The testssl.sh tool is a powerful script for testing SSL/TLS configurations, including those on HAProxy. This guide provides instructions for testing SSL certificates on HAProxy, ensuring they are valid, correctly configured, and include a complete certificate chain.
Prerequisites
Install testssl.sh: clone the repository from GitHub
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
Make the script executable
chmod +x testssl.sh
Ensure HAProxy is running and configured to handle SSL/TLS traffic.
Check that the front-end and back-end configurations are correct.
HAProxy must expose the SSL/TLS port (default is 443) for testing.
Steps to Validate a PEM Certificate File
Check PEM File Syntax
Run the following command to ensure the PEM file contains valid certificates:
openssl x509 -in <certificate_file>.pem -noout -text
This command:
Verifies the certificate's syntax (it parses only the first certificate in the file).
Displays details such as issuer, subject, validity period, and extensions.
If the PEM file contains the entire chain (server + intermediate certificates), use:
openssl crl2pkcs7 -nocrl -certfile <certificate_file>.pem | openssl pkcs7 -print_certs -noout
This lists every certificate in the file, in file order, with its subject and issuer, so you can see that each certificate is issued by the one that follows it.
Test the Certificate with OpenSSL
You can test a PEM certificate directly by hosting it temporarily with a test server such as openssl s_server:
1. Start a Local Test Server using OpenSSL
Use openssl s_server to serve the PEM certificate on a local port:
openssl s_server -accept 4433 -www -cert <certificate_file>.pem -key <private_key>.key -cert_chain <intermediate_file>.pem
Replace <certificate_file>.pem with your server certificate, <private_key>.key with the corresponding private key, and <intermediate_file>.pem with the intermediate certificate(s). s_server uses only the first certificate found in the -cert file, so the intermediates must be supplied with -cert_chain or the chain test below will report them as missing. -www makes the server answer HTTP requests, which the testssl.sh header checks expect.
2. Run testssl.sh Against the Local Test Server
With the openssl test server running, validate the certificate using the server-defaults check of testssl.sh (-S, --server-defaults; there is no --certs option):
./testssl.sh -S https://127.0.0.1:4433
This checks:
Certificate validity (signature algorithm, key size, validity period and days left).
Complete certificate chain (chain of trust).
Trustworthiness (issuer, hostname match, revocation information).
Expect the hostname check to fail here: 127.0.0.1 is not a name in the certificate. Everything else should pass.
3. Validate Certificate Chain
Ensure the PEM file contains:
The server certificate.
Intermediate certificates (in proper order: server certificate first, then each issuing certificate up to, but not including, the root).
Concatenate the certificates if necessary:
cat server.crt intermediate.crt > fullchain.pem
For the openssl s_server test the intermediates go in -cert_chain; for HAProxy they go in the PEM file itself. Use testssl.sh to validate the chain:
./testssl.sh -S https://127.0.0.1:4433
Look at the "Chain of trust" line of the report; an incomplete chain or a missing intermediate certificate is reported there.
4. Additional Tests
Check Certificate Expiration
openssl x509 -in <certificate_file>.pem -noout -dates
This outputs the notBefore and notAfter dates.
Verify Certificate Matches the Private Key
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5
openssl rsa -noout -modulus -in <private_key>.key | openssl md5
The output of both commands should match. The modulus comparison only works for RSA keys; for ECDSA (or any other) keys compare the public keys instead, i.e. the output of openssl x509 -noout -pubkey against that of openssl pkey -pubout on the private key.
Verify Intermediate Certificate is Trusted
Use the following commands to confirm that the intermediate certificate is signed by a trusted root, and that the server certificate chains to that root through it. The intermediate is passed as -untrusted; verifying the server certificate against the root alone fails whenever an intermediate is involved, even when the chain is fine:
openssl verify -CAfile <root_ca.pem> <intermediate_file>.pem
openssl verify -CAfile <root_ca.pem> -untrusted <intermediate_file>.pem <certificate_file>.pem
Testing SSL Certificates on HAProxy
Basic SSL/TLS Validation
To test the SSL/TLS configuration of your HAProxy server, run:
./testssl.sh https://<haproxy_domain_or_IP>
This checks:
Protocol support.
Cipher availability.
Certificate properties.
Certificate Chain Validation
To validate the certificate chain on HAProxy (server-defaults check):
./testssl.sh -S https://<haproxy_domain_or_IP>
Key Points to Check:
Certificate validity: ensure the certificate is active and not expired.
Certificate chain: verify there are no missing intermediate certificates.
Trust: confirm that the certificate chain leads to a trusted root CA and that the name you connect with is covered by the certificate.
Testing Specific Front-ends
If HAProxy has multiple front-ends with SSL configured on different ports, specify the port:
./testssl.sh https://<haproxy_domain_or_IP>:<port>
For example:
./testssl.sh https://haproxy.example.com:9091
HAProxy-Specific Considerations
Verify Full Certificate Chain Delivery
HAProxy sends the certificates in the crt file exactly as they appear in it, so the file must contain the full chain. HAProxy also reads the private key from that same file (recent versions can alternatively load it from a file of the same name with a .key suffix). Ensure the PEM file includes, in this order:
The server certificate.
Intermediate certificates.
The private key.
You can concatenate them into a single PEM file as follows (the key makes the file secret; keep it readable by root only):
cat server.crt intermediate.crt server.key > fullchain.pem
chmod 600 fullchain.pem
Update your HAProxy configuration to use the fullchain.pem:
frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/fullchain.pem
    default_backend app_backend
Reload HAProxy After Configuration Changes
After updating certificates, check the configuration and reload HAProxy to apply the changes. A reload hands existing connections over to the new process; a restart drops them:
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
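The PEM checks above (chain verification with the intermediate as untrusted, key/certificate match, chain order and the need for the private key in the HAProxy crt file) as one runnable script. This is an added example, not code from the original guide, from testssl.sh or from HAProxy: it builds a throw-away root -> intermediate -> leaf PKI with openssl so it runs offline, and the hostname tls.example.test, the file names and the 30-day lifetimes are assumptions. The leaf deliberately uses an EC key, for which the -modulus comparison does not work.

```shell
#!/bin/sh
# Added example (not from the original guide, testssl.sh or HAProxy): build a
# throw-away root -> intermediate -> leaf chain, then run the guide's PEM checks
# as shell functions. tls.example.test, file names and lifetimes are assumptions.
set -eu
WORK="${TMPDIR:-/tmp}/pemcheck.$$"
mkdir -p "$WORK" && cd "$WORK"

# --- constructed test PKI (test data, not a real deployment) -----------------
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf   # minimal req config
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Test Root CA" -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
  -subj "/CN=Test Intermediate CA" -keyout intermediate.key -out intermediate.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null
# EC leaf on purpose: "openssl x509 -modulus" cannot compare it with its key.
openssl req -config req.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=tls.example.test" -keyout server.key -out server.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:tls.example.test\n' > leaf.ext
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out wrong.key 2>/dev/null
cat server.crt intermediate.crt > fullchain.pem                 # chain only
cat server.crt intermediate.crt server.key > haproxy-bundle.pem # what HAProxy loads
chmod 600 haproxy-bundle.pem
cat intermediate.crt server.crt > wrong-order.pem               # deliberately wrong

# --- checks ------------------------------------------------------------------
# Number of certificates in a PEM file (1 means the intermediates are missing).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# verify_chain ROOT LEAF [INTERMEDIATE]: the root is trusted, the intermediate
# is passed as -untrusted; without it verification fails although the chain is fine.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Compare SubjectPublicKeyInfo digests; works for RSA and EC keys alike.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Split a bundle into cert-NN.pem in file order, skipping private key blocks.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); p = 1 }
                   p { print > out }
                   /-----END CERTIFICATE-----/ { p = 0; close(out) }' "$1"
}

# HAProxy sends the file as-is: the leaf must come first and every certificate
# must be issued by the one that follows it.
chain_order_ok() {
  d=$(mktemp -d "$WORK/split.XXXXXX"); split_bundle "$1" "$d"; prev=""
  for f in "$d"/cert-*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject); subj="${subj#subject=}"
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then rm -rf "$d"; return 1; fi
    iss=$(openssl x509 -in "$f" -noout -issuer); prev="${iss#issuer=}"
  done
  rm -rf "$d"
}

# The HAProxy crt file must also carry the private key (or a sibling .key file).
has_private_key() { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Status 0 if the certificate is still valid in N days (a DAYS2WARN-style check).
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
echo "certificates in fullchain.pem: $(cert_count fullchain.pem)"
report verify_chain root.pem server.crt intermediate.crt
report verify_chain root.pem server.crt          # fails: intermediate not supplied
report key_matches_cert server.crt server.key
report key_matches_cert server.crt wrong.key     # fails: key belongs to another cert
report chain_order_ok haproxy-bundle.pem
report chain_order_ok wrong-order.pem            # fails: intermediate before the leaf
report has_private_key haproxy-bundle.pem
report has_private_key fullchain.pem             # fails: HAProxy could not load this
report valid_for_days server.crt 29
report valid_for_days server.crt 31              # fails: expires before that
```

Point the functions at your own files before copying a bundle to /etc/haproxy: chain_order_ok and has_private_key on the crt file, verify_chain with the CA's published root and intermediate, and key_matches_cert on the leaf and key. The working directory under $TMPDIR holds private keys and is left in place for inspection; remove it when done.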
Advanced Testing with testssl.sh
Check the Expiration Warnings
testssl.sh flags a certificate nearing expiration in the server-defaults (-S) output. The thresholds are the DAYS2WARN1 and DAYS2WARN2 environment variables (60 and 30 days by default); there is no --warnings switch for this (--warnings controls how testing errors are handled). To be warned earlier:
DAYS2WARN1=90 DAYS2WARN2=30 ./testssl.sh -S https://<haproxy_domain_or_IP>
Analyze Protocol and Cipher Support
HAProxy often uses a specific SSL/TLS configuration. Test the supported protocols, the standard cipher categories by strength, and each individual cipher:
./testssl.sh --protocols https://<haproxy_domain_or_IP>
./testssl.sh --std https://<haproxy_domain_or_IP>
./testssl.sh --each-cipher https://<haproxy_domain_or_IP>
Generate Reports
Export results for documentation or reporting:
./testssl.sh --jsonfile haproxy_test.json https://<haproxy_domain_or_IP>
./testssl.sh --htmlfile haproxy_test.html https://<haproxy_domain_or_IP>
Troubleshooting HAProxy SSL Issues
Incomplete Certificate Chain
Ensure intermediate certificates are included in the PEM file, after the server certificate. Use testssl.sh -S to identify missing certificates.
Certificate Not Trusted
Verify the root CA is trusted on client systems.
Use online tools like SSL Labs to cross-check.
SSL Configuration Errors
Check the HAProxy configuration file for syntax issues:
haproxy -c -f /etc/haproxy/haproxy.cfg
Ensure bind directives correctly specify SSL options.
Incorrect Certificate Deployment
Verify the certificate file and key are correct:
openssl x509 -in /etc/haproxy/fullchain.pem -text -noout
openssl rsa -in /etc/haproxy/server.key -check
For non-RSA keys use openssl pkey -check instead of openssl rsa -check. Remember that HAProxy reads the key from the crt file (or a .key file of the same name), so if the key is missing there HAProxy fails to start.
Example: Validating HAProxy SSL Certificate
./testssl.sh https://haproxy.example.com:443
This runs every check; the certificate information is in the server-defaults section of the report. What to look for:
Certificate validity: the validity period has not expired and no days-left warning is shown.
Chain of trust: OK, with no missing intermediate certificates.
Trust: the name you connect with is covered by the certificate's subjectAltName and the chain ends at a trusted root CA.
Protocols and ciphers: no SSLv3, TLS 1.0 or TLS 1.1 offered and no weak ciphers.
Summary
By following this guide, you can ensure that your HAProxy SSL/TLS setup is secure, the certificate is valid, and the chain is complete. Regular checks with testssl.sh help maintain a robust SSL/TLS configuration.