Hello Martin,

> we have a strange situation with our HAProxy, running on Version 1.8.8 with
> OpenSSL.

Please share the output of haproxy -vv. Did you build openssl yourself or is this a distribution provided openssl lib? I am asking because build issues can lead to very strange behavior.

> server BACKEND1-server 10.1.1.1:443 check inter 30s verify required ssl
> verifyhost *.foo.bar

*.foo.bar is not a valid hostname. It is a valid wildcard representation in a cert's SAN, yes, but not a hostname. Use a real hostname for verifyhost instead, like www.foo.bar

Also, let's confirm the backend is really configured as per expectations, by running requests via curl from the haproxy box:

This should work:
curl -v --cacert /etc/haproxy/certs/backend-ca-certificates.crt --resolve www.foo.bar:443:10.1.1.1 https://www.foo.bar/

This should fail:
curl -v --cacert /etc/haproxy/certs/backend-ca-certificates.crt --resolve www.foo.fail:443:10.1.1.1 https://www.foo.fail/

cheers,
lukas
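
Added example, not part of the message above and not HAProxy's or OpenSSL's code: a simplified RFC 6125-style name check that shows why *.foo.bar is a pattern carried in a certificate's SAN and not a hostname to verify against. The function names and the sample SAN list are assumptions made for this illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid DNS hostname (no wildcard)."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(
        _LABEL.fullmatch(label) for label in name.split(".")
    )


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (may start with '*.') against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' stands for exactly one label, never several
    if p[0] == "*":
        # Simplification: only a whole-label wildcard in the left-most
        # position is accepted, with at least two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_host(reference: str, cert_sans: list[str]) -> str:
    """Classify a reference name (the value given to verifyhost) against SANs."""
    if not is_hostname(reference):
        return "invalid-reference"  # e.g. '*.foo.bar': a pattern, not a host
    if any(san_matches(san, reference) for san in cert_sans):
        return "match"
    return "mismatch"


# Constructed sample: SAN list of a backend certificate like the one discussed.
SANS = ["*.foo.bar"]

if __name__ == "__main__":
    for ref in ["www.foo.bar", "www.foo.fail", "a.b.foo.bar", "foo.bar", "*.foo.bar"]:
        print(f"{ref:15} -> {verify_host(ref, SANS)}")
```

The first two names correspond to the two curl requests above: www.foo.bar matches the wildcard SAN, www.foo.fail does not.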

