This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.


Prerequisites

1. Install OpenSSL:

  1. Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:

    Code Block
    openssl version

2. Install testssl.sh:

  1. Clone the repository from GitHub:

    Code Block
    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
    cd testssl.sh
    chmod +x testssl.sh

3. HAProxy Configuration (if applicable):

    • Confirm HAProxy is running with SSL/TLS enabled.

    • Verify the SSL port (default: 443) is exposed for testing.

...

This displays the notBefore and notAfter dates.

4. Verify Intermediate Certificate is Trusted

Use the following command to confirm that the intermediate certificate is signed by a trusted root:

...

  • Certificate validity.

  • Complete certificate chain.

  • Expiration and trustworthiness.

Using testssl.sh for HAProxy SSL/TLS Validation

...

Code Block
./testssl.sh https://<haproxy_domain_or_IP>:<port>

This checks:

  • Supported protocols.

  • Available ciphers.

  • Certificate properties.

2. Certificate Chain Validation:

Ensure the full certificate chain is provided:

Code Block
./testssl.sh --certs https://<haproxy_domain_or_IP>:<port>

This identifies:

  • Missing intermediate certificates.

  • Trust issues in the chain.

...

Common Issues and Solutions

1

...

Ensure the PEM file includes:

  • Server certificate.

  • Intermediate certificates (in proper order).

Combine certificates if necessary:

...

...

Verify Full Certificate Chain Delivery

HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:

...

Update your HAProxy configuration to use the fullchain.pem:

Code Block
frontend www-https_frontend
    # 'crt' takes the PEM file itself (server certificate, intermediates in issuing
    # order, then the private key, or the key in a matching fullchain.pem.key file);
    # 'crt-list' expects a text file listing PEM paths, not the PEM.
    bind *:443 ssl crt /etc/haproxy/ssl/fullchain.pem
    # reqadd was removed in HAProxy 2.1; on current releases use
    # http-request set-header X-Forwarded-Proto https (and likewise for the port).
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443
    default_backend app_www-backend-scsp
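
Before restarting HAProxy, the two properties this guide relies on, correct chain order in the PEM and a leaf that chains to a trusted root (the step 4 check), can be confirmed offline. The script below is an added example and is not part of the original guide or of testssl.sh; it assumes openssl is on PATH and that the caller supplies the bundle path and a trusted CA file (both hypothetical paths).

```shell
#!/usr/bin/env bash
# Offline pre-deployment checks for a concatenated PEM bundle (server certificate
# first, then intermediates in issuing order; a private key block is ignored).
# Assumes `openssl` is on PATH.
set -u
# Split bundle $1 into cert01.pem, cert02.pem, ... in directory $2; print the count.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }' "$1"
}

# Return 0 when every certificate is unexpired and each one is issued by the
# certificate that follows it; report the first problem found otherwise.
check_chain_order() {
    local bundle=$1 tmp count i cur nxt
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then echo "no certificates in $bundle"; rm -rf "$tmp"; return 1; fi
    i=1
    while [ "$i" -le "$count" ]; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        if ! openssl x509 -noout -checkend 0 -in "$cur" >/dev/null; then
            echo "certificate #$i has expired"; rm -rf "$tmp"; return 1
        fi
        if [ "$i" -lt "$count" ]; then
            nxt=$(printf '%s/cert%02d.pem' "$tmp" "$((i + 1))")
            # Compare DN hashes so the check does not depend on openssl's DN print format.
            if [ "$(openssl x509 -noout -issuer_hash -in "$cur")" != \
                 "$(openssl x509 -noout -subject_hash -in "$nxt")" ]; then
                echo "certificate #$i is not issued by #$((i + 1)): wrong order or missing intermediate"
                rm -rf "$tmp"; return 1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; echo "chain order OK: $count certificate(s)"
}
# Return 0 when the leaf (first certificate in $1) chains through the bundle's
# intermediates to a root in trusted CA file $2 (the step 4 check, done offline).
verify_chain_trusted() {
    local tmp rc
    tmp=$(mktemp -d) || return 2
    split_pem_bundle "$1" "$tmp" >/dev/null
    if openssl verify -CAfile "$2" -untrusted "$1" "$tmp/cert01.pem"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"; return "$rc"
}
```

Run as `check_chain_order /etc/haproxy/ssl/fullchain.pem && verify_chain_trusted /etc/haproxy/ssl/fullchain.pem /path/to/root-ca.pem`; a bundle with its intermediate missing or placed before the server certificate fails the first check with the reason printed.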

...

2. Untrusted Certificate

  • Verify the root CA is trusted on client systems.

  • Cross-check using online tools like SSL Labs.

...

3. Incorrect Certificate Deployment

Verify the PEM file and private key:

...