HAproxy 1.5 Trusted CAs
I'm trying to get HAproxy 1.5.x to trust any certificate authority already in the trust store of the machine (/etc/ssl/certs
) without having to explicitly specify the individual ca-file
root authority certificate to be trusted. I want to avoid the scenario of a given backend server using a certificate issued by a different authority and causing an outage because that backend server is no longer trusted--despite the CA being in the machine trust store.
Within a given backend
section of the haproxy.cfg
file, the server
line has an option called ca-file
. This option instructs HAproxy to verify the authority of the backend's server certificate using the authority provided. The trouble is that this points to a single CA.
I found the ca-base
option. Unless I'm mistaken, this is only a shortcut to avoid having to specify the full path of the ca-file
at each declaration.
Solution 1:
I recently hit this issue in 1.5.6 where I was receiving the error message
verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
This was related to not specifying a ca-file, which you cannot specify at the default-server level (according to the docs). I likewise did not want to think about service disruption should the backend endpoint have their cert re-issued by another CA.
I solved by pointing to the combined CA certificates file that your linux distro packages and neatly maintains for you. On debian, this file is /etc/ssl/certs/ca-certificates.crt
, it's probably the same for you. (On RHEL7, check /etc/ssl/certs/ca-bundle.crt
)
global
ca-base /etc/ssl/cert # debian
frontend f1
use_backend b1
backend b1
server s1 something.com:443 ssl verify required ca-file ca-certificates.crt