Ciao Marco, thanks for your help. We've found the problem: we also need the CRL from the ROOT CA on top of the file passed to the crl-file parameter, which already contains the intermediate CRL. But now we have another challenge, and we're going to lose this time, as already discussed in [1] and [2]. We proxy MQTT connections, and we can't afford a restart of haproxy every day to force haproxy to take the updated CRL... Any help?

Regards,
Domenico

[1] https://discourse.haproxy.org/t/crl-reload-and-long-life-tcp-connections/2645/2
[2] https://discourse.haproxy.org/t/ssl-termination-fails-when-crl-is-published/2336
On Sat, 18/04/2020 at 10.40 +0200, Marco Corte wrote:
> Hi!
> On 17/04/20 18:43, Davide Guarneri wrote:
> > crt /etc/haproxy/ssl/cert.pem ca-file /etc/haproxy/ssl/ca-chain.cert.pem verify required crl-file /etc/haproxy/ssl/intermediate.crl.pem
> I would verify how the certificates and the keys are placed in the
> files.
> /etc/haproxy/ssl/cert.pem must contain "both the required
> certificates and any associated private keys. [...] If your CA
> requires an intermediate certificate, this can also be concatenated
> into this file." (from HAProxy documentation)
> The client certificate is checked against the signature of the CAs
> defined in /etc/haproxy/ssl/ca-chain.cert.pem
> Moreover it is checked if the client certificate is listed in the
> certificate revocation list in /etc/haproxy/ssl/intermediate.crl.pem
> Hope this helps
> Ciao!
> .marcoc
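The root cause found above (a crl-file holding only the intermediate CRL while ca-file holds root and intermediate) can be caught before HAProxy is restarted; the shell check below is an added example, not code from the thread or from HAProxy. It assumes the openssl CLI, splits both PEM bundles with awk, and matches CRLs to CAs by issuer name only (HAProxy's paths from the thread are used in the usage line).

```shell
#!/bin/sh
# Check that the bundle passed to HAProxy's crl-file carries a CRL from every
# CA in ca-file (root *and* intermediate): each CA subject must appear as the
# issuer of some CRL. Assumes the openssl CLI; matches by issuer name only.
set -eu

# Split a PEM bundle into one block per "-----BEGIN <kind>-----" and print one
# name per block with the given openssl command (x509 -subject / crl -issuer).
pem_names() {  # $1=file $2=PEM kind $3..=openssl subcommand and options
  file=$1; kind=$2; shift 2
  dir=$(mktemp -d)
  awk -v k="$kind" -v d="$dir" '
    $0 == "-----BEGIN " k "-----" { n++; out = d "/" n ".pem" }
    out != "" { print > out }
    $0 == "-----END " k "-----"   { close(out); out = "" }
  ' "$file"
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    # RFC2253 makes x509 and crl print names the same way; strip "subject="/"issuer="
    openssl "$@" -nameopt RFC2253 -in "$f" | sed 's/^[^=]*=//'
  done
  rm -rf "$dir"
}

# Print "ok"/"MISSING" per CA; return 1 if any CA has no CRL, which is the
# state (intermediate CRL only) that made HAProxy reject every client cert.
check_crl_coverage() {  # $1=ca-file $2=crl-file
  ca_subjects=$(pem_names "$1" CERTIFICATE x509 -noout -subject)
  crl_issuers=$(pem_names "$2" "X509 CRL" crl -noout -issuer)
  missing=0
  old_ifs=$IFS; IFS='
'
  for subj in $ca_subjects; do
    if printf '%s\n' "$crl_issuers" | grep -Fxq -- "$subj"; then
      printf 'ok      %s\n' "$subj"
    else
      printf 'MISSING %s\n' "$subj"; missing=$((missing + 1))
    fi
  done
  IFS=$old_ifs
  [ "$missing" -eq 0 ]
}

# Paths from the thread; the crl-file must hold intermediate AND root CRLs.
if [ "$#" -eq 2 ]; then
  check_crl_coverage "$1" "$2"
else
  echo "usage: $0 /etc/haproxy/ssl/ca-chain.cert.pem /etc/haproxy/ssl/intermediate.crl.pem"
fi
```

A non-zero exit means at least one CA in ca-file has no CRL in crl-file, the condition under which OpenSSL (and so HAProxy with verify required) fails every client handshake.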