Problem with load balancing web app (CyberArk's pvwas) with HAProxy over ssl

[pavanhkrc]

I have some difficulties with setting up a load balancer for a web app (CyberArk's pvwas, but i'm not sure it matters). Here is my certificate and page.cfg config file info:

`Subject:

CN=my.machine.name.in.DNS.A.record

Subject Alternative Name:

DNS name=page1.I.want.to.lb

DNS name=page2.I.want.to.lb `

`global

log 127.0.0.1 local0

resolvers dns

nameserver localdns x.x.x.x:53

hold valid 2s

frontend web_lb

bind my.machine.name.in.DNS.A.record.domain.name:443 ssl cert /path/to/my/cert.pem

timeout client 1h

default_backend web

backend web

balance leastconn

mode http

timeout server 1h

timeout connect 4s

server web1 page1.I.want.to.lb.domain.name:443 check resolvers dns

server web2 page1.I.want.to.lb.domain.name:443 check resolvers dns`

I am sure my dns settings are fine, I just can't figure out whether problem is in my certificate or on the webpage site (i can go there straight through page1.I.want.to.lb and page2.I.want.to.lb). Haproxy service restarts fine and haproxy -f /path... -c says config file is valid. My haproxy version is 2.4.17 and I'm using CentOS 9.

I was already load balancing some apps using tcp mode and i am sure dns settings work. I also disabled requiring ssl on one server (hosting page1.I.want.to.lb), but still couldn't load page via LB dns's name

 

[Antonio Turner]

It sounds like you have a valid configuration for HAProxy, but are having trouble getting the SSL certificate to work properly with the load balancer. One possible issue could be with the Subject Alternative Name (SAN) field in the certificate. The SAN field should contain the DNS names that the certificate is valid for, and in your case it appears that it is only set to "page1.I.want.to.lb" and "page2.I.want.to.lb". If the DNS name for the load balancer is different from these, the certificate will not be considered valid for the load balancer.
Another possible issue could be that the certificate is not being correctly located by HAProxy. You can verify the path to the certificate in the 'bind' line of the 'frontend' configuration and ensure that the certificate is present in the specified location.It could also be a problem with the dns resolution, you can try to use IP addresses instead of DNS names in the server configuration, and check if this solves the problem.