haproxy
New warning in haproxy 2.6 couldn't load '/etc/pki/tls/certs/ca-bundle.trust.crt'
Detailed Description of the Problem
[WARNING] (19169) : config : ca-file: '@system-ca' couldn't load '/etc/pki/tls/certs/ca-bundle.trust.crt'
This has appeared since the following commit:
f1344b3cee9c190f0cf4081b72e0544c47f3eb11 is the first bad commit
commit f1344b3cee9c190f0cf4081b72e0544c47f3eb11
Author: William Lallemand <[email protected]>
Date: Tue Apr 26 12:00:06 2022 +0200
MEDIUM: httpclient: re-enable the verify by default
Since the httpclient verify now has a fallback which disable the SSL in
the httpclient without exiting haproxy at startup, we can safely
re-enable it by default.
It could still be disabled with "httpclient-ssl-verify none".
The file is readable by all and is the system's default.
Expected Behavior
Haproxy to start without the warning
Steps to Reproduce the Behavior
/apps/haproxy/bin/haproxy -D -f /apps/haproxy/etc/ -p /apps/haproxy/bin/haporxy.pid
Do you have any idea what may have caused this?
f1344b3cee9c190f0cf4081b72e0544c47f3eb11 is the first bad commit
Do you have an idea how to solve the issue?
Putting the following into the global section avoids the warning:
httpclient.ssl.verify none
This is different from what the commit says.
What is your configuration?
Haproxy was built and runs on RHEL7.9
0-haproxy.cfg:
global
log 127.0.0.1:514 local0 info
chroot /apps/haproxy/lib
user wasadm
group was
daemon
stats socket 127.0.0.1:14567
stats socket /apps/haproxy/bin/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
hard-stop-after 30s
maxconn 2048
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 300000
timeout server 300000
default-server init-addr last,libc,none
1-proxy.cfg:
frontend proxyfront
mode http
bind *:8080
acl squiddat_src src -f /apps/haproxy/extra-configs/squid_dat_src.txt
use_backend back_dat if squiddat_src
acl squidnft_src src -f /apps/haproxy/extra-configs/squid_nft_src.txt
use_backend back_nft if squidnft_src
backend back_dat
mode http
option httpchk GET http://127.0.0.1:10200/probe.html HTTP/1.0
option forwardfor
option httpclose
option forwardfor header X-Client
server server_server1 server1.example.com:10280 check send-proxy
server server_server2 server2.example.com:10280 check send-proxy
backend back_nft
mode http
option httpchk GET http://127.0.0.1:26000/probe.html HTTP/1.0
option forwardfor
option httpclose
option forwardfor header X-Client
server server_server1 server1.example.com:26080 check send-proxy
server server_server2 server2.example.com:26080 check send-proxy
Output of haproxy -vv
HAProxy version 2.6.1 2022/06/21 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.1.html
Running on: Linux 3.10.0-1160.66.1.el7.x86_64 #1 SMP Wed Apr 27 20:34:34 UTC 2022 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O3 -march=corei7-avx -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -fPIE -fstack-protector-all -fno-strict-aliasing -D_FORTIFY_SOURCE=2
OPTIONS = USE_PCRE_JIT=1 USE_LIBCRYPT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA= USE_ZLIB=1 USE_TFO=1 USE_NS=1 USE_PROMEX=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL -LUA +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=8).
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with the Prometheus exporter as a service
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 4.8.5 20150623 (Red Hat 4.8.5-44)
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Last Outputs and Backtraces
No response
Additional Information
No response
I've had a similar one for which I e-mailed William, but he's on vacation, so we'll have to wait for his return as it's mostly an annoyance and not critical.
I've changed the code back to SSL_SOCK_VERIFY_NONE locally, as our ansible deploy jobs were failing with the warning
There are 2 issues here:
- The httpclient SSL initialization still emits a warning when it must fail silently
- The ca-file directory loading does not seem to work correctly.
I made some tests with openssl 1.0.2 and it looks like X509_STORE_add_cert() in 1.0.2 has difficulties with duplicates in the same X509_STORE. I couldn't make it work with another version, so I will have to check with Willy if that's the same issue.
The linked patch should fix that part of the issue.
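Added example, not code from this issue or from the HAProxy project: a small Python script that checks a PEM bundle for the duplicate entries William describes, which OpenSSL 1.0.2's X509_STORE_add_cert() refuses when a loader adds the same certificate to one store twice. It keys each entry on the DER bytes of the certificate itself, so a certificate listed once as a plain CERTIFICATE block and once as a TRUSTED CERTIFICATE block (the OpenSSL trust format appends trust settings after the certificate, as in RHEL's ca-bundle.trust.crt) is still recognised as one certificate. The sample bundle is constructed from minimal DER SEQUENCEs that stand in for real certificates; the default input path and the write-out option are assumptions for illustration.

```python
"""Report and remove duplicate certificates in a PEM CA bundle.

OpenSSL 1.0.2's X509_STORE_add_cert() fails when a certificate is already in
the store, so a bundle that lists the same CA twice can make a loader emit an
error for the whole file.  Entries are keyed on the DER bytes of the
certificate SEQUENCE only, ignoring the trust settings a TRUSTED CERTIFICATE
entry appends after it.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)
CERT_LABELS = ("CERTIFICATE", "TRUSTED CERTIFICATE")


def der_first_element(data: bytes) -> bytes:
    """Return the first top-level DER SEQUENCE, i.e. the certificate proper.

    A TRUSTED CERTIFICATE entry is that SEQUENCE followed by a second SEQUENCE
    of trust/reject settings; slicing at the declared length drops the latter.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad DER length")
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    end = offset + length
    if end > len(data):
        raise ValueError("truncated DER")
    return data[:end]


def iter_certs(pem_text: str):
    """Yield (block index, label, sha256 of certificate DER, raw block)."""
    for idx, m in enumerate(PEM_BLOCK.finditer(pem_text)):
        label = m.group("label")
        if label not in CERT_LABELS:       # keys, CRLs etc. are left alone
            continue
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        cert = der_first_element(der)
        yield idx, label, hashlib.sha256(cert).hexdigest(), m.group(0)


def find_duplicates(pem_text: str) -> dict:
    """Map fingerprint -> [(block index, label), ...] for certs seen twice or more."""
    seen = {}
    for idx, label, fp, _ in iter_certs(pem_text):
        seen.setdefault(fp, []).append((idx, label))
    return {fp: entries for fp, entries in seen.items() if len(entries) > 1}


def dedupe_bundle(pem_text: str) -> str:
    """Return the bundle with only the first occurrence of each certificate.

    The first block is kept verbatim (including any TRUSTED CERTIFICATE trust
    settings) rather than rewritten, so no trust or distrust marker is lost.
    """
    out, seen = [], set()
    for _, _, fp, block in iter_certs(pem_text):
        if fp in seen:
            continue
        seen.add(fp)
        out.append(block)
    return "\n".join(out) + "\n"


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins, not real certificates: minimal DER SEQUENCEs.
CERT_A = b"\x30\x03\x02\x01\x01"
CERT_B = b"\x30\x03\x02\x01\x02"
AUX = b"\x30\x00"  # empty trust-settings SEQUENCE, as the TRUSTED format appends
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", CERT_A)
    + _pem("CERTIFICATE", CERT_B)
    + _pem("TRUSTED CERTIFICATE", CERT_A + AUX)  # same cert as block 0
    + _pem("CERTIFICATE", CERT_A)                 # verbatim repeat of block 0
)


def main(argv):
    # Assumed default path for illustration; pass another bundle as argv[1]
    # and an optional output path as argv[2] to write a de-duplicated copy.
    path = argv[1] if len(argv) > 1 else "/etc/pki/tls/certs/ca-bundle.trust.crt"
    with open(path, encoding="ascii", errors="replace") as f:
        text = f.read()
    dups = find_duplicates(text)
    for fp, entries in dups.items():
        print(f"{fp[:16]}... appears {len(entries)} times at blocks {entries}")
    if len(argv) > 2:
        with open(argv[2], "w") as f:
            f.write(dedupe_bundle(text))
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample bundle, `find_duplicates` reports one certificate at blocks 0, 2 and 3, and `dedupe_bundle` leaves two blocks. The reason to bother: the workaround in this issue, `httpclient.ssl.verify none`, silences the warning by switching off certificate verification for every outbound request the internal httpclient makes. If the 2.6 build cannot be patched, keeping verification on and pointing `httpclient.ssl.ca-file` at a bundle that loads cleanly (such as a de-duplicated copy) is the safer configuration. De-duplication keeps the first block verbatim on purpose: rewriting a TRUSTED CERTIFICATE entry as a plain CERTIFICATE would discard any reject/purpose settings it carries.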
Hi, I've cherry-picked https://github.com/haproxy/haproxy/commit/4348232231f8ac652c166c5cf49e5024fac40751 to 2.6.1 and I can confirm the warning has gone.
This sorts our automated deploys of configs, which look for warnings and halt deploys.