Hello,

I decided to try using relayd as a TLS accelerator and have run into an issue - as usual, I'm sure I'm missing something obvious.

I generated a TLS cert with acme-client and tested and confirmed it worked with httpd. I then configured relayd to perform TLS acceleration by following examples in the man pages. Everything works great when tested from a web browser. However, when I try to fetch a file via curl, wget or ftp etc., I get a cert validation error: (IP and domain removed for privacy)

...
$ curl -iv https://www.example.com:8088/test.txt
*   Trying 192.0.1.189:8088...
* Connected to www.example.com (192.0.1.189) port 8088 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
...

My relayd config looks like this:
...
http protocol https {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"

        # Various TCP options
        tcp { sack, backlog 128 }

        tls { no tlsv1.0, ciphers HIGH, keypair example.com }
#       tls no session tickets
}

relay test {
        # Run as an SSL/TLS accelerator
        listen on $ext_addr port 8088 tls
        protocol https

        # Forward to hosts in the webhosts table using a src/dst hash
        forward to <test> port 80 mode loadbalance \
                check icmp
}
...

I'm not sure what the issue is here, this is my first foray into relayd TLS acceleration, so I was hoping to get a quick sanity check here to make sure I'm not missing something obvious. I've certainly put some legwork into figuring this out, I spent all day futzing with this to no avail. Everything here is bog standard, so I'm curious what I'm doing wrong.

As usual, any insight or advice would be greatly appreciated.

Regards,

Jordan
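An added diagnostic, not part of Jordan's post and not relayd's or acme-client's own code: "unable to get local issuer certificate" (OpenSSL verify error 20, which curl reports as exit 60) is what an OpenSSL-based client prints when the server sends only the leaf certificate and the client has no intermediate to bridge to its CAfile. Browsers often paper over that by fetching the issuer via the AIA URL, so a browser succeeding while curl/wget/ftp fail is consistent with a leaf-only keypair file. The script below builds a constructed root/intermediate/leaf PKI with openssl, then checks a leaf-only .crt against a leaf+intermediate bundle the same way curl does (trust anchor from CAfile, intermediates only from what the server sent). The file names example.com.crt, fullchain.pem and root.crt are assumptions standing in for /etc/ssl/<name>.crt, acme-client's full chain output and /etc/ssl/cert.pem.

```shell
#!/bin/sh
# Added diagnostic (not from the original post, not relayd's own code).
# Builds a constructed root -> intermediate -> leaf PKI, then checks a
# leaf-only certificate file against a leaf+intermediate bundle the way
# curl's OpenSSL backend does: trust anchor from CAfile, intermediates only
# from what the server sent. All file names below are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure

# --- constructed test PKI: a stand-in for a public CA, its intermediate and the site cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root"
q openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.crt

q openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Intermediate"
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.crt

q openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=www.example.com"
q openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -days 2 -out leaf.crt

cp leaf.crt example.com.crt              # leaf only: what a bare site certificate file looks like
cat leaf.crt int.crt > fullchain.pem     # leaf + intermediate: what a full-chain file looks like

# Number of certificates in a PEM bundle (1 means no intermediate is being sent).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Emulate the client: verify the first cert in $1 using only the other certs in $1
# as intermediates and $2 as the trust store. Prints "complete" or "incomplete".
chain_status() {
    awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$1" > "$WORK/first.pem"
    if openssl verify -CAfile "$2" -untrusted "$1" "$WORK/first.pem" >/dev/null 2>&1; then
        echo complete
    else
        echo incomplete
    fi
}

for f in example.com.crt fullchain.pem; do
    echo "$f: $(cert_count "$f") cert(s), chain $(chain_status "$f" root.crt)"
done

# The failing case reports the same error text curl printed:
openssl verify -CAfile root.crt -untrusted example.com.crt leaf.crt 2>&1 || true
```

Against a live relayd listener the equivalent check is `openssl s_client -connect host:8088 -servername host -showcerts </dev/null`, counting the certificates in the output; if only one comes back, the keypair file is being served without its intermediate.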