Hello,
I have two haproxys, with configuration like:
frontend-haproxy:
global
    master-worker
    log stderr local1
defaults
    mode http
    log global
    option httpslog
frontend http-frontend
    bind 10.0.139.144:8080
    default_backend luke
backend luke
    server luke 10.0.139.144:21443 ssl verify required verifyhost 10.0.139.144 ca-file ca.pem crl-file crl.pem
backend-haproxy.cfg:
global
    master-worker
    log stderr local1
defaults
    log global
    mode http
    option httpslog
frontend https
    bind 10.0.139.144:21443 ssl crt bundle.pem alpn h2
The provided bundle verifies against the CA:
openssl verify -CAfile ca.pem bundle.pem
bundle.pem: OK
Also, when I use curl to access the backend-haproxy, it works well:
curl -v --cacert ca.pem https://10.0.139.144:21443/
* Trying 10.0.139.144:21443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
* CAfile: ca.pem
* CApath: /opt/slapgrid/shared/openssl-3.5/2f7e00a8b6299d8d384f8bcd1add06a4/etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: O=rapid-cdn 001 @ COMP-4338; OU=caddy-frontend-1; CN=10.0.139.144
* start date: Jan 14 14:03:59 2026 GMT
* expire date: Apr 17 14:03:59 2026 GMT
* issuer: CN=Caucase CAS at 10.0.139.144:8990
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* common name: 10.0.139.144 (matched)
* SSL certificate verified via OpenSSL.
* Established connection to 10.0.139.144 (10.0.139.144 port 21443) from 10.0.139.144 port 34492
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://10.0.139.144:21443/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 10.0.139.144:21443]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: 10.0.139.144:21443
> User-Agent: curl/8.17.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/2 503
< content-length: 107
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Connection #0 to host 10.0.139.144:21443 left intact
But when I access it from the frontend haproxy like:
curl http://10.0.139.144:8080/
Then the frontend haproxy logs:
00000003:http-frontend.accept(0005)=001e from [10.0.139.144:37720] ALPN=<none>
00000003:http-frontend.clireq[001e:ffffffff]: GET / HTTP/1.1
00000003:http-frontend.clihdr[001e:ffffffff]: host: 10.0.139.144:8080
00000003:http-frontend.clihdr[001e:ffffffff]: user-agent: curl/8.17.0
00000003:http-frontend.clihdr[001e:ffffffff]: accept: */*
[03|ssl|0|l_sock.c:5621] Other error
fd[0x1f] OpenSSL error[0xa000086] tls_post_process_server_certificate: certificate verify failed
[03|ssl|0|l_sock.c:5695] handshake error
[03|ssl|0|l_sock.c:5621] Other error
fd[0x1f] OpenSSL error[0xa000086] tls_post_process_server_certificate: certificate verify failed
[03|ssl|0|l_sock.c:5695] handshake error
[03|ssl|0|l_sock.c:5621] Other error
fd[0x1f] OpenSSL error[0xa000086] tls_post_process_server_certificate: certificate verify failed
[03|ssl|0|l_sock.c:5695] handshake error
[03|ssl|0|l_sock.c:5621] Other error
fd[0x1f] OpenSSL error[0xa000086] tls_post_process_server_certificate: certificate verify failed
[03|ssl|0|l_sock.c:5695] handshake error
00000003:luke.clicls[001e:001f]
00000003:luke.closed[001e:001f]
<142>Jan 26 13:53:43 haproxy[4147653]: 10.0.139.144:37720 [26/Jan/2026:13:53:40.642] http-frontend luke/luke 0/0/-1/-1/3028 503 217 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1" 0/-/-/-/0 -/-/-
And in the backend haproxy I have:
[07|ssl|0|l_sock.c:5621] Other error
fd[0x1e] OpenSSL error[0xa000418] ssl3_read_bytes: tlsv1 alert unknown ca
[07|ssl|0|l_sock.c:5695] handshake error
<142>Jan 26 13:53:40 haproxy[4147668]: 10.0.139.144:55692 [26/Jan/2026:13:53:40.643] https/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
[00|ssl|0|l_sock.c:5695] handshake error
<142>Jan 26 13:53:41 haproxy[4147668]: 10.0.139.144:55694 [26/Jan/2026:13:53:41.649] https/1: SSL handshake failure
[01|ssl|0|l_sock.c:5621] Other error
fd[0x1e] OpenSSL error[0xa000418] ssl3_read_bytes: tlsv1 alert unknown ca
[01|ssl|0|l_sock.c:5695] handshake error
<142>Jan 26 13:53:42 haproxy[4147668]: 10.0.139.144:55698 [26/Jan/2026:13:53:42.661] https/1: SSL handshake failure (error:0A000418:SSL routines::tlsv1 alert unknown ca)
[02|ssl|0|l_sock.c:5695] handshake error
<142>Jan 26 13:53:43 haproxy[4147668]: 10.0.139.144:33832 [26/Jan/2026:13:53:43.668] https/1: SSL handshake failure
My haproxy is:
HAProxy version 3.2.10-35a71a0 2025/12/18 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2030.
Known bugs: http://www.haproxy.org/bugs/bugs-3.2.10.html
Running on: Linux 6.1.0-42-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.159-1 (2025-12-30) x86_64
Build options :
TARGET = linux-glibc
CC = cc
CFLAGS = -O2 -m64 -fwrapv -fvect-cost-model=very-cheap
OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_DL=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE=1
DEBUG =
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB +ACME
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=8).
Built with SSL library version : OpenSSL 3.5.4 30 Sep 2025
Running on SSL library version : OpenSSL 3.5.4 30 Sep 2025
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
QUIC: connection socket-owner mode support : yes
QUIC: GSO emission support : yes
Built with Lua version : Lua 5.4.8
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with zlib version : 1.3.1
Running on zlib version : 1.3.1
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.45 2021-06-15
Running on PCRE version : 8.45 2021-06-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 12.2.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
           h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
    <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
           h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
         fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
    <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
         spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
    <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
         none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
I've started those with the options:
-d -V -dt -dD
in order to produce those logs.
Is it a haproxy problem? Did I make an obvious mistake?
My use case is to interconnect my various haproxys with certificates from our own CA.
Note: I used a certificate from letsencrypt in the backend haproxy, and I used @system-ca for verification in the frontend haproxy, but I got the same result.
Regards,
Łukasz
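The frontend's server line asks HAProxy to check the chain against ca-file, the CRL against crl-file and the peer identity against verifyhost, but neither the `openssl verify -CAfile` run nor the curl run in the post ever loads crl.pem. The following added shell example (not from the post; it generates its own throwaway CAs, leaf certificate and CRLs, so nothing in it is the poster's real PKI) reproduces all three checks with the openssl CLI so they can then be pointed at the real ca.pem, crl.pem and bundle.pem. It assumes `openssl` is on PATH and uses `-crl_check_all` as an approximation of HAProxy's crl-file handling.

```shell
#!/bin/sh
# Constructed demo: chain + CRL + IP identity checks for a server-side
# `verify required verifyhost <ip> ca-file ... crl-file ...` setup.
set -eu
WORK=$(mktemp -d); cd "$WORK"
SERVER_IP=10.0.139.144   # the IP the frontend is told to verify against
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal req config, no defaults needed

# make_ca NAME: self-signed CA plus an empty CRL it signs -> NAME.pem NAME.key NAME.crl
make_ca() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  touch "$1.idx"   # empty CA database: nothing revoked, the CRL is still signed and dated
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\ncertificate=%s.pem\nprivate_key=%s.key\ndefault_md=sha256\ndefault_crl_days=30\n' "$1" "$1" "$1" > "$1.cnf"
  openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}

# issue_leaf CA IP: server certificate for IP, bundled with its issuer like bundle.pem in the post
issue_leaf() {
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=$2" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$2" > leaf.ext   # IP identity lives in the SAN, not the CN
  openssl x509 -req -in leaf.csr -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
  cat leaf.pem "$1.pem" > bundle.pem
}

# verify_like_haproxy BUNDLE CA_FILE CRL_FILE IP: 0 only if chain, CRL and IP all check out
verify_like_haproxy() {
  openssl verify -CAfile "$2" -CRLfile "$3" -crl_check_all -untrusted "$1" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -checkip "$4" 2>/dev/null | grep -q "does match"
}

make_ca good-ca; make_ca other-ca
issue_leaf good-ca "$SERVER_IP"
verify_like_haproxy bundle.pem good-ca.pem good-ca.crl "$SERVER_IP" && echo "PASS: chain, CRL and IP all verify"
verify_like_haproxy bundle.pem good-ca.pem other-ca.crl "$SERVER_IP" || echo "FAIL: CRL not issued by the chain's CA (wrong crl-file)"
verify_like_haproxy bundle.pem good-ca.pem good-ca.crl 10.0.0.1 || echo "FAIL: IP not in certificate (wrong verifyhost)"
```

Running the same function against the real files (`verify_like_haproxy bundle.pem ca.pem crl.pem 10.0.139.144`) separates a chain problem from a CRL or identity problem, all of which OpenSSL reports to HAProxy as the same "certificate verify failed".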