Dear community, I'm striving to prototype an example of HAProxy working with (HashiCorp) Vault acting as PKI and CA, generating end-user certificates as well as providing CRL + OCSP (repo below).

To explain briefly: using openssl I'm generating root CA and intermediate certificates on an initial HAProxy host. I then use the intermediate certificate on a 2nd host to enable Vault and then generate subsequent end-user certificates using its features. The issue I am facing is a breakage to my working end-to-end (user) tests via curl: when scraping the CRL file from Vault and setting it in haproxy.conf with `bind .... crl mycrl.pem`, there are no complaints and the config is valid (as is the CRL); however, I am no longer able to get any valid responses:

```
# after: wget http://__VAULT___:8200/v1/pki/crl/pem & setting crl-file in conf + restart
curl -v --cacert allowed1.tld.com.local_cachain.pem --cert allowed1.tld.com.local_bundle.pem https://subdomain.tld.com.local/ ;
# * Trying 192.168.10.200...
# * TCP_NODELAY set
# * Connected to subdomain.tld.com.local (192.168.10.200) port 443 (#0)
# * ALPN, offering h2
# * ALPN, offering http/1.1
# * successfully set certificate verify locations:
# *   CAfile: allowed1.tld.com.local_cachain.pem
#     CApath: none
# * TLSv1.2 (OUT), TLS handshake, Client hello (1):
# * TLSv1.2 (IN), TLS handshake, Server hello (2):
# * TLSv1.2 (IN), TLS handshake, Certificate (11):
# * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
# * TLSv1.2 (IN), TLS handshake, Request CERT (13):
# * TLSv1.2 (IN), TLS handshake, Server finished (14):
# * TLSv1.2 (OUT), TLS handshake, Certificate (11):
# * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
# * TLSv1.2 (OUT), TLS handshake, CERT verify (15):
# * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
# * TLSv1.2 (OUT), TLS handshake, Finished (20):
# * TLSv1.2 (IN), TLS alert, unknown CA (560):
# * error:1401E418:SSL routines:CONNECT_CR_FINISHED:tlsv1 alert unknown ca
# * Closing connection 0
# curl: (35) error:1401E418:SSL routines:CONNECT_CR_FINISHED:tlsv1 alert unknown ca
# take crl-file out of haproxy all works ok again :-(
```

I've tried a few permutations of chains to ensure that my certificates have the root & intermediate; however, I'm lost for ideas and would be thankful for any guidance, tips or indicators towards anything obvious I may have missed. Many thanks in advance.

https://github.com/aphorise/hashicorp.vagrant_vault-pki_haproxy

HAProxy conf: https://github.com/aphorise/hashicorp.vagrant_vault-pki_haproxy/blob/master/2.install_haproxy.sh#L78