Closed candlerb closed 4 years ago
In case it was any help, I was able to make it work by doing
cd /opt/zato/cluster1/load-balancer/config/repo
cat zato-lba-priv-key.pem zato-lba-cert.pem >zato-lba-key-and-cert.pem
and putting either the absolute paths in haproxy config, or these relative ones:
bind 0.0.0.0:31223 ssl crt config/repo/zato-lba-key-and-cert.pem verify optional ca-file config/repo/zato-lba-ca-certs.pem
... and if there are intermediate CA certificates, their certificates also need to be appended to zato-lba-key-and-cert.pem - this is in the haproxy documentation
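The combined-PEM step from the comment above, as an added shell example that is not part of the issue: it builds the file in the order haproxy's crt directive expects (private key, leaf certificate, then intermediates) and refuses to write a bundle whose key and certificate do not belong together. The function names are this example's own; the file names are the ones the comment uses.

```shell
#!/bin/sh
# Added example, not from the issue: assemble the single PEM file that haproxy's
# "crt" directive loads, in the order haproxy expects (private key, leaf
# certificate, then any intermediate CA certificates), and refuse to write a
# bundle whose key and certificate do not belong together.

# List the PEM block types in a file, one per line (e.g. "PRIVATE KEY", "CERTIFICATE").
pem_block_types() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# Number of PEM blocks in a file: used to confirm the chain was appended.
count_pem_blocks() { pem_block_types "$1" | wc -l | tr -d ' '; }

# build_lb_bundle OUT KEY CERT [INTERMEDIATE_CERT...]
build_lb_bundle() {
    out=$1; key=$2; cert=$3; shift 3
    for f in "$key" "$cert" "$@"; do
        [ -r "$f" ] || { echo "unreadable input: $f" >&2; return 1; }
    done
    # The bundle contains the private key, so create it readable by the owner only.
    (umask 077; cat "$key" "$cert" "$@" > "$out") || return 1
    # Order check: haproxy reads the key first, then the certificate it belongs to.
    first=$(pem_block_types "$out" | sed -n 1p)
    second=$(pem_block_types "$out" | sed -n 2p)
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "bundle must start with the private key, found: $first" >&2; return 1 ;;
    esac
    [ "$second" = "CERTIFICATE" ] || { echo "second block must be the certificate" >&2; return 1; }
    # Cross-check with openssl when present: the public key inside the certificate
    # must equal the public half of the private key, or the TLS handshake fails.
    if command -v openssl >/dev/null 2>&1; then
        pub_k=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
            || { echo "cannot parse private key $key" >&2; return 1; }
        pub_c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) \
            || { echo "cannot parse certificate $cert" >&2; return 1; }
        [ "$pub_k" = "$pub_c" ] || { echo "key and certificate do not match" >&2; return 1; }
    fi
    return 0
}
```

Point the crt option of the bind line at the resulting file; a bundle rejected here would otherwise only surface as a startup error or a failed handshake.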
At https://zato.io/docs/admin/guide/tls/client-lb.html#accepting-ssl-tls-connections-client-certificates-optional it gives some text to append to the lb config to listen on SSL with incoming certificates.
I am trying this with zato 2.0.3
Adding the stanza and clicking "Validate and save" gives the following exception (reformatted here for clarity by converting \n to newline):
It seems that the ACL line is rejected. I checked at http://www.haproxy.org/download/1.4/doc/configuration.txt and I don't see any examples of req.fhdr
After commenting out the reqadd, acl and http-request deny lines, I get instead:
Maybe the version of haproxy which zato pulled in as a dependency is not SSL-aware? zato does not seem to depend on any specific version.
Aha: according to this article SSL support was only included in haproxy 1.5 :-(
However I have not found any mention in the zato docs of needing to pull in a newer haproxy from a third-party repo.
UPDATE: I installed haproxy 1.5 from the repo linked in the above article. The error changes to:
So this does seem to be the problem. I therefore suggest:
zato ca create server
(?) (with example)