HAProxy issue after updating pfSense from 2.7.0 to 2.7.1

Since the update to the latest version of pfSense, our HAProxy doesn’t work anymore.

This is the message I get when trying to start HAProxy in the pfSense dashboard:
Cannot open command socket, HAProxy not running? (Connection refused) Cannot open command socket, HAProxy not running? (Connection refused)

And this is visible in the system log:

Dec 5 16:16:18 pfsm php-fpm[34706]: haproxy: check error output:
[NOTICE] (94833) : haproxy version is 2.8.3-86e043a
[NOTICE] (94833) : path to executable is /usr/local/sbin/haproxy
[WARNING] (94833) : config : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] (94833) : config : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] (94833) : config : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] (94833) : config : Loading: Unable to parse OCSP response. Content will be ignored.
[WARNING] (94833) : config : Loading: Unable to parse OCSP response. Content will be ignored.
[NOTICE] (94833) : config : config: Can't open global server state file '/tmp/haproxy_server_state': No such file or directory
Warnings were found. Configuration file is valid

Anyone have a solution of some kind?

If you google that it will point out that it’s having a hard time reading the certificate. Try re-issuing the cert.

Sorry, I am not very familiar with the system. How do I find out which certificate? I've got hundreds of certificates :(

The only message I see in the haproxy/log is:
Dec 11 12:03:10 pfsm haproxy[76748]: 192.XXX.X.XX:XXX45 [11/Dec/2023:12:03:10.571] Primary-107-APP-merged/XX.XXX.XX.107:443: SSL handshake failure (error:0A000076:SSL routines::no suitable signature algorithm)

Do the certificates have at least a sha256?

No, not SHA256. But the certificates use 2048-bit RSA.

Yes, they have to be 2048 or higher.

lol. I meant 2048 bits or higher. I don’t even know how I thought of sha256. Thanks for the clarification.
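For working out which of many certificates is affected, here is an added example (not part of the thread, and not pfSense or HAProxy project code): a shell script that reports, for each PEM bundle in a directory, the signature algorithm and RSA key size asked about above and whether the `.ocsp` file beside it decodes with `openssl`. It assumes the OCSP responses sit next to the bundles as `<name>.pem.ocsp`; the directory argument, function names and flag names are illustrative.

```shell
#!/bin/sh
# Added example: list each HAProxy PEM bundle with its signature algorithm,
# RSA key size and whether the OCSP file stored next to it can be decoded.
# Usage (DIR is whatever directory your "crt" entries point at): sh audit.sh DIR

# Signature algorithm of the first certificate in a PEM file.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Key size in bits if the first certificate holds an RSA key, else empty.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
             rsa && /Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }'
}

# True only if openssl decodes the file as an OCSP response with status
# "successful". The response signature is deliberately not verified here.
ocsp_parses() {
    openssl ocsp -respin "$1" -noverify -resp_text >/dev/null 2>&1
}

# One report line per *.pem in directory $1.
audit_dir() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        alg=$(cert_sigalg "$pem"); bits=$(cert_rsa_bits "$pem")
        ocsp=none; flags=""
        case "$alg" in
            "") flags="$flags UNREADABLE_CERT" ;;
            md5*|sha1*|*SHA1) flags="$flags WEAK_SIGNATURE" ;;
        esac
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            flags="$flags SHORT_RSA_KEY"
        fi
        if [ -f "$pem.ocsp" ]; then
            if ocsp_parses "$pem.ocsp"; then ocsp=ok
            else ocsp=unparseable; flags="$flags OCSP_UNPARSEABLE"; fi
        fi
        printf '%s sig=%s rsa_bits=%s ocsp=%s flags=%s\n' \
            "$pem" "${alg:-?}" "${bits:--}" "$ocsp" "${flags:- none}"
    done
}

if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

Lines whose flags are not `none` are the bundles to look at first; an `ocsp=unparseable` entry can be regenerated or removed without touching the certificate itself.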

I can’t figure it out. I just restored pfSense from a 1-month-old backup and HAProxy is still not responding as it should. Besides the previously reported error messages, nothing changes. I also have a snapshot of the linked volume, but I am afraid to use it :(. My setup consists of 2 different pfSense servers: 1 master server and one slave. The servers communicate with each other through CARP. What I am afraid of is that if I restore the server with the snapshot, the IP addresses (WAN, LAN and sync) will come to decay and maybe even the slave will break. Without the slave all the linked portals go down and I am much further from home. Perhaps I am worrying about nothing, but are these possible risks, or are the risks not so bad?

The strange thing is that a large part of the frontends and the backend still works on the master (HAProxy).

After debugging some of the non-working services, I get this error: The request was aborted: Could not create SSL/TLS secure channel. But all the frontends have valid certificates. Am I missing something?

I have an SSL troubleshooting guide that might help.