Hi Lukas,
The /opt/etc/ca.d directory is on a local file system on both platforms, with
the same permissions.
Below is a snapshot of the strace output: the 1st block shows the error when
loading ca-file from a directory, and the 2nd block shows no error when loading
ca-file from a file:
open("/opt/etc/ca.d/", O_RDONLY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aad6e255000
read(3, 0x2aad6e255000, 4096) = -1 EISDIR (Is a directory)
close(3) = 0
munmap(0x2aad6e255000, 4096) = 0
write(2, "[ALERT] 179/020423 (2993) : ", 28[ALERT] 179/020423 (2993) : ) = 28
write(2, "Proxy 'SFARM-SSL-PROXY', server 'RE"..., 104Proxy 'SFARM-SSL-PROXY', server 'REMOTE' [../conf/haproxy.cfg:34] unable to load CA file '/opt/etc/ca.d/'.
) = 104
open("/opt/etc/ca.d/ca.crt", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1220, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aad6e255000
read(3, "-----BEGIN CERTIFICATE-----\r\nMII"..., 4096) = 1220
read(3, "", 4096) = 0
close(3) = 0
munmap(0x2aad6e255000, 4096) = 0
I will rebuild HAProxy to 1.5.1 and see if it helps.
Thanks
Diana
From: Lukas Tribus <[email protected]>
Date: Saturday, June 28, 2014 3:52 AM
To: Microsoft Office User <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: backend server ca-file load from directory not working
Hi Diana,
The ca-file loading from directory failed in 2.6.18 system with this
message during startup:
unable to load CA file '/opt/etc/ca.d/'.
It seems to me the HAProxy in this system doesn't support directory
loading ca-file?
However, in 2.6.32 system the HAProxy started up successfully.
Here are a few suggestions:
- double check filesystem permissions
- check if both filesystems are local or if they are remote (e.g. NFS)
- upgrade both haproxy instances to latest stable 1.5.1 (dev21 is unstable)
If that doesn't help, then please run haproxy through strace (for example):
$ strace haproxy -f /etc/haproxy.cfg
And post the outputs when it fails.
Does directory load for ca-file only work if HAProxy is built with
TARGET=linux2628 ?
No, that doesn't matter, the TARGET directive enables or disables certain
kernel assisted features, but none of it matters for SSL or filesystem
access.
Regards,
Lukas
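
The second strace block above shows a single PEM file being read cleanly where the directory path fails with EISDIR, so one workaround is to merge the directory's certificates into one bundle and point ca-file at that file. The following is an added example, not part of the original thread or of HAProxy; build_ca_bundle and the bundle path are hypothetical names, and it checks only PEM framing and base64, not X.509 validity.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def build_ca_bundle(ca_dir, bundle_path):
    """Merge every PEM certificate under ca_dir into one file; return the count."""
    seen, out = set(), []
    for path in sorted(Path(ca_dir).iterdir()):
        if not path.is_file():
            continue  # skip subdirectories; read() on one fails with EISDIR
        text = path.read_bytes().decode("ascii", errors="replace")
        for body in PEM_RE.findall(text):
            b64 = "".join(body.split())  # drops CRLF and any other whitespace
            try:
                der = base64.b64decode(b64, validate=True)
            except ValueError as exc:
                raise ValueError(f"{path}: corrupt PEM body") from exc
            digest = hashlib.sha256(der).hexdigest()
            if digest in seen:
                continue  # same certificate present in more than one file
            seen.add(digest)
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            out.append("\n".join(
                ["-----BEGIN CERTIFICATE-----", *lines,
                 "-----END CERTIFICATE-----"]))
    if not out:
        raise ValueError(f"no PEM certificates found in {ca_dir}")
    Path(bundle_path).write_text("\n".join(out) + "\n", encoding="ascii")
    return len(out)


if __name__ == "__main__":
    # Hypothetical invocation:
    #   python3 build_ca_bundle.py /opt/etc/ca.d /opt/etc/ca-bundle.pem
    print(build_ca_bundle(sys.argv[1], sys.argv[2]), "certificates written")
```

Write the bundle outside the source directory, or rely on the de-duplication step if it is re-run in place.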