HAproxy 1.5 Trusted CAs

I recently hit this issue in 1.5.6 where I was receiving the error message

verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.

This was related to not specifying a ca-file, which you cannot specify at the default-server level (according to the docs). I likewise did not want to think about service disruption should the backend endpoint have their cert re-issued by another CA.

I solved by pointing to the combined CA certificates file that your linux distro packages and neatly maintains for you. On debian, this file is /etc/ssl/certs/ca-certificates.crt, it's probably the same for you. (On RHEL7, check /etc/ssl/certs/ca-bundle.crt)

global
    ca-base /etc/ssl/cert # debian
frontend f1
    use_backend b1
backend b1
    server s1 something.com:443 ssl verify required ca-file ca-certificates.crt

HAproxy 1.5 Trusted CAs

Tags:

Ssl

Haproxy

Related

Recent Posts