Hi Lukas,

I did a strace on WORKING platform and noticed HAProxy v1.5.dev21 ignores 
"ca-file /opt/etc/ca.d/" in the backend server line if "verify required" is not 
enabled.  I think that is the reason why there is no error during startup.  
When I enabled "verify required ca-file /opt/etc/ca.d/" in the backend server 
line, it throws the same error as in HAProxy v1.5.0 platform:

[ALERT] 179/122107 (31559) : Proxy 'SFARM-SSL-PROXY', server 'REMOTE' [haproxy.cfg:34] unable to load CA file '/opt/etc/ca.d/'.

In HAProxy v1.5.0 platform, it throws the above error regardless of whether 
"verify required" is enabled or not.

Thanks for the advice.  I will enable "verify required ca-file ..." in both 
platforms and load ca-file from a file instead of a directory.

Regards,
Diana


From: Lukas Tribus <[email protected]>
Date: Sunday, June 29, 2014 3:06 AM
To: Microsoft Office User <[email protected]>
Cc: [email protected]
Subject: RE: backend server ca-file load from directory not working

Hi,


Below is the snapshot of strace output, 1st block showing error if
loading ca-file from directory and 2nd block showing no error if
loading ca-file from a file:

I think ca-file doesn't support directories, only the crt option
supports directories.

If you need to specify a CA (to authenticate SSL clients) you need
to point directly to the file.

If on the other hand you just need the CA file to send towards
the client as an intermediate certificate, so that the client can
authenticate the final certificate, just point to the directory
with the crt keyword.


Also read:
ca-file doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ca-file%20%28Bind%20options%29

crt doc:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt


Since you didn't configure any verify keywords on the bind line,
I suspect you don't want to do any client SSL authentication at all
and replacing "ca-file" with "crt" on the bind line will achieve
what you need.




Regards,

Lukas
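The configuration below is an added example written for this thread, not a snippet posted by Diana or Lukas. It puts the broken form (a directory handed to ca-file on the server line) next to the form the thread settles on (verify required with ca-file pointing at a single bundle file), and shows crt on the bind line taking a directory, which is the only place HAProxy 1.5 accepts one. The backend name SFARM-SSL-PROXY, the server name REMOTE and the /opt/etc/ca.d/ path come from the error message in the thread; the frontend name, the bundle file name, the certificate directory and the upstream hostname are assumptions. One caveat worth knowing when comparing the two platforms: in 1.5.0 the global ssl-server-verify setting defaults to required, so a server line with ca-file but no explicit verify keyword is verified anyway, which is why the CA file gets loaded (and fails) there even without "verify required".

```haproxy
# Added example, not from the thread. Assumed: the frontend name, the bundle
# file name, /opt/etc/certs/ and backend.example.internal.
# Build the bundle once from the directory you already have, e.g.
#   cat /opt/etc/ca.d/*.pem > /opt/etc/ca.d/bundle.pem
# then check the whole file before reloading:
#   haproxy -c -f /etc/haproxy/haproxy.cfg

frontend SFARM-SSL-FRONTEND
    # crt accepts a directory: every PEM in it (private key + certificate,
    # with any intermediate chain appended) is loaded as a server certificate.
    bind *:443 ssl crt /opt/etc/certs/
    # Only if clients must present certificates: ca-file is a single file,
    # and it is only consulted when verify is enabled on the same line.
    # bind *:443 ssl crt /opt/etc/certs/ ca-file /opt/etc/ca.d/bundle.pem verify required
    default_backend SFARM-SSL-PROXY

backend SFARM-SSL-PROXY
    # Broken: a directory is not a CA file. On 1.5-dev21 this is silently
    # ignored as long as verify is not set; on 1.5.0 (ssl-server-verify
    # defaults to required) startup fails with "unable to load CA file".
    # server REMOTE backend.example.internal:443 ssl ca-file /opt/etc/ca.d/

    # Working: verify the upstream certificate against one bundle file.
    server REMOTE backend.example.internal:443 ssl verify required ca-file /opt/etc/ca.d/bundle.pem
```

Keeping verify required explicit on the server line, rather than relying on the global default, makes the intent visible in the config and gives the same behaviour on both the dev21 and 1.5.0 platforms.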

