This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.
Prerequisites
1. Install OpenSSL:
Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:
    openssl version
2. Install testssl.sh:
Clone the repository from GitHub:
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
    cd testssl.sh
    chmod +x testssl.sh
HAProxy Configuration (if applicable):
Confirm HAProxy is running with SSL/TLS enabled.
Verify the SSL port (default: 443) is exposed for testing.
...
    ./testssl.sh https://<haproxy_domain_or_IP>:<port>
This checks:
Supported protocols.
Available ciphers.
Certificate properties.
...
    ./testssl.sh --certs https://<haproxy_domain_or_IP>:<port>
This identifies:
Missing intermediate certificates.
Trust issues in the chain.
...
Common Issues and Solutions
1. Verify Full Certificate Chain Delivery
HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:
Server certificate.
Intermediate certificates (in proper order).
Combine certificates if necessary:
    cat server.crt intermediate.crt > fullchain.pem
Update your HAProxy configuration to use the fullchain.pem:
    frontend www-https_frontend
        # 'crt' loads the PEM bundle directly; 'crt-list' expects a list file, not a PEM
        bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem
        # reqadd was removed in HAProxy 2.1; http-request set-header is the current form
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-Port 443
        default_backend app_www-backend-scsp
...
2. Untrusted Certificate
Verify the root CA is trusted on client systems.
Cross-check using online tools like SSL Labs.
...
3. Incorrect Certificate Deployment
Verify the PEM file and private key:
...
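As an added example (not part of the original KB), the shell functions below perform the checks from sections 1 and 3 offline, before HAProxy loads the bundle: that the private key matches the server certificate, that the bundle chains up to a trusted root, and how many certificates the bundle holds compared with how many are served. The file names fullchain.pem, server.key and ca.pem are assumptions.

```shell
#!/bin/sh
# Added example for this KB (not from the original page): offline checks on the
# PEM bundle before HAProxy loads it. Assumed file names: fullchain.pem (server
# cert first, then intermediates), server.key, and ca.pem (the trusted root).

# Does the private key belong to the first (server) certificate in the bundle?
# Both commands emit the SubjectPublicKeyInfo as PEM, so the text must match.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Does the bundle chain up to the given root? openssl verify checks only the
# first certificate in the target file; -untrusted supplies the intermediates
# from the same bundle, which is exactly what a client receives from HAProxy.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Number of certificates in the bundle; a public CA normally needs leaf plus
# at least one intermediate, so a count of 1 usually means one is missing.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Number of certificates actually served on the wire, for comparison with
# cert_count after reloading HAProxy (needs network access to the frontend).
served_cert_count() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Run all offline checks on bundle, key and root; exit status 1 if any fails.
check_bundle() {
    status=0
    key_matches_cert "$1" "$2" && echo "OK: key matches server cert" \
        || { echo "FAIL: private key does not match $1"; status=1; }
    chain_verifies "$1" "$3" && echo "OK: chain verifies up to $3" \
        || { echo "FAIL: chain incomplete or untrusted"; status=1; }
    echo "certificates in bundle: $(cert_count "$1")"
    return $status
}
```

Run `check_bundle fullchain.pem server.key ca.pem` before reloading HAProxy, then compare `served_cert_count <haproxy_domain_or_IP>` with `cert_count fullchain.pem` to confirm the whole bundle is delivered.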