Haproxy appears do be issuing the wrong certificate

Question

I am trying to secure a domain with haproxy. When I load the URL: bitbucket.kl.company.com, I get the error:

bitbucket.kl.company.com uses an invalid security certificate.

This certificate is only valid for the following names:
*.company.com, company.com, bitbucket-mirror.company.com

Error Code: SSL_ERROR_BAD_CERT_DOMAIN

Now if I go onto the server and do the following:

 openssl x509 -text -noout -in /etc/haproxy/certs/cert.pem | grep DNS
                DNS:*.company.com, DNS:company.com, DNS:bitbucket.kl.company.com

I contacted Digicert who issue the certificates, and they said the server was issuing the wrong certificate.

In my haproxy.cfg I have:

frontend bitbucket_http_frontend
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers HIGH:!aNULL:!MD5
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend bitbucket_http_backend

This appears to be what is happening...

haproxy is issuing other certificates from within /etc/haproxy/certs

I didn't expect or ask it to do that, but that is the only conclusion that makes sense, unless there is a default location that it looks in first.

Answer 1

This was due to a stale haproxy process which had been started without 'systemctl', and had been running for 3 months. It was issuing certificates for a long since deleted pem file.

I thought there would have been a port clash or something but there was not. haproxy did not complain.