Page Comparison

This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.

The testssl.sh tool is a powerful script for testing SSL/TLS configurations, including those on HAProxy. This guide provides instructions for testing SSL certificates on HAProxy, ensuring they are valid, correctly configured, and include a complete certificate chain.

Prerequisites

Prerequisites

1. Install OpenSSL:

1. Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:

   Code Block
   openssl version

2. Install testssl.sh:

1. Clone the repository from GitHub

   Code Block
   git clone --depth 1 https://github.com/drwetter/testssl.sh.git cd testssl.sh

   Make the script executable

   Code Block

   chmod +x testssl.sh

   Ensure

2. HAProxy Configuration (if applicable):

   • Confirm HAProxy is running

   and configured to handle

   • with SSL/TLS

   traffic

   • enabled.

   • Check that the front-end and back-end configurations are correct.

   • HAProxy must expose the SSL/TLS Verify the SSL port (default is : 443) is exposed for testing.

...

Validating a PEM Certificate

...

Locally

1. Check PEM File Syntax

Run the following command to ensure the PEM file contains valid certificatesUse OpenSSL to verify certificate file’s syntax:

openssl x509 -in <certificate_file>.pem -noout -text

...

• Verifies the certificate’s syntax.

• Displays details such s issuer, subject, validity period, and extensions.

If the PEM file contains To check the entire certificate chain (server + intermediate certificates), use:

...

This breaks down and lists all certificates in the chain.

...

2. Verify Certificate Matches Private Key

Ensure the certificate and private key correspond:

openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

The outputs must match.

3. Check Certificate Expiration

Confirm the certificate is within its validity period:

openssl x509 -in <certificate_file>.pem -noout -dates

This displays the notBefore and notAfter dates.

4. Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root:

openssl verify -CAfile <root_ca.pem> <certificate_file>.pem

Test with OpenSSL Local Server

You can test a PEM certificate directly by hosting it temporarily with a test server like openssl:.

1. Start a Local Test Server

...

Use openssl OpenSSL to serve the PEM certificate on a local port:

...

• Replace <certificate_file>.pem with your PEM file.

• Replace <private_key>.key with the corresponding private key.

2. Run testssl.sh Against the Local Test Server

With the test server running (openssl), validate the certificate using testssl.sh:

...

• Certificate validity.

• Complete certificate chain.

• Expiration and trustworthiness.

3. Validate Certificate Chain

Ensue the PEM file contains:

• The server certificate.

• Intermediate certificates (in proper order).

Concatenate the certificates if necessary:

cat server.crt intermediate.crt > fullchain.pem

Use testssl.sh to validate the chain:

./testssl.sh --certs https://127.0.0.1:4433

Look for issues like “Incomplete chain” or “Missing intermediate certificates.”

4. Additional Tests

Check Certificate Expiration

openssl x509 -in <certificate_file>.pem -noout -dates

This outputs the notBefore and notAfter dates.

Verify Certificate Matches the Private Key

openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5

The output of both commands should match.

Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root:

openssl verify -CAfile <root_ca.pem> <certificate_file>.pem

Testing SSL Certificates on HAProxy

Using testssl.sh for HAProxy SSL/TLS Validation

1. Basic SSL/TLS Validation

...

Check the HAProxy SSL/TLS configuration

...

:

./testssl.sh https://<haproxy_domain_or_IP>:<port>

This checks:

• Protocol supportSupported protocols.

• Cipher availabilityAvailable ciphers.

• Certificate properties.

2. Certificate Chain Validation:

To validate Ensure the Certificate chain on HAProxyfull certificate chain is provided:

./testssl.sh --certs https://<haproxy_domain_or_IP>

...

:<port>

...

Certificate Validate: Ensure the certificate is active and not expired.

...

This identifies:

• Missing intermediate certificates.

• Trust : Confirm that issues in the certificate chain leads to a trusted root CA.

3. Testing Specific Front-ends

If HAProxy has multiple front-ends with SSL configured on different ports, specify the port:

./testssl.sh https://<haproxy_domain_or_IP>:<port>

For exampleExample:

./testssl.sh https://haproxy.example.com:9091

HAProxy-Specific Considerations

Common Issues and Solutions

1. Verify Full Certificate Chain Delivery

HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:

...

Update your HAProxy configuration to use the fullchain.pem:

frontend www-https_frontend
    bind *:443 ssl crt-list /etc/haproxy/ssl/fullchain.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    default_backend app_backend

Restart HAProxy After configuration Changes

After updating certificates, restart HPAroxy to apply the changes:

systemctl restart haproxywww-backend-scsp

2. Untrusted Certificate

• Verify the root CA is trusted on client systems.

• Cross-check using online tools like SSL Labs.

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

openssl x509 -in /etc/haproxy/fullchain.pem -text -noout
openssl rsa -in /etc/haproxy/server.key -check

4. SSL Configuration Errors

Validate HAProxy configuration:

haproxy -c -f /etc/haproxy/haproxy.cfg

Ensure the bind directive specifics correct SSL/TLS options.

Advanced Testing with testssl.sh

1. Check the Expiration Warnings

Run the following to get alerts about Certificates nearing expiration:

./testssl.sh --certs --warnings https://<haproxy_domain_or_IP>

2. Analyze Protocol and Cipher Support

HAProxy often uses a specific SSL/TLS configuration. Test supported protocols and ciphers:

./testssl.sh --protocols https://<haproxy_domain_or_IP>
./testssl.sh --ciphers https://<haproxy_domain_or_IP>

3. Generate Reports

Export results for documentation or reporting:

./testssl.sh --jsonfile haproxy_test.json https://<haproxy_domain_or_IP>
./testssl.sh --htmlfile haproxy_test.html https://<haproxy_domain_or_IP>

Troubleshooting HAProxy SSL Issues

Incomplete Certificate Chain

• Ensure intermediate certificates are included in the PEM file.

• Use testssl.sh --certs to identify missing certificates.

Certificate Not Trusted

• Verify the root CA is trusted on client systems.

• Use online tools like SSL Labs to cross-check.

SSL Configuration Errors

Check the HAProxy configuration file for syntax issues:

...

Ensure bind directives correctly specify SSL options.

Incorrect Certificate Deployment

Verify the certificate file and key are correct:

openssl x509 -in /etc/haproxy/fullchain.pem -text -noout
openssl rsa -in /etc/haproxy/server.key -check

Example: Validating HAProxy SSL Certificate

./testssl.sh --certs https://haproxy.example.com:443

...

• Certificate is valid: Yes

• Chain issues: None

• Expiration: Valid until YYYY-MM-DD

• Protocols and ciphers: Secure configurations

Summary

By following this guidethese instructions, you can ensure that your HAProxy effectively validate SSL/TLS setup is secure, the certificate is valid, and the chain is complete. Regular checks with testssl.sh help maintain a robust SSL/TLS configurationcertificates using OpenSSL and testssl.sh. These tools help ensure certificates are valid, chains are complete, and configurations are secure. Regular testing maintains a strong SSL/TLS posture for services like HAProxy.