Hi Willy, Emeric,

Can you consider this patch? I think it's safe and it does not depend on any OpenSSL version. (It's possible since patch f6b37c67.)

++
Manu

> On 16 June 2017 at 10:48, Emmanuel Hocdet <[email protected]> wrote:
>
>> On 15 June 2017 at 16:42, Simos Xenitellis <[email protected]> wrote:
>>
>> On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet <[email protected]> wrote:
>>> In haproxy 1.8dev, default certificate can now be optional.
>>> This patch allows that.
>>>
>>
>> Thanks Manu for looking into this.
>>
>> Here is my use-case:
>>
>> 1. A "frontend" would bind on port 80 and then look whether a request
>> is from Letsencrypt (URL: ~/.well-known/..). That is, an "http-01"
>> challenge request.
>> If so, it would forward the connection to a backend that deals with
>> certificates (that backend initiated this request in the first place).
>> If it is not an "http-01" challenge request, then it would redirect to https.
>>
>> 2. Another frontend would bind to port 443, and the "bind" line would
>> have a new keyword like "disable-if-no-certs".
>> If there are no certs yet installed, haproxy would cancel out the
>> whole frontend for port 443 and would not bind port 443.
>>
>>
>> Ideally, this would be implemented cleanly if there was a way to simply
>> specify
>>
>> use_frontend myhttps if { ssl_certs_exist }
>>
>> Also, we could then specify to redirect to https (first frontend
>> earlier) if { ssl_certs_exist }.
>>
>
> With this patch you will not need such complicated needs.
> Just do:
> bind :443 ssl strict-sni crt /my/cert/directory/
>
> Without this patch you need to have at least one certificate (fake or not).
>
>>
>> For this to work, it would require:
>>
>> 1. Addition of keyword "use_frontend", just like "use_backend" exists.
>> 2. HAProxy should set "ssl_certs_exist" when it loads up, depending on
>> whether certificates have been found or not.
>>
>> Simos
>>
>>
>>>
>>>> On 29 May 2017 at 11:09, Emmanuel Hocdet <[email protected]> wrote:
>>>>
>>>>
>>>> Hi Simos,
>>>>
>>>> The workaround is to have a default (fake) certificate in first and use
>>>> the "strict-sni" parameter.
>>>>
>>>> Manu
>>>>
>>>>> On 22 May 2017 at 10:28, Simos Xenitellis <[email protected]> wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I am trying to automate some tasks with adding multiple https
>>>>> (LetsEncrypt) websites,
>>>>> and using HAProxy as a TLS Termination Proxy.
>>>>>
>>>>> The problem is that when you start off with an empty server, there are
>>>>> no certificates yet,
>>>>> and it is not possible to have "bind *:443 ssl crt
>>>>> /etc/haproxy/certs/..." in haproxy.cfg.
>>>>>
>>>>> LetsEncrypt can work with http, so it could easily use the "bind *:80"
>>>>> front-end in the beginning.
>>>>>
>>>>> Is there a way to express "If no certificates are found in
>>>>> /etc/haproxy/certs/, then do not bind *:443"?
>>>>>
>>>>> Simos
>>>>>
>>>>
>>>
>>>
>
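The setup Simos describes in the thread (a port 80 frontend that hands ACME http-01 challenge requests to the certificate backend and redirects everything else to HTTPS, plus a port 443 bind on a certificate directory with strict-sni) written out as a haproxy.cfg fragment. This is an added example, not a configuration posted in the thread; the section names, the ACME client address 127.0.0.1:8888, the application backend 127.0.0.1:8080 and the directory /etc/haproxy/certs/ are assumptions.

```haproxy
# Added example (not from the thread). Assumed addresses and paths.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # http-01 challenges arrive under this well-known path; only those
    # requests are allowed through in plain HTTP.
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme_client if acme_challenge
    # Everything else is sent to HTTPS.
    http-request redirect scheme https code 301 unless acme_challenge

backend acme_client
    # Assumed: the ACME client (the component that requested the
    # challenge in the first place) listens here.
    server acme 127.0.0.1:8888

frontend https_in
    # strict-sni: a handshake whose SNI matches no loaded certificate is
    # rejected instead of being answered with the default certificate.
    # With the optional-default-certificate change discussed in the thread
    # the directory may be empty on first start; without it, the directory
    # must hold at least one (possibly placeholder) certificate, loaded
    # first so that it becomes the default.
    bind *:443 ssl strict-sni crt /etc/haproxy/certs/
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

With an empty directory and strict-sni, every TLS handshake on 443 fails until a certificate is present, which is the intended behaviour during bootstrap. Certificates dropped into the directory later are only picked up on a reload, so the ACME client's post-issuance hook still has to trigger one.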

