Hello,
We’ve got a server on Debian 12 with HAProxy version 3.1.5.
In the haproxy.cfg file, we have an HTTPS frontend which looks like this:
mode http
log-format "${HAPROXY_HTTP_LOG_FMT} [SSL] USED:%{+Q}[ssl_c_used] VERIF:%{+Q}[ssl_c_verify] DN:%{+Q}[ssl_c_s_dn] ISSUER:%{+Q}[ssl_c_i_dn]"
bind *:443 ssl crt /myfolder/ssl/certs strict-sni ca-file /myfolder/ssl/CA/trusted_ca.pem verify optional crl-file /myfolder/ssl/CRL/crl2.pem crl-file /myfolder/ssl/CRL/crl1.pem
The folder “/myfolder/ssl/certs” contains many server certificates. The file “trusted_ca.pem” contains all the certification authorities that issued the certificates.
We are using “verify optional” because we have servers that need to be protected by SSL client authentication and others that don’t.
Problem: some legitimate client connections seem to be blocked with the following reason:
xxx.xxx.xxx.xxx:14648 [28/Feb/2025:08:12:23.949] https/1: SSL client certificate not trusted
We are pretty sure that we have included all the necessary authorities in the “trusted_ca.pem” file.
And when we have this error, no information about the content of the certificate presented is displayed in the log (no DN, no issuer…)! The “log-format” directive doesn’t seem to be working with SSL errors.
Question: how can we get more information about the client certificate even if a connection error occurs?
Thank you for your help
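One way to get that information, as an added example that is not part of the original post and not an answer from the HAProxy project: “SSL client certificate not trusted” is the handshake error HAProxy raises when the presented certificate fails verification at depth 0, and a failed handshake never produces an HTTP log line, so the log-format is never evaluated. Adding `crt-ignore-err` (and `ca-ignore-err` for chain-level errors) to the bind line lets the handshake complete, after which `ssl_c_verify`, `ssl_c_err` and the DN fetches carry the verification result into the log. Because this disables rejection at handshake time for every host, the hosts that really need client authentication must be protected again with `http-request deny` rules. The paths are the ones from the post; the frontend name and the hostname `secure.example.com` are hypothetical.

```haproxy
frontend https
    mode http

    # Same bind line as in the post, plus crt-ignore-err / ca-ignore-err so a
    # client certificate that fails verification no longer aborts the handshake.
    # "all" is convenient for diagnosis; a single error can be ignored instead
    # by name, e.g. crt-ignore-err X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    bind *:443 ssl crt /myfolder/ssl/certs strict-sni ca-file /myfolder/ssl/CA/trusted_ca.pem verify optional crl-file /myfolder/ssl/CRL/crl2.pem crl-file /myfolder/ssl/CRL/crl1.pem crt-ignore-err all ca-ignore-err all

    # The verification result is now part of the request, so it can be logged:
    # ssl_c_verify  - overall result (0 = OK, otherwise the X509_V_ERR code)
    # ssl_c_err     - first error on the client certificate itself (depth 0)
    # ssl_c_ca_err  - first error found while checking the CA chain
    # x509_v_err_str turns the numeric code into its X509_V_ERR_* name
    log-format "${HAPROXY_HTTP_LOG_FMT} [SSL] USED:%{+Q}[ssl_c_used] VERIF:%{+Q}[ssl_c_verify] ERR:%{+Q}[ssl_c_err,x509_v_err_str] CAERR:%{+Q}[ssl_c_ca_err,x509_v_err_str] CADEPTH:%{+Q}[ssl_c_ca_err_depth] DN:%{+Q}[ssl_c_s_dn] ISSUER:%{+Q}[ssl_c_i_dn]"

    # Hosts that must only be reachable with a valid client certificate
    # (hypothetical SNI name; add one line per protected host).
    acl needs_client_cert ssl_fc_sni -i secure.example.com

    # A certificate must have been presented AND verified with no error.
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # Re-apply the rejection that the handshake no longer performs. Without
    # these rules, crt-ignore-err all would simply switch client auth off.
    http-request deny deny_status 403 if needs_client_cert !cert_presented
    http-request deny deny_status 403 if needs_client_cert !cert_valid

    # Hosts not listed in needs_client_cert keep the previous behaviour:
    # a client certificate is optional and its outcome is only logged.
```

Note that with `crt-ignore-err all`, a certificate that is revoked in crl1.pem or crl2.pem also passes the handshake; it is only the `cert_valid` ACL (which requires `ssl_c_verify` to be 0) that turns it away, so the deny rules are not optional once the ignore options are in place. Once the logged `ERR:` value shows which X509_V_ERR code the legitimate clients hit (unknown issuer, expired certificate, revoked, and so on), the `all` can be narrowed to that single error, or the missing authority can be added to trusted_ca.pem and the ignore options removed again.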