Thank you for the support, we have fixed our issues. 
Ha. 
----- Original Message -----

From: "Peter Butler" <[email protected]> 
To: [email protected] 
Sent: Sunday, March 22, 2015 1:15:07 AM 
Subject: Re: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard 

Forgot to CC the mailing list. 

Thanks Cyril. 

> Date: Fri, 20 Mar 2015 00:47:53 +0100 
> From: [email protected] 
> To: [email protected]; [email protected] 
> Subject: Re: HAProxy with multiple certificates, one of which being wild 
> card, and the other being sub of that wildcard 
> 
> Hi Peter, 
> 
> Le 20/03/2015 00:32, Peter Butler a écrit : 
> > I logged this on stackoverflow 
> > (http://stackoverflow.com/questions/29133477/haproxy-with-multiple-certificates-one-of-which-being-wild-card-and-the-other),
> >  
> > but HAProxy usage there is pretty low. 
> > 
> > This is my first mailing list email in years, please let me know if I 
> > have broken any rules. 
> > 
> > 
> > I have HAProxy working pretty well, I have port 80 and 443 open, TCP 
> > over 443 over an internal proxy. HTTPS end to end. I am serving 
> > certificates: *.mycompany.com.au www.secure.mycompany.com.au 
> > SNI does not seem to be working, as when I go to 
> > secure.mycompany.com.au, I keep getting the www.secure.mycompany.com.au 
> > certificate (and weirdly *most* browsers do not throw an error). But when 
> > I go to mail.mycompany.com.au I get the *.mycompany.com.au certificate 
> > correctly. 
> 
> Indeed, keep in mind that a wildcard certificate works only for 
> subdomains, not sub-subdomains. 

This is fine, and as mentioned it's working great for my other wildcard certs, 
but the difference is they do not have a specific sub-which-is-the-same-as-a-wildcard.mycompany.com.au 

(I believe the bold part is my issue here.) 

> 
> So www.secure.mycompany.com.au won't match the "*.mycompany.com.au" 
> wildcard certificate. As no certificate matches the hostname, the first 
> one loaded is applied. I guess that in your SSL directory, the 
> certificate file for "secure.mycompany.com.au" is listed first. 


I have tried this change already, by renaming them alphabetically. Didn't make 
any difference. 


> 
> You can read the RFC 2818, chapter "3.1. Server Identity" for more details: 
> http://tools.ietf.org/html/rfc2818#section-3.1 
> 

I think my issue is here, from your link: 
E.g., *.a.com matches foo.a.com but not bar.foo.a.com 

In my case I have a cert for both: 
*.a.com.au 
and 
bar.foo.a.com.au 
> 
> > If I remove the www.secure.mycompany.com.au cert from the SSL directory, 
> > and I browse to secure.mycompany.com.au I get the correct certificate, 
> > but of course when I go to www.secure.mycompany.com.au, I get an error on 
> > the browser, as it tries to give me *.mycompany.com.au certificate. 
> 
> It tends to confirm this : the wildcard still doesn't match, and the 
> first certificate is applied (which in this case is by chance the 
> wildcard). If you insert a fake certificate before the wildcard, I'm sure 
> it will be this one that will match. 
> 
> > Can anyone see what I am doing wrong please. 
> > 
> > By the way, I also have a *.abc.def.mycompany.com.au and 
> > *.def.mycompany.com.au in this same config (removed from below, but in same 
> > syntax), and they are working perfectly. 
> > 
> > haproxy -version 
> > HA-Proxy version 1.5.8 2014/10/31 
> > Copyright 2000-2014 Willy Tarreau <[email protected]> 
> > 
> > ################################################################################## 
> > 
> > global 
> > daemon 
> > user haproxy 
> > group haproxy 
> > log /dev/log local0 info 
> > log /dev/log local0 notice 
> > ulimit-n 20000 
> > pidfile /var/run/haproxy.pid 
> > tune.ssl.default-dh-param 2048 
> > 
> > ##################################################################################
> >  
> > 
> > ## Port80 is open only to forward all requests to port 443. 
> > frontend unsecure 123.123.123.155:80 #Prod 
> > bind 192.168.14.155:80 #Prod 
> > mode http 
> > redirect scheme https code 301 if !{ ssl_fc } 
> > 
> > ##################################################################################
> >  
> > 
> > ## Listen on 443, and forward to internal proxy on 88. Needed for SSL end to end. 
> > listen ssl-proxy 
> > ## Only accept mycompany host headers 
> > http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au } 
> > 
> > # Get Certificates from SSL directory. 
> > bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3 
> > bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3 
> > 
> > mode tcp 
> > server http 127.0.0.1:88 send-proxy 
> > 
> > ##################################################################################
> >  
> > 
> > frontend internal_proxy 
> > mode http 
> > bind 127.0.0.1:88 accept-proxy name accept-sslproxy 
> > bind-process 1 
> > 
> > acl is_secure_mycompany_com_au hdr_end(host) -i www.secure.mycompany.com.au 
> > acl is_secure_mycompany_com_au hdr_end(host) -i secure.mycompany.com.au 
> > use_backend https_secure_mycompany_com_au if is_secure_mycompany_com_au 
> > 
> > acl is_mail_mycompany_com_au hdr_end(host) -i mail.mycompany.com.au 
> > use_backend https_mail_mycompany_com_au if is_mail_mycompany_com_au 
> > 
> > default_backend nomatch 
> > 
> > ##################################################################################
> >  
> > backend https_secure_mycompany_com_au 
> > mode http 
> > option tcp-check 
> > server web-01 192.168.14.50:443 check ssl verify none 
> > 
> > backend https_mail_mycompany_com_au 
> > mode http 
> > option tcp-check 
> > server web-02 192.168.14.51:443 check ssl verify none 
> > 
> > backend nomatch 
> > mode http 
> > errorfile 503 /etc/haproxy/errors/503.http 
> > 
> > ################################################################################## 
> > 
> > By the way, on the backend I just redirect all 
> > www.secure.mycompany.com.au to secure.mycompany.com.au (it was an old 
> > marketing mistake). But I still need it there for now for history. 
> > 
> 
> 
> -- 
> Cyril Bonté 
> 

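An added example, not code from this thread and not HAProxy's own lookup code: it applies the RFC 2818 section 3.1 wildcard rule Cyril points to, against the hostnames discussed above, and models the selection he describes (the first loaded certificate whose name matches the SNI is served; if none matches, the first loaded certificate is). The certificate list, its file names and its load order are constructed for the example; the assumption that the www.secure certificate is loaded first is Cyril's guess, not something the thread confirms. Real HAProxy also matches on subjectAltName entries and has its own default-certificate rules, which this model does not reproduce.

```python
import re

# RFC 2818 section 3.1: '*' matches any single domain name component or a
# fragment of one, so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com',
# and 'f*.com' matches 'foo.com' but not 'bar.com'.
def cert_name_matches(pattern: str, hostname: str) -> bool:
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard never spans a dot, so the label counts must be equal.
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            # Each '*' may stand for any run of non-dot characters in this label.
            regex = "^" + "[^.]*".join(re.escape(part) for part in p.split("*")) + "$"
            if re.match(regex, h) is None:
                return False
        elif p != h:
            return False
    return True


# Constructed stand-in for the files HAProxy would load from the crt directory,
# in load order (assumption: the www.secure certificate happens to load first).
LOADED_CERTS = [
    {"file": "www.secure.mycompany.com.au.pem", "names": ["www.secure.mycompany.com.au"]},
    {"file": "wildcard.mycompany.com.au.pem", "names": ["*.mycompany.com.au"]},
]


def select_certificate(loaded_certs, sni: str) -> str:
    """Model of the selection described in the thread: the first loaded
    certificate with a matching name is served; if none matches, the first
    loaded certificate is served as the fallback."""
    for cert in loaded_certs:
        if any(cert_name_matches(name, sni) for name in cert["names"]):
            return cert["file"]
    return loaded_certs[0]["file"]


def hosts_served_default_cert(loaded_certs, hostnames) -> list:
    """Hostnames that no loaded certificate covers and that would therefore get
    the fallback certificate, i.e. a name mismatch warning in the browser."""
    return [
        h for h in hostnames
        if not any(cert_name_matches(n, h) for c in loaded_certs for n in c["names"])
    ]


if __name__ == "__main__":
    for host in ("mail.mycompany.com.au", "secure.mycompany.com.au",
                 "www.secure.mycompany.com.au"):
        print(f"{host:30} -> {select_certificate(LOADED_CERTS, host)}")
    # With the www.secure certificate removed from the directory, as in Peter's test:
    print(hosts_served_default_cert(LOADED_CERTS[1:], ["www.secure.mycompany.com.au"]))
```

Under the RFC rule the wildcard covers mail.mycompany.com.au and secure.mycompany.com.au but not www.secure.mycompany.com.au, which has one label too many; www.secure is only served correctly while its own certificate is present, and once that file is removed it falls through to the fallback certificate, which is the browser error Peter describes. `hosts_served_default_cert` is the check worth running over a crt directory before deploying: every hostname it returns will be served a certificate that does not match.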