This specific Backend in my test lab is an IIS machine, but in production I have OpenBSD/HAProxy in front of IIS, Apache, Tomcat, etc. I'm not doing anything fancy either... although the certificate in the lab is signed by an internal CA.
Here's the relevant output from openssl s_client: The cert verifies
perfectly fine.

openssl s_client -connect 192.168.42.61:443
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: C01300008246D3973B3106A378C0DB503D4BCDE02C6461AB073949027C90CDCF
    Session-ID-ctx:
    Master-Key: AACBE3A3E34406F9371B4E85D4DC82C177C641C94806562053C000FE0E019D2E1456702F69DECFB6D11C4B4A12A0D555
    Start Time: 1593970747
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

and Netcat:

nc -zv 192.168.42.61 443
Connection to 192.168.42.61 443 port [tcp/https] succeeded!

On Fri, Jul 3, 2020 at 9:40 PM Daniel Jakots <d...@chown.me> wrote:
>
> On Fri, 3 Jul 2020 19:14:17 -0400, Henry Bonath <he...@thebonaths.com>
> wrote:
>
> > Daniel,
> >
> > Thanks for taking the time to test this out.
> > I just reloaded a test machine from scratch with -current and
> > installed the HAProxy 2.0.15-4f39279 package.
> > I loaded a very basic config file, and am also seeing the same exact
> > issue on this one as well.
> > Very strange that you are not -
> > Would you mind sharing any additional details of your config file?
> > Is there anything special about the certificate you have on the
> > backend server?
> >
> > I would love to understand what is going on here and what the
> > difference is with my experience.
>
> What is your backend running? Can you connect from the haproxy host with
> nc(1) and/or openssl(1)?
>
> I try to do my stuff as vanilla as possible so it's an RSA key signed
> by LE.
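Daniel's suggestion, testing the backend from the haproxy host with nc(1) and then openssl(1), written up as a small script. This is an added example, not code from the thread or from HAProxy; the host, port, CA file and SNI name are arguments and nothing here is taken from Henry's lab. Two details the script handles that a quick manual run does not: openssl s_client prints "Verify return code: N" and still exits 0 when chain verification fails unless -verify-return-error is given, so the script greps the verify line as well; and the verify result depends on which CA bundle was consulted, so the script takes the CA file explicitly (the one HAProxy's server line points at via ca-file) instead of relying on the system trust store. The embedded sample outputs are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): check a TLS backend from the HAProxy
# host. Assumes nc(1) and openssl(1) are installed.
# Usage: sh check_backend.sh HOST PORT CAFILE [SNI_NAME]

# Layer 4: does anything accept the TCP connection at all?
tcp_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Full handshake. -CAfile verifies the chain against the given bundle, not
# the system store. -verify_return_error makes a failed verification abort
# the handshake with a non-zero exit instead of "verify failed, continue".
tls_handshake() {
    host=$1; port=$2; cafile=$3; sni=${4:-}
    set -- -connect "$host:$port" -CAfile "$cafile" -verify_return_error
    [ -n "$sni" ] && set -- "$@" -servername "$sni"
    openssl s_client "$@" </dev/null 2>&1
}

# Reduce s_client's output (on stdin) to the fields worth recording.
summarize() {
    awk '
        /^ *Protocol *:/          { proto = $3 }
        /^ *Cipher *:/            { cipher = $3 }
        /^ *Verify return code:/  { sub(/^ *Verify return code: */, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }
    '
}

# True only when the chain verified; reads s_client output on stdin.
verify_passed() {
    grep -q '^ *Verify return code: 0 (ok)'
}

check_backend() {
    host=$1; port=$2; cafile=$3; sni=${4:-}
    if ! tcp_reachable "$host" "$port"; then
        echo "FAIL: $host:$port does not accept TCP connections"
        return 2
    fi
    out=$(tls_handshake "$host" "$port" "$cafile" "$sni")
    printf '%s\n' "$out" | summarize
    if printf '%s\n' "$out" | verify_passed; then
        echo "OK: chain verified against $cafile"
    else
        echo "FAIL: handshake or chain verification failed against $cafile"
        return 1
    fi
}

# Constructed s_client output, in the shape the real tool prints, so the
# parsing functions can be exercised without a network.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 0 (ok)'
SAMPLE_BAD='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)'

# Only hit the network when called with arguments.
if [ $# -ge 3 ]; then
    check_backend "$@"
fi
```

Run it on the haproxy host with the same CA file the backend's server line references; if the handshake succeeds but the verify line is anything other than 0, the chain is not trusted by that bundle even though the port is open and TLS negotiates.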