HAproxy 1.5 Trusted CAs
I recently hit this issue in 1.5.6 where I was receiving the error message
verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.
This was related to not specifying a ca-file, which you cannot specify at the default-server level (according to the docs). I likewise did not want to think about service disruption should the backend endpoint have their cert re-issued by another CA.
I solved by pointing to the combined CA certificates file that your linux distro packages and neatly maintains for you. On debian, this file is
/etc/ssl/certs/ca-certificates.crt, it's probably the same for you. (On RHEL7, check
global ca-base /etc/ssl/cert # debian frontend f1 use_backend b1 backend b1 server s1 something.com:443 ssl verify required ca-file ca-certificates.crt