VMware Horizon Community
krag
Contributor

HAproxy load balancer and SSL certificates

I've just set up a HAproxy as a load balancer in front of two view security servers which have SSL certificates installed.

I can successfully connect to vmview-security1.example.org and vmview-security2.example.org, but if I connect to vmview-lb.example.org the view client (5.0) comes back saying the certificate presented does not match the hostname, which is correct as HAproxy is forwarding requests onto one of the security servers and it's their SSL certificate that's being presented.

Is anyone doing something similar? I'm wondering if I need to be running stunnel on the load balancer to take care of this?

0 Kudos
5 Replies
markbenson
VMware Employee

If you install certificates on each Security Server for vmview-lb.example.org instead of vmview-security1.example.org and vmview-security2.example.org this should ensure that you will get a name match when the certificates are checked.

Mark.

0 Kudos
krag
Contributor

Thanks, I tried that and whilst the certificate is present (i.e. I can browse to http://vmview-lb.example.org with a web browser and the certificate is correctly displaying the generic name), when connecting with view it must return the name of the actual security server somewhere in the reply, as I'm now getting the same error, certificate doesn't match, but with the generic SSL certificate, not the security server.

Is there a way to have multiple certificates installed in the keystore or set up some kind of alias?

0 Kudos
markbenson
VMware Employee

Are you entering http://vmview-lb.example.org at your View Client? Does this hostname match that of the SSL server certificate? If so this should work.

Mark.

0 Kudos
krag
Contributor

Yes, I'm entering the load balancer name in the view client, vmview-lb.example.org.

I can browse to https://vmview-lb.example.org fine, but when connecting using the view client something must be returning the FQDN of the security server in the reply and the SSL certificate (vmview-lb.example.org) then no longer matches the hostname (vmview-sec1.example.org).

0 Kudos
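
The two mismatches described in the posts above, reproduced as an added example that is not from any poster and is not VMware or HAProxy code: a Python implementation of the DNS-name comparison a TLS client applies to a certificate (RFC 6125 style, a generalization that also covers wildcard names). The function names and SAN lists are constructed for illustration and assume the load balancer passes TLS through to the security servers, as the first post describes.

```python
# Added example: certificate name checking as a TLS client performs it.
# All SAN lists are constructed sample data based on the thread's hostnames.

def name_matches(hostname, pattern):
    """Compare the name the client dialled with one DNS name from a cert."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard covers exactly one label
    if pat[0] == "*":
        # Wildcard only as the entire left-most label, above a 2+ label suffix.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_valid_for(hostname, san_dns_names):
    """True if any DNS name in the certificate matches the dialled hostname."""
    return any(name_matches(hostname, n) for n in san_dns_names)


def check_passthrough(dialled, backend_sans):
    """With TLS pass-through the client may be handed any backend's cert,
    so report per backend whether that cert matches the dialled name."""
    return {b: cert_valid_for(dialled, sans) for b, sans in backend_sans.items()}


LB = "vmview-lb.example.org"
SEC1 = "vmview-security1.example.org"
SEC2 = "vmview-security2.example.org"

# Constructed: each security server holds a certificate for its own name.
PER_HOST = {SEC1: [SEC1], SEC2: [SEC2]}
# Constructed: both security servers hold a certificate for the LB name.
SHARED = {SEC1: [LB], SEC2: [LB]}
# Constructed: one certificate listing all three names as SAN entries.
MULTI = {SEC1: [LB, SEC1, SEC2], SEC2: [LB, SEC1, SEC2]}

if __name__ == "__main__":
    print(check_passthrough(LB, PER_HOST))   # first post: mismatch
    print(check_passthrough(LB, SHARED))     # LB name now matches
    print(check_passthrough(SEC1, SHARED))   # client sent to server name: mismatch
    print(check_passthrough(SEC1, MULTI))    # all names listed: match
```
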
giejo
Contributor

Hi,

I have exactly the same setup and the same problem.

Do you have a solution?

My PCoIP client complains about a certificate that doesn't match the hostname.

Thanks in advance

0 Kudos