
I am trying to secure a domain with haproxy. When I load the URL: bitbucket.kl.company.com, I get the error:

bitbucket.kl.company.com uses an invalid security certificate.

This certificate is only valid for the following names:
*.company.com, company.com, bitbucket-mirror.company.com

Error Code: SSL_ERROR_BAD_CERT_DOMAIN

Now if I go onto the server and do the following:

 openssl x509 -text -noout -in /etc/haproxy/certs/cert.pem | grep DNS
                DNS:*.company.com, DNS:company.com, DNS:bitbucket.kl.company.com

I contacted Digicert who issue the certificates, and they said the server was issuing the wrong certificate.

In my haproxy.cfg I have:

frontend bitbucket_http_frontend
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/cert.pem ciphers HIGH:!aNULL:!MD5
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend bitbucket_http_backend

This appears to be what is happening...

haproxy is issuing other certificates from within /etc/haproxy/certs

I didn't expect or ask it to do that, but that is the only conclusion that makes sense, unless there is a default location that it looks in first.

eeijlar
  • You could also have made an error when you built cert.pem. `openssl x509` only reads the *first* cert in the file. Carve that file into individual certificates and examine each one individually. – Michael - sqlbot Sep 12 '17 at 02:31
  • This was helpful, thank you. It wasn't the reason why it didn't work, but it led me in the right direction – eeijlar Sep 12 '17 at 04:44

1 Answer


This was due to a stale haproxy process which had been started without `systemctl`, and had been running for 3 months. It was issuing certificates for a long-since-deleted PEM file.

I thought there would have been a port clash or something but there was not. haproxy did not complain.

eeijlar
  • When I found this answer, I realized there were many ways to confirm this. The `STARTTIME` column in `htop` for the main process is the same before the reload and after it. But at that point it's enough to just move all of the certificates to a different folder and see them still being issued after reload. – Paolo42 Dec 22 '20 at 21:59
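The two checks suggested on this page, carving the PEM bundle into individual certificates (Michael's comment on the question) and confirming what the listener on :443 actually presents and which process owns that port (the accepted answer), as one added diagnostic script. This is example code written for this page, not haproxy's or the asker's own; the PEM bundle embedded in it is constructed with fake bodies between real BEGIN/END markers purely to exercise the splitting logic, and the hostname, port and paths passed to the `served_sans` and `listeners_on` functions are placeholders you supply.

```shell
#!/bin/sh
# Constructed PEM bundle stand-in: the marker lines are real, the bodies are
# not real certificates (they only exercise the splitting logic below).
SAMPLE_BUNDLE="-----BEGIN CERTIFICATE-----
MIIBc2FtcGxlLWNlcnQtMQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBc2FtcGxlLWtleQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBc2FtcGxlLWNlcnQtMg==
-----END CERTIFICATE-----"

# Count the CERTIFICATE blocks in a PEM file. `openssl x509 -in bundle`
# only reads the first one, so a bundle can look correct while the leaf
# the server uses (or a stale copy elsewhere) carries different names.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Split a bundle into cert-1.pem, cert-2.pem, ... under $2, skipping
# private-key blocks, and print how many certificates were written.
split_certs() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                          { print > out }
        /^-----END CERTIFICATE-----$/   { inside = 0; close(out) }
        END                             { print n + 0 }
    ' "$bundle"
}

# Subject, validity and SANs of every split certificate. Needs openssl and
# real certificates, so it is not run against the constructed sample above.
show_sans() {
    for f in "$1"/cert-*.pem; do
        printf '== %s ==\n' "$f"
        openssl x509 -noout -subject -dates -in "$f"
        openssl x509 -noout -ext subjectAltName -in "$f"
    done
}

# SANs of the certificate the listener really presents for a given SNI name.
# If these differ from the SANs on disk, something other than the config you
# are editing is answering on that port (the stale haproxy in the answer).
served_sans() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

# Every process bound to the TLS port. More than one haproxy entry, or a
# PID that `systemctl status haproxy` does not list, points at a stale
# instance that a reload will never touch.
listeners_on() {
    ss -ltnp "sport = :${1:-443}"
}

# Offline demo of the bundle handling: `sh script.sh demo`
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BUNDLE" > "$tmp/cert.pem"
    echo "certificates in bundle: $(count_certs "$tmp/cert.pem")"
    echo "written by split: $(split_certs "$tmp/cert.pem" "$tmp/split")"
    ls "$tmp/split"
    rm -rf "$tmp"
fi
```

On a live host, run `show_sans` against the split of `/etc/haproxy/certs/cert.pem`, then `served_sans bitbucket.kl.company.com` and `listeners_on 443`; the names on disk matching the names served, and exactly one haproxy PID (the one systemd reports) owning :443, is the state the accepted answer restored by killing the stale process.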