This KB guide focuses on using OpenSSL and testssl.sh to validate SSL/TLS certificates, ensuring they are configured correctly, include a complete certificate chain, and are trusted. It covers testing certificates both locally and on HAProxy servers.
Prerequisites
1. Install OpenSSL:
Ensure OpenSSL is installed on your system. Most Linux distributions include it by default:
openssl version
2. Install testssl.sh:
Clone the repository from GitHub
git clone --depth 1 https://github.com/drwetter/testssl.sh.git cd testssl.sh chmod +x testssl.sh
HAProxy Configuration (if applicable):
Confirm HAProxy is running with SSL/TLS enabled.
Verify the SSL port (default:
443) is exposed for testing.
Validating a PEM Certificate Locally
1. Check PEM File Syntax
Use OpenSSL to verify certificate file’s syntax:
openssl x509 -in <certificate_file>.pem -noout -text
This command:
Verifies the certificate’s syntax.
Displays details such s issuer, subject, validity period, and extensions.
To check the entire certificate chain (server + intermediate certificates), use:
openssl crl2pkcs7 -nocrl -certfile <certificate_file>.pem | openssl pkcs7 -print_certs -noout
This breaks down and lists all certificates in the chain.
2. Verify Certificate Matches Private Key
Ensure the certificate and private key correspond:
openssl x509 -noout -modulus -in <certificate_file>.pem | openssl md5 openssl rsa -noout -modulus -in <private_key>.key | openssl md5
The outputs must match.
3. Check Certificate Expiration
Confirm the certificate is within its validity period:
openssl x509 -in <certificate_file>.pem -noout -dates
This displays the notBefore and notAfter dates.
4. Verify Intermediate Certificate is Trusted
Use the following command to confirm that the intermediate certificate is signed by a trusted root:
openssl verify -CAfile <root_ca.pem> <certificate_file>.pem
Test with OpenSSL Local Server
You can test a PEM certificate directly by hosting it temporarily with a test server like openssl.
1. Start a Local Test Server
Use OpenSSL to serve the PEM certificate on a local port:
openssl s_server -accept 4433 -cert <certificate_file>.pem -key <private_key>.key
Replace
<certificate_file>.pemwith your PEM file.Replace
<private_key>.keywith the corresponding private key.
2. Run testssl.sh Against the Local Test Server
With the test server running (openssl), validate the certificate using testssl.sh:
./testssl.sh --certs https://127.0.0.1:4433
This checks:
Certificate validity.
Complete certificate chain.
Expiration and trustworthiness.
Using testssl.sh for HAProxy SSL/TLS Validation
1. Basic SSL/TLS Validation
Check the HAProxy SSL/TLS configuration:
./testssl.sh https://<haproxy_domain_or_IP>
This checks:
Supported protocols.
Available ciphers.
Certificate properties.
2. Certificate Chain Validation:
Ensure the full certificate chain is provided:
./testssl.sh --certs https://<haproxy_domain_or_IP>
This identifies:
Missing intermediate certificates.
Trust issues in the chain.
3. Testing Specific Front-ends
If HAProxy has multiple front-ends on different ports:
./testssl.sh https://<haproxy_domain_or_IP>:<port>
Example:
./testssl.sh https://haproxy.example.com:9091
Common Issues and Solutions
1. Verify Full Certificate Chain Delivery
HAProxy must be configured to provide the full certificate chain. Ensure the PEM file includes:
The server certificate.
Intermediate certificates.
You can concatenate certificates into a single PEM file as follows:
cat server.crt intermediate.crt > fullchain.pem
Update your HAProxy configuration to use the fullchain.pem:
frontend https_frontend
bind *:443 ssl crt /etc/haproxy/fullchain.pem
default_backend app_backend
2. Untrusted Certificate
Verify the root CA is trusted on client systems.
Cross-check using online tools like SSL Labs.
3. Incorrect Certificate Deployment
Verify the PEM file and private key:
openssl x509 -in /etc/haproxy/fullchain.pem -text -noout openssl rsa -in /etc/haproxy/server.key -check
4. SSL Configuration Errors
Validate HAProxy configuration:
haproxy -c -f /etc/haproxy/haproxy.cfg
Ensure the bind directive specifics correct SSL/TLS options.
Advanced Testing with testssl.sh
1. Check the Expiration Warnings
Run the following to get alerts about Certificates nearing expiration:
./testssl.sh --certs --warnings https://<haproxy_domain_or_IP>
2. Analyze Protocol and Cipher Support
HAProxy often uses a specific SSL/TLS configuration. Test supported protocols and ciphers:
./testssl.sh --protocols https://<haproxy_domain_or_IP> ./testssl.sh --ciphers https://<haproxy_domain_or_IP>
3. Generate Reports
Export results for documentation or reporting:
./testssl.sh --jsonfile haproxy_test.json https://<haproxy_domain_or_IP> ./testssl.sh --htmlfile haproxy_test.html https://<haproxy_domain_or_IP>
Troubleshooting HAProxy SSL Issues
Incomplete Certificate Chain
Ensure intermediate certificates are included in the
PEMfile.Use
testssl.sh --certsto identify missing certificates.
Certificate Not Trusted
Verify the root CA is trusted on client systems.
Use online tools like SSL Labs to cross-check.
SSL Configuration Errors
Check the HAProxy configuration file for syntax issues:
haproxy -c -f /etc/haproxy/haproxy.cfg
Ensure bind directives correctly specify SSL options.
Incorrect Certificate Deployment
Verify the certificate file and key are correct:
openssl x509 -in /etc/haproxy/fullchain.pem -text -noout openssl rsa -in /etc/haproxy/server.key -check
Example: Validating HAProxy SSL Certificate
./testssl.sh --certs https://haproxy.example.com:443
Expected Output:
Certificate is valid: Yes
Chain issues: None
Expiration: Valid until YYYY-MM-DD
Protocols and ciphers: Secure configurations
Summary
By following these instructions, you can effectively validate SSL/TLS certificates using OpenSSL and testssl.sh. These tools help ensure certificates are valid, chains are complete, and configurations are secure. Regular testing maintains a strong SSL/TLS posture for services like HAProxy.