This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.
...
```sh
./testssl.sh https://<haproxy_domain_or_IP>:<port>
```
This checks:
Supported protocols.
Available ciphers.
Certificate properties.
...
```sh
./testssl.sh --certs https://<haproxy_domain_or_IP>:<port>
```
This identifies:
Missing intermediate certificates.
Trust issues in the chain.
...
Update your HAProxy configuration to use the fullchain.pem:

```
frontend www-https_frontend
    # crt loads a PEM file directly; crt-list expects a file that lists certificate paths
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    default_backend app_www-backend-scsp
```
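Before reloading HAProxy, the bundle can be checked locally with OpenSSL for the missing-intermediate problem described above. The script below is an added example, not part of the original guide; the function names, file names and the throwaway demo PKI are assumptions constructed so that it runs offline.

```sh
#!/bin/sh
# Added example (not from the original guide): confirm that a PEM bundle
# carries the intermediates a client needs before HAProxy serves it.
# Function names and file names below are assumptions for illustration.

# check_fullchain BUNDLE ROOT_CA: exit 0 when the first certificate in
# BUNDLE chains to ROOT_CA using only the certificates that follow it.
check_fullchain() (
    tmp=$(mktemp -d) || exit 2
    # Copy certificate blocks only (an HAProxy PEM may also hold the key):
    # block 1 is the server certificate, later blocks are intermediates.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d (n == 1 ? "/leaf.pem" : "/inter.pem")) }
        /-----END CERTIFICATE-----/ { on = 0 }' "$1"
    rc=0
    if [ -s "$tmp/inter.pem" ]; then
        openssl verify -CAfile "$2" -untrusted "$tmp/inter.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1 || rc=$?
    else
        openssl verify -CAfile "$2" "$tmp/leaf.pem" >/dev/null 2>&1 || rc=$?
    fi
    rm -rf "$tmp"
    exit "$rc"
)

# Constructed throwaway PKI (root -> intermediate -> leaf) for the demo;
# a real run passes your own fullchain.pem and the issuing root CA instead.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
check_fullchain "$demo/fullchain.pem" "$demo/root.pem" && echo "fullchain.pem: chain complete"
check_fullchain "$demo/leaf.pem" "$demo/root.pem" || echo "leaf only: intermediate missing"
```

The check treats the first certificate in the file as the server certificate, so it does not detect a bundle whose certificates are in the wrong order.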
2. Untrusted Certificate
Verify the root CA is trusted on client systems.
Cross-check using online tools like SSL Labs.
...