Question

I am trying to install a Comodo PositiveSSL certificate on HAProxy, but the browser shows a certificate error. HAProxy config:

global
    daemon
    #debug
    maxconn 15000
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600

defaults
    mode http
    balance roundrobin
    timeout client 60s   # Client and server timeout must match the longest
    timeout server 60s   # time we may wait for a response from the server.
    timeout queue  60s   # Don't queue requests too long if saturated.
    timeout connect 4s   # There's no reason to change this one.
    timeout http-request 5s
    option http-server-close
    option httpclose
    option abortonclose
    option redispatch
    option forwardfor # set the client's IP in X-Forwarded-For.
    option tcp-smart-accept
    option tcp-smart-connect
    retries 2
    monitor-uri /monitor # Returns 200 if we're up; real path redacted
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen stats 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri     /
    stats realm   HAProxy\ Statistics
    stats auth example:example

frontend httpFrontEnd
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example_com.pem ca-file /etc/haproxy/certs/example_com.ca-bundle
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    stick-table type ip size 200k expire 5m store gpc0,conn_rate(10s)
    acl source_is_abuser src_get_gpc0 gt 0
    tcp-request connection reject if source_is_abuser
    acl conn_rate_abuse  sc1_conn_rate gt 100
    acl mark_as_abuser   sc1_inc_gpc0  gt 0
    tcp-request connection track-sc1 src
    tcp-request connection reject if conn_rate_abuse mark_as_abuser

    acl examplecom hdr_end(host) -i example.com
    use_backend examplecom_http if examplecom
    use_backend httpsBackEnd if { ssl_fc }

    default_backend httpBackEnd

backend examplecom_http
    server s1 X.X.X.X:80 check

backend httpBackEnd
    server httpBackEnd-Local X.X.X.X:81 check

backend httpsBackEnd
    server httpBackEnd-Local X.X.X.X:444 check

The .pem file contains the domain certificate and private key:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

The ca-bundle file is from Comodo:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The problem is that I get a certificate error (name mismatch): Certificate name mismatch: Issued to: server


Solution

It sounds like you need to install your certificate chain. Comodo (and most other CAs) will have a chain that must be followed by the browser. In your cert file just add the intermediate and root CA certs in addition to your actual cert. My file looks like this:

-----BEGIN MY CERTIFICATE-----
-----END MY CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN INTERMEDIATE CERTIFICATE-----
-----END INTERMEDIATE CERTIFICATE-----
-----BEGIN ROOT CERTIFICATE-----
-----END ROOT CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
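
An added example (not part of the original answer, and not HAProxy's own code): a small Python audit that checks a HAProxy `crt` file for exactly one private key and for the chain order described above, where each certificate is issued by the one that follows it. The function names and the `fake_pem` sample certificates are constructed for illustration; the samples are unsigned DER skeletons, and the check compares issuer and subject names only, without verifying signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw issuer and subject Name bytes of one X.509 certificate."""
    tbs = read_tlv(read_tlv(der)[1])[1]  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 5:
        tag, value, pos = read_tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(value)
    return fields[2], fields[4]  # serial, sigAlg, ISSUER, validity, SUBJECT

def audit_bundle(pem_text):
    """List problems in the PEM file given to HAProxy's `crt` option."""
    blocks = PEM_RE.findall(pem_text)
    certs = [base64.b64decode(body) for label, body in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    if not certs:
        return ["no certificate found"]
    problems = [] if len(keys) == 1 else ["expected exactly one private key"]
    names = [issuer_and_subject(c) for c in certs]
    if len(certs) == 1 and names[0][0] != names[0][1]:
        problems.append("only the leaf is present: intermediates missing")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

def fake_pem(issuer, subject):  # constructed sample input, not a real certificate
    tlv = lambda tag, value: bytes([tag, len(value)]) + value
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + tlv(0x30, issuer.encode()) + tlv(0x30, b"") + tlv(0x30, subject.encode()))
    der = base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"

KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # constructed
LEAF = fake_pem("Sample Intermediate CA", "example.com")
INTERMEDIATE = fake_pem("Sample Root CA", "Sample Intermediate CA")
```

`audit_bundle(LEAF + KEY)` mirrors the layout in the question and reports the missing intermediates; `audit_bundle(LEAF + INTERMEDIATE + KEY)` mirrors the layout in the answer and returns an empty list.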
License: CC-BY-SA with attribution
Not affiliated with StackOverflow