On Fri, Jul 08, 2022 at 09:11:02AM -0600, Shawn Heisey wrote:
> The openssl that haproxy is compiled against is in /opt/quictls/ssl ...
> but there is a distribution-provided openssl package in /usr/lib/ssl as
> well. Both locations contain "certs".
>

But are there any certificates in the /opt/quictls/ssl/certs/ directory?

> Setting either environment variable that you have mentioned does not
> eliminate the warning.

It should already be set to /opt/quictls/ssl/certs/, if you specified the
openssldir at /opt/quictls/ssl/ during the build of your library.

> root@bilbo:~# SSL_CERT_DIR=/opt/quictls/ssl/certs haproxy -c -f /etc/haproxy/haproxy.cfg
> [NOTICE]   (2379692) : haproxy version is 2.6.1
> [NOTICE]   (2379692) : path to executable is /usr/local/sbin/haproxy
> [WARNING]  (2379692) : config : ca-file: 0 CA were loaded from '@system-ca'
> Warnings were found.
> Configuration file is valid
> root@bilbo:~# OPENSSLDIR=/opt/quictls/ssl haproxy -c -f /etc/haproxy/haproxy.cfg
> [NOTICE]   (2379701) : haproxy version is 2.6.1
> [NOTICE]   (2379701) : path to executable is /usr/local/sbin/haproxy
> [WARNING]  (2379701) : config : ca-file: 0 CA were loaded from '@system-ca'
> Warnings were found.
> Configuration file is valid
>
> My setup has no need to verify certificates, so the warning doesn't
> actually matter for me. But it could be a problem for someone else.
>

In fact there is a warning because you might want to use the httpclient at
runtime, and the httpclient is using the CAs, so they are loaded at startup.
I suppose you don't have anything in this directory, or it failed to load for
some reason, and this could be a bug we need to fix. The message should have
been about the httpclient; I'll look into this to clarify it.

> I did figure out the correct way to run the "version -d" command you
> mentioned on the quictls install:
>
> elyograg@smeagol:~$ LD_LIBRARY_PATH=/opt/quictls/lib64 /opt/quictls/bin/openssl version -d
> OPENSSLDIR: "/opt/quictls/ssl"

You had to use LD_LIBRARY_PATH because you didn't use the rpath when
compiling; this is necessary if you don't install the library in /usr/lib/.
You only need to add -Wl,-rpath=/opt/quictls/lib64 to your ./config line.

https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs

> My install does quic/http3 correctly, so I know it is finding and using
> quictls.
>

Ok, you can always check with ldd if you have some doubts.

-- 
William Lallemand
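The two checks the reply points at (ldd to see which libssl haproxy is linked against, then that library's own `openssl version -d`, run with LD_LIBRARY_PATH when the build has no rpath) can be put together into one diagnostic, extended with a count of what is actually in the resulting certs/ directory, since an empty or un-rehashed directory is the first thing to rule out when 0 CAs load. This is an added example for this thread, not code from either participant or from the haproxy or quictls projects; the ldd output, the 81.3 soname, the hostnames and the directory layout in the samples are constructed for illustration, and /usr/local/sbin/haproxy is only the path that appears in the quoted output.

```sh
#!/bin/sh
# Added example (not from the original thread): find out which libssl a
# haproxy binary is linked against and whether that library's OPENSSLDIR
# actually provides any CA certificates. Sample outputs are constructed.

# Extract the libssl path from `ldd` output, which prints lines such as
#   libssl.so.81.3 => /opt/quictls/lib64/libssl.so.81.3 (0x00007f...)
# Reads stdin so it accepts real ldd output or a sample. "not found"
# lines are skipped so a missing library yields an empty result.
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" && $3 != "not" { print $3; exit }'
}

# Extract the directory from `openssl version -d`, which prints
#   OPENSSLDIR: "/opt/quictls/ssl"
openssldir_from_version() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count what a certs/ directory offers as CAs: PEM files plus the
# c_rehash-style hash links (8 hex digits, dot, number) that OpenSSL looks
# up when the directory is used as a CA path. Prints 0 for a missing dir.
count_ca_entries() {
    dir="$1"
    n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *.pem|*.crt) n=$((n + 1)) ;;
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Real check against a haproxy binary. Derives the install prefix from the
# linked libssl (/opt/quictls/lib64 -> /opt/quictls) and runs that prefix's
# own openssl with LD_LIBRARY_PATH pointing at its lib dir, as in the thread,
# so a build without -Wl,-rpath still loads the right libcrypto.
check_haproxy_ssl() {
    bin="$1"
    lib=$(ldd "$bin" | libssl_from_ldd)
    if [ -z "$lib" ]; then
        echo "no dynamically linked libssl in $bin (static build, or not found)"
        return 1
    fi
    libdir=$(dirname "$lib")
    prefix=$(dirname "$libdir")
    ossl="$prefix/bin/openssl"
    [ -x "$ossl" ] || ossl=openssl   # distro library: fall back to PATH
    dir=$(LD_LIBRARY_PATH="$libdir" "$ossl" version -d | openssldir_from_version)
    echo "libssl:     $lib"
    echo "OPENSSLDIR: $dir"
    echo "CA entries in $dir/certs: $(count_ca_entries "$dir/certs")"
}

# Constructed sample, standing in for `ldd /usr/local/sbin/haproxy` on a
# quictls build (quictls installs its libraries with the 81.3 soname).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd3a9f1000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f0a1c3c0000)
	libssl.so.81.3 => /opt/quictls/lib64/libssl.so.81.3 (0x00007f0a1c2a0000)
	libcrypto.so.81.3 => /opt/quictls/lib64/libcrypto.so.81.3 (0x00007f0a1be00000)'

# Constructed sample, standing in for `openssl version -d`.
SAMPLE_VERSION='OPENSSLDIR: "/opt/quictls/ssl"'

if [ -n "${1:-}" ]; then
    check_haproxy_ssl "$1"          # usage: ./check.sh /usr/local/sbin/haproxy
else
    # No binary given: show the parsing on the constructed samples.
    printf '%s\n' "$SAMPLE_LDD" | libssl_from_ldd
    printf '%s\n' "$SAMPLE_VERSION" | openssldir_from_version
fi
```

Run it with the path to the haproxy binary; if the reported OPENSSLDIR is the quictls one and the count for its certs/ is 0, that directory is simply empty (a fresh `./config --openssldir=...; make install` installs no CA bundle), which is consistent with the "0 CA were loaded" warning regardless of the environment variables tried in the thread.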