On 7/8/22 03:30, William Lallemand wrote:
> HAProxy uses the ca-certificates provided by OpenSSL.
> The SSL_CERT_DIR by default is set to the "certs" directory inside your
> openssldir. You can check your openssldir by using the "openssl" binary
> you compiled with your library (not the one of your distribution).
>
>    $ openssl version -d
>    OPENSSLDIR: "/usr/lib/ssl"
>
> So you might want to set the SSL_CERT_DIR environment variable before
> starting HAProxy or doing a symlink from your openssldir to the real
> path of your ca-certificates ( /etc/ssl/certs ? )
>
> This warning is emitted when trying to load the ca-certificates into the
> httpclient at startup with an empty directory. (Which is not supposed to
> happen on the openssl build of your distribution)


The openssl that haproxy is compiled against is in /opt/quictls/ssl ... but there is a distribution-provided openssl package in /usr/lib/ssl as well.  Both locations contain "certs".

Setting either environment variable that you have mentioned does not eliminate the warning.

root@bilbo:~# SSL_CERT_DIR=/opt/quictls/ssl/certs haproxy -c -f /etc/haproxy/haproxy.cfg
[NOTICE]   (2379692) : haproxy version is 2.6.1
[NOTICE]   (2379692) : path to executable is /usr/local/sbin/haproxy
[WARNING]  (2379692) : config : ca-file: 0 CA were loaded from '@system-ca'
Warnings were found.
Configuration file is valid
root@bilbo:~# OPENSSLDIR=/opt/quictls/ssl haproxy -c -f /etc/haproxy/haproxy.cfg
[NOTICE]   (2379701) : haproxy version is 2.6.1
[NOTICE]   (2379701) : path to executable is /usr/local/sbin/haproxy
[WARNING]  (2379701) : config : ca-file: 0 CA were loaded from '@system-ca'
Warnings were found.
Configuration file is valid

My setup has no need to verify certificates, so the warning doesn't actually matter for me.  But it could be a problem for someone else.

I did figure out the correct way to run the "version -d" command you mentioned on the quictls install:

elyograg@smeagol:~$ LD_LIBRARY_PATH=/opt/quictls/lib64 /opt/quictls/bin/openssl version -d
OPENSSLDIR: "/opt/quictls/ssl"

My install does quic/http3 correctly, so I know it is finding and using quictls.

Thanks,
Shawn
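An added example, not part of this thread or of HAProxy, of the check the thread walks through as a script: it parses `openssl version -d` from the build HAProxy was linked against (the /opt/quictls paths are the ones from this thread; the LD_LIBRARY_PATH trick is from Shawn's message), applies the SSL_CERT_DIR-else-openssldir/certs rule William describes, and counts certificates in the resulting directory, which is what the "0 CA were loaded" warning is about. The `--run` flag and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example: find the CA directory the HAProxy-linked OpenSSL will use
# and check it is not empty. Assumes the "OPENSSLDIR: "/path"" output format.

# Extract the directory from a line like: OPENSSLDIR: "/opt/quictls/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Resolve the CA directory as described in the thread: SSL_CERT_DIR wins,
# otherwise "<openssldir>/certs".  $1 = openssldir, $2 = SSL_CERT_DIR (may be empty).
resolve_ca_dir() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s/certs\n' "$1"
    fi
}

# Count files holding a PEM certificate in a directory. A missing or empty
# directory gives 0, which is the situation behind the '@system-ca' warning.
# (OpenSSL additionally needs the c_rehash-style <hash>.<n> names to find
# them; this only checks that certificates are present at all.)
count_ca_certs() {
    dir=$1
    n=0
    [ -d "$dir" ] || { echo 0; return; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Run against a real install: use the openssl binary built with the library
# HAProxy links against, with that library's own lib dir (paths from the thread).
check_haproxy_ca_dir() {
    bin=${1:-/opt/quictls/bin/openssl}
    libdir=${2:-/opt/quictls/lib64}
    out=$(LD_LIBRARY_PATH="$libdir" "$bin" version -d 2>/dev/null) || return 1
    openssldir=$(parse_openssldir "$out")
    cadir=$(resolve_ca_dir "$openssldir" "${SSL_CERT_DIR:-}")
    echo "CA directory: $cadir ($(count_ca_certs "$cadir") certificates)"
}

if [ "${1:-}" = "--run" ]; then
    check_haproxy_ca_dir "${2:-}" "${3:-}"
fi
```

Run it as `sh check_ca_dir.sh --run` (optionally with the openssl binary and lib directory as the next two arguments); a count of 0 means HAProxy will emit the same warning, and either SSL_CERT_DIR or a symlink to the populated certs directory is the fix.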

