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

backend website-static
    server www.mydomain.org 127.0.0.1:8080

backend website
    http-request set-path /opencms%[path]
    server www.mydomain.org 127.0.0.1:8080

backend cmssite
    http-request set-path /opencms%[path]
    server cms.mydomain.org 127.0.0.1:8082
What is wrong?
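The handshake-failure lines in the post are easier to reason about when parsed and counted per source and per OpenSSL error code than when read one by one. The script below is an added example (editor's code, not from the post or from HAProxy), which parses haproxy syslog lines of the format shown above and aggregates the failures; the sample lines are constructed with documentation IP addresses. It assumes that, with `strict-sni` on the bind, a client that sends no SNI or an SNI with no loaded certificate is refused in the SNI callback, which is consistent with the `callback failed` reason, so per-source counts help separate direct-to-IP scanner noise from real clients.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the syslog format quoted in the post
# (documentation-range IPs; the second error code is a made-up second case).
SAMPLE_LOG = """\
Nov 18 12:37:05 mail haproxy[126258]: 198.51.100.23:63965 [18/Nov/2023:12:37:05.468] http-in/2: SSL handshake failure (error:0A0000EA:SSL routines::callback failed)
Nov 18 12:37:09 mail haproxy[126258]: 198.51.100.23:63970 [18/Nov/2023:12:37:09.001] http-in/1: SSL handshake failure (error:0A0000EA:SSL routines::callback failed)
Nov 18 12:38:11 mail haproxy[126258]: 203.0.113.9:51002 [18/Nov/2023:12:38:11.120] http-in/1: SSL handshake failure (error:0A000102:SSL routines::unsupported protocol)
Nov 18 12:47:14 mail haproxy[126258]: Proxy http-in stopped (cumulated conns: FE: 866, BE: 0).
"""

# One haproxy handshake-failure line: syslog prefix, client addr:port,
# accept timestamp in brackets, frontend/bind-id, then the OpenSSL reason.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ haproxy\[(?P<pid>\d+)\]: "
    r"(?P<ip>\S+):(?P<port>\d+) \[[^\]]+\] "
    r"(?P<frontend>[^/]+)/(?P<bind>\d+): SSL handshake failure "
    r"\((?P<reason>[^)]*)\)$"
)


def parse_handshake_failure(line):
    """Return a dict for an 'SSL handshake failure' line, else None."""
    m = HANDSHAKE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "error:0A0000EA:SSL routines::callback failed" -> code + human text
    parts = rec["reason"].split(":")
    rec["code"] = parts[1] if len(parts) > 1 else ""
    rec["text"] = parts[-1]
    return rec


def summarize(log_text):
    """Count handshake failures per client IP and per OpenSSL error code."""
    by_ip, by_code = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_handshake_failure(line)
        if rec:
            by_ip[rec["ip"]] += 1
            by_code[rec["code"]] += 1
    return by_ip, by_code


def noisy_sources(log_text, threshold):
    """Client IPs with at least `threshold` failures, most frequent first."""
    by_ip, _ = summarize(log_text)
    return [ip for ip, n in by_ip.most_common() if n >= threshold]
```

Feed it `journalctl -u haproxy --no-pager` output instead of the sample to see which sources and which error codes dominate on a real host.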