Have you checked the time/date on the Haproxy host? If they are wrong, the certificate might look bad from HAProxy’s point of view.
Daniel -- Daniel Schneller Infrastructure Architect / Developer CenterDevice GmbH > On 23.04.2015, at 10:00, [email protected] wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Hi! > > I'm having trouble with one of our HAProxy-Servers that uses a backend with > TLS. When starting HAProxy the backend will report all servers as down: > >> Server web_remote/apache_rem_1 is DOWN, reason: Layer6 invalid response, >> info: "SSL handshake failure", check duration: 41ms. 1 active and 0 backup >> servers left. 0 sessions active, 0 requeued, 0 remaining in queue. > > > My backend configuration is as follows: > > backend web_remote > balance leastconn > option httpchk HEAD / > option redispatch > retries 3 > > default-server inter 5000 rise 2 fall 5 maxconn 10000 maxqueue 50000 > > server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue > 5000 ssl ca-file /etc/ssl/web.pem > server apache_rem_2 2001:1:2:3:4:5:6:8:12345 check maxconn 1000 maxqueue > 5000 ssl ca-file /etc/ssl/web.pem > > > This backend worked just fine until now, a quick wget on the server also > worked and openssl s_client reports the certificate of the backend to be > valid. > > I couldn't find anything on the list except that the error would be due to > SSL_ABORT, but I'm not sure what this is supposed to tell me... > > Is there anything else for HAProxy/TLS that could be configured wrong? How > could I debug this issue when everything else reports the handshake was > successful? > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQIcBAEBCAAGBQJVOKYDAAoJEJGDW18KFrBD7p4P/05tlwkxRUJwVoI3Tl1Q3+xI > upIcN9MfTHPpA6ilVkT2S43HxyZ7RYgYGRs6LEcipLJOhGSxIHcPgGZKwsMJK8NO > cldP20A0SoRvkUsro1UWOj/iqAsxg+j6IYNxuBJUb5i2yG6KFlp/PupJJI1QDUov > NzyfjqIh9iSgRA6j3jJSYUDLg5KM3Frl8O0GQysztxF8fihambx8vYjlEkIyrrtc > obmRN3hyIHnJC3oTfhEtpyg8ihV8B6XCNCEHXLonEa8QQ4lIluKhDmh+LsydZ/og > oEFQeBNp8VfRVIx8iT1ixNFAtw85ZcB0X5GpUMxHZ5l4IscD2THCfqge+nbOIoCw > 9gHitbrKEe323DXIAiv/xWiJZNw3DwDyPDIXFLypBH2F6ZRSosBMyFwkj5omj3ey > FKAL6DLXDylMgbrihSKA381GktPa5Vr/QmlMjr924VVDbQBmgFBiF7MKeSFHoAjT > AJvWXplp8jIb7c1wo5vOVEa3MqLEW6Me+r2RvbAiDbQbXmVbRGmVgXo0WeZ2xgMq > yhFAoW4JvgrrAqNdocXxc2DoP7BU51zu4b9qq4aPECUzyODpLYtU/PCDNBuvBcWI > erGvwQt6iJP5C8NDHz/Q2mEdBgAq5K+qoSDn5CK+pmWDdR26AVRU8bH8Np4JP2ec > c+qlPjicDRLalAn3jmQa > =9FK7 > -----END PGP SIGNATURE----- > >
