openssl snippets

How to fix "SSL client CA chain cannot be verified" haproxy error

Tagged haproxy, ssl, openssl  Languages bash

Check which client certificates CA names the server accepts

$ openssl s_client -connect 127.0.0.1:443 -servername xxx.com

Acceptable client certificate CA names
/C=FI/ST=Finland/O=Vaestorekisterikeskus TEST/OU=Terveydenhuollon testiammattivarmenteet/CN=VRK TEST CA for Healthcare Professionals
/C=FI/ST=Finland/O=Vaestorekisterikeskus TEST/OU=Testivarmenteet/CN=VRK CA for Test Purposes

Export client certificate public key to a file

If needed, export the client certificate's public key to a file, e.g. xyz.pem.

Check who has issued the client certificate:

$ openssl x509 -in xyz.pem -text

Issuer: C=FI, ST=Finland, O=Vaestorekisterikeskus TEST, OU=Terveydenhuollon testiammattivarmenteet, CN=VRK TEST CA for Healthcare Professionals

Is the issuer one of the CAs listed in step #1?

Verify client certificate

If yes, verify the client certificate against haproxy's ca-file:

cat xyz.pem | openssl verify -CAfile /etc/ssl/certs/haproxy-ca-file.pem

If validation fails, you probably need to add some root or intermediate certificates to /etc/ssl/certs/haproxy-ca-file.pem.