Maybe the server refuses sslv3... Can you disable sslv3 on the server side?

Baptiste

On Thu, Apr 23, 2015 at 3:38 PM, <[email protected]> wrote:
> I've checked again, but the time on those servers is correct..
>
> On 2015-04-23 14:16, Daniel Schneller wrote:
>>
>> Have you checked the time/date on the Haproxy host?
>> If they are wrong, the certificate might look bad from HAProxy's
>> point of view.
>>
>> Daniel
>>
>> --
>> Daniel Schneller
>> Infrastructure Architect / Developer
>> CenterDevice GmbH
>>
>>> On 23.04.2015, at 10:00, [email protected] wrote:
>>>
>>> Hi!
>>>
>>> I'm having trouble with one of our HAProxy-Servers that uses a
>>> backend with TLS. When starting HAProxy the backend will report all
>>> servers as down:
>>>
>>>> Server web_remote/apache_rem_1 is DOWN, reason: Layer6 invalid
>>>> response, info: "SSL handshake failure", check duration: 41ms. 1
>>>> active and 0 backup servers left. 0 sessions active, 0 requeued, 0
>>>> remaining in queue.
>>>
>>>
>>> My backend configuration is as follows:
>>>
>>> backend web_remote
>>>     balance leastconn
>>>     option httpchk HEAD /
>>>     option redispatch
>>>     retries 3
>>>
>>>     default-server inter 5000 rise 2 fall 5 maxconn 10000 maxqueue 50000
>>>
>>>     server apache_rem_1 1.2.3.4:12345 check maxconn 1000 maxqueue 5000 ssl ca-file /etc/ssl/web.pem
>>>     server apache_rem_2 2001:1:2:3:4:5:6:8:12345 check maxconn 1000 maxqueue 5000 ssl ca-file /etc/ssl/web.pem
>>>
>>> This backend worked just fine until now, a quick wget on the server
>>> also worked and openssl s_client reports the certificate of the
>>> backend to be valid.
>>>
>>> I couldn't find anything on the list except that the error would be
>>> due to SSL_ABORT, but I'm not sure what this is supposed to tell
>>> me...
>>>
>>> Is there anything else for HAProxy/TLS that could be configured
>>> wrong? How could I debug this issue when everything else reports the
>>> handshake was successful?

