Channel: HAProxy community - Latest topics

"SSL client certificate not trusted" even with "ca-ignore-err all"

Hello!

In my setup, I want haproxy to accept mTLS connections, but not validate the client certificate chain at all. Instead, the client's certificate chain is validated in the backend (necessary because truststores are dynamic).

This is my bind configuration:

bind :8443 ssl crt-list /etc/haproxy/crt-list.txt ca-file /etc/haproxy/dummy-ca.crt verify optional no-ca-names ca-ignore-err all

The ca-file “/etc/haproxy/dummy-ca.crt” is, as the name suggests, a dummy/meaningless CA. I had to provide it, otherwise haproxy refuses to offer mTLS (“verify optional”).

I added “ca-ignore-err all” to hint haproxy to ignore the CA validation.

This setup works only when the received client certificate chain has at least 2 certificates. When the client certificate chain has only 1 certificate, haproxy refuses the connection with:

Client error: SSL routines:ST_OK:tlsv1 alert unknown ca, errno 0
Server log: SSL client certificate not trusted

It is interesting that, even if I provide a self-signed client certificate (which could be a totally valid trust setup), haproxy simply refuses it. On the other hand, if I provide a chain of 2 certificates, it always accepts it, even if the root CA is not part of the chain.

I believe this behavior is the result of some weird interaction with OpenSSL. Does anyone have any clue? This is unfortunately a major block to me given that clients might authenticate with 1) self-signed certificates or 2) presenting solely the leaf certificate of a chain composed by only 2 certificates, which is also a totally valid scenario assuming the backend trusts the CA, but haproxy would also reject the connection.

Thank you! Appreciate any help!

Haproxy version:

HAProxy version 3.2.4-98813a1 2025/08/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2030.
Known bugs: http://www.haproxy.org/bugs/bugs-3.2.4.html
Running on: Linux 6.6.87-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.6.87-0gl0~bp1592 (2025-04-17) x86_64
Build options :
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv
  OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
  DEBUG   =
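Added example, not part of the original post: the bind line from the question placed beside a corrected one, in a frontend/backend skeleton that is assumed for illustration (the frontend and backend names, the server address and the X-SSL-Client-* header names are all made up). The point it demonstrates is a documented HAProxy distinction: "ca-ignore-err" only suppresses verification errors raised at chain depth > 0 (the issuing CAs), while errors raised on the leaf itself at depth 0, such as a self-signed certificate or a lone leaf whose issuer is not in the ca-file, are governed by "crt-ignore-err". That matches the symptom described above: a 2-certificate chain fails at depth 1 and is ignored, a 1-certificate chain fails at depth 0 and is not. Both keywords accept either "all" or a comma-separated list of OpenSSL verify error IDs, so the depth-0 exemption can be narrowed to the specific errors expected instead of "all".

```haproxy
# Added example (not the original poster's full configuration).
# Frontend/backend names, server address and header names are assumed.

frontend mtls_in
    # Original line: a 1-certificate chain still fails, because its error is
    # raised at depth 0 and "ca-ignore-err" only covers depth > 0.
    # bind :8443 ssl crt-list /etc/haproxy/crt-list.txt ca-file /etc/haproxy/dummy-ca.crt verify optional no-ca-names ca-ignore-err all

    # Corrected: also exempt depth-0 errors, so the handshake completes and the
    # trust decision is left to the backend.
    bind :8443 ssl crt-list /etc/haproxy/crt-list.txt ca-file /etc/haproxy/dummy-ca.crt verify optional no-ca-names ca-ignore-err all crt-ignore-err all

    # These headers carry the trust decision inputs to the backend, so never
    # accept client-supplied copies: strip them before setting them.
    http-request del-header X-SSL-Client-Cert
    http-request del-header X-SSL-Client-Verify

    # Forward the client's leaf certificate (DER, base64) and the raw verify
    # result only when a client certificate was actually presented.
    http-request set-header X-SSL-Client-Cert   %[ssl_c_der,base64] if { ssl_c_used }
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]     if { ssl_c_used }

    default_backend app

backend app
    # Assumed application address; the application must validate the
    # certificate against its own (dynamic) truststore.
    server app1 127.0.0.1:8080
```

With every verify error ignored on the bind line, HAProxy only establishes that the client holds the private key for the certificate it presented; the X-SSL-Client-Verify value will be non-zero for these connections and must not be read by the backend as "trusted". The backend therefore has to perform chain validation itself, and the del-header lines are what stop a client from injecting its own values into those headers over a connection that presented no certificate.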
