@Negan you’re right. The client cert isn’t needed, but if you configure it, it’ll work.
As an example for other HAProxy users, the working conf:
Alternative 1:
bind IP:443 ssl crt /etc/ssl/certs/factura/SDI+key.pem ssl-min-ver TLSv1.0
Alternative 2 with client cert:
bind IP:443 ssl crt SDI+key.pem ca-file CA_Agenzia_delle_Entrate_all.pem ssl-min-ver TLSv1.0 verify required
Alternative workaround:
bind IP:443 ssl crt SDI+key.pem ca-file CA_Agenzia_delle_Entrate_all.pem ssl-min-ver TLSv1.0 verify optional ca-ignore-err all
But the CA_Agenzia_delle_Entrate_all.pem file contains two certs inside: the first one is the same one we commented on before, equal to the one in the file CA_Agenzia_delle_Entrate.pem, and the second one… maybe it’s an intermediate cert? But it’s invalid by date at this moment (yet it works, strange).
Content of CA_Agenzia_delle_Entrate_all.pem:
Certificate1:
Data:
Version: 3 (0x2)
Serial Number: 1073776 (0x106270)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = IT, O = Agenzia delle Entrate, OU = Servizi Telematici, CN = CA Agenzia delle Entrate
Validity
Not Before: May 31 11:27:58 2011 GMT
Not After : May 31 11:26:11 2021 GMT
Certificate2:
Data:
Version: 3 (0x2)
Serial Number: 7166 (0x1bfe)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = it, O = Agenzia delle Entrate, OU = Servizi Telematici, CN = CA Agenzia delle Entrate Test
Validity
Not Before: Dec 6 15:22:45 2010 GMT
Not After : Dec 6 15:21:52 2020 GMT
Up until this moment, please correct me if I’m wrong:
Old CA_Agenzia_delle_Entrate.pem (s/n 1073776) will be replaced by new CAEntrate_prod.der (s/n 2376274465471078202)
But what is going to replace CA_Agenzia_delle_Entrate_all.pem, in fact the second certificate (s/n 7166)? Is this the file that we’re going to receive by mail?
Thanks,
Note: Get serial number with “openssl x509 -in CAEntrate_prod.der -noout -text”
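An added helper, not from the poster or from HAProxy, for inspecting a CA bundle like the one above: it splits the PEM file into its individual certificates and prints each one's serial, issuer and validity window, flagging certs that openssl considers already expired (which is how the second, out-of-date cert in the bundle would show up). It assumes the bundle path is passed as an argument and that openssl is installed; `-serial` prints the serial in hex, the decimal form appears in `-text` output.

```shell
#!/bin/sh
# Usage: describe_bundle /path/to/CA_Agenzia_delle_Entrate_all.pem  (path is an assumption)

# count_certs FILE: number of PEM certificate blocks in a bundle (0 if none)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert FILE N: print only the N-th PEM block (1-based) of the bundle,
# from its BEGIN line through its END line
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# describe_bundle FILE: serial, subject, issuer and dates of every cert in the
# bundle; "openssl x509 -checkend 0" exits non-zero when the cert has already expired
describe_bundle() {
    total=$(count_certs "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        echo "== Certificate $i of $total =="
        nth_cert "$1" "$i" | openssl x509 -noout -serial -subject -issuer -dates
        if nth_cert "$1" "$i" | openssl x509 -noout -checkend 0 >/dev/null; then
            echo "status: not expired"
        else
            echo "status: EXPIRED (notAfter is in the past)"
        fi
        i=$((i + 1))
    done
}
```

Run it against both the old and the new bundle to compare serials with the ones quoted above.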