Haproxy not presenting intermediate certificate

Hi

I am having a problem with one haproxy 3.2 instance. It is presenting only the leaf certificate to clients, rather than the leaf + intermediate certificate.

I am getting ‘incomplete chain’ warnings, and I would like to force haproxy sending the intermediate certificate together with the leaf certificate.

The certificate file contains:

• [ Private key ]
• [ Leaf certificate ]
• [ Intermediate certificate ]

openssl test (simulating client connection):

$ openssl s_client -showcerts -connect www.myorg.org:443 -servername www.myorg.org
CONNECTED(00000003)
depth=0 CN = www.myorg.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.myorg.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = www.myorg.org
verify return:1
---
Certificate chain
 0 s:CN = www.myorg.org
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr  3 00:00:00 2025 GMT; NotAfter: Apr  9 23:59:59 2026 GMT
-----BEGIN CERTIFICATE-----
MIIHJTCCBg2gAwIBAgIQDzJBDt6dB45B6e+/3xdzqjANBgkqhkiG9w0BAQsFADBg
(---snip---)
mq1q8NeH8G4b
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.myorg.org
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2671 bytes and written 395 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8E(--snip--)D7
    Session-ID-ctx: 
    Resumption PSK: 8C(--snip--)D8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ad d0 40 8e d9 09 29 ba-e8 fd 36 b5 93 72 05 ad   ..@...)...6..r..
(--snip--)
    0140 - ac a2 a5 7e 04 53 bd 17-06 84 b1 06 9d 62         ...~.S.......b

    Start Time: 1766049169
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2F(--snip--)FB
    Session-ID-ctx: 
    Resumption PSK: 5ED(--snip--)96D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - df 64 f2 d8 5b cc fc b0-f4 41 95 57 37 41 f9 d8   .d..[....A.W7A..
(--snip--)
    0140 - 7c 54 6e 19 eb eb e1 d7-ae 55 30 e8 f9 35         |Tn......U0..5

    Start Time: 1766049169
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Querying the certificate file contents via haproxy CLI API:

Filename: /etc/haproxy/certs/myorg.org_202605.pem
Crt filename: /etc/haproxy/certs/myorg.org_202605.pem
Key filename: /etc/haproxy/certs/myorg.org_202605.pem
OCSP filename: /etc/haproxy/certs/myorg.org_202605.pem.ocsp
SCTL filename: /etc/haproxy/certs/myorg.org_202605.pem.sctl
Status: Used
Serial: 0FC9942D8B2C5C83BC945ADDD6FE106F
notBefore: Apr  7 00:00:00 2025 GMT
notAfter: May  8 23:59:59 2026 GMT
Subject Alternative Name: DNS:www.myorg.org, DNS:myorg.org
Algorithm: RSA4096
SHA1 FingerPrint: 19E3ACBFF0F559E3A442EC37B15E50D1CE9B42CD
Subject: /CN=www.myorg.org
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
Chain Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
Chain Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
OCSP Response Key:

HAProxy version:

# haproxy -vvv
HAProxy version 3.2.9-1704369 2025/11/21 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2030.
Known bugs: http://www.haproxy.org/bugs/bugs-3.2.9.html
Running on: Linux 4.18.0-553.89.1.el8_10.x86_64 #1 SMP Fri Dec 12 10:42:53 UTC 2025 x86_64
Build options :
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv
  OPTIONS = USE_THREAD=1 USE_LINUX_TPROXY=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT +PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT +RT -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=1).
Built with SSL library version : OpenSSL 3.5.4 30 Sep 2025
Running on SSL library version : OpenSSL 3.5.4 30 Sep 2025
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
QUIC: connection socket-owner mode support : yes
QUIC: GSO emission support : no
Built with Lua version : Lua 5.4.7
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.42 2018-03-20
Running on PCRE version : 8.42 2018-03-20
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-28)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
       spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

haproxy is running on Alma Linux 8.

Any ideas?

1 post - 1 participant

Read full topic