Hello Tristan,
On 06/07/2023 13:24, Tristan wrote:
> Hello,
>
> I'm trying to make use of the new ocsp-update mechanism, and finding
> no success (yet).
>
> I've migrated my crt bind arguments to a crt-list argument (+ relevant
> file) and that loads in and gets used fine, but despite having
> "ocsp-update on" on the lines, I'm not seeing any ocsp update being
> triggered (and naturally there are no ocsp responses being returned).
>
> Relevant outputs:
>
> $ echo "show ssl crt-list" | socat - /var/run/haproxy/admin.sock
> /etc/haproxy/ssl/crtlist-mdex-public-direct.conf
> ...
>
> $ echo "show ssl crt-list /etc/haproxy/ssl/crtlist-mdex-public-direct.conf" | socat - /var/run/haproxy/admin.sock
> /etc/haproxy/ssl/mangadex.dev.pem ocsp-update on mangadex.dev *.mangadex.dev

The ocsp-update option should be between brackets:

/etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev *.mangadex.dev

> $ echo "show ssl ocsp-updates" | socat - /var/run/haproxy/admin.sock
> OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
>
> One potential hint I find is when using "update ssl ocsp-response <certfile>":
>
> $ echo "update ssl ocsp-response /etc/haproxy/ssl/mangadex.dev.pem" | socat - /var/run/haproxy/admin.sock
> 'update ssl ocsp-response' only works on certificates that already have a known OCSP response.
> Can't send ocsp request for /etc/haproxy/ssl/mangadex.dev.pem!
>
> And indeed, the (cli command) docs mention:
>
> > This command will only work for certificates that already had a stored
> > OCSP response, either because it was provided during init or if it was
> > previously set through the "set ssl cert" or "set ssl ocsp-response"
> > commands
>
> So then:
> - does the ocsp-update feature also require an initial OCSP response
> to start at all, like the cli command?

No, it will try to get the missing OCSP update responses right after init.

> - if so, why? (and we should get that documented on the ocsp-update flag)
> - does the OCSP update mechanism update the files on-disk?

No, we never write anything on disk.

> - if not, what happens if upon restart/reload of HAProxy the .ocsp
> file is outdated? will HAProxy aggressively try to get an up-to-date
> response before starting its listeners or will I be risking ssl issues
> by enabling OCSP must-staple with it?

The OCSP update mechanism will not block anything, it runs alongside all
the "regular" HAProxy tasks.
If I remember correctly, you cannot load outdated OCSP responses so you
should not face this particular problem. But if you have many
certificates for which OCSP update was activated and no OCSP response
was provided, fetching all the missing responses will indeed take some
time and OCSP stapling will temporarily fail for the given server
certificates.
Please note that the 'show ssl ocsp-response' command can now dump an OCSP
response in base64 so that you can write the updated OCSP responses to
your filesystem yourself.

> (Probably not super relevant, but this is with HAProxy 2.8.1 and
> QuicTLS 1.1.1t)
>
> Thanks in advance,
> Tristan
Rémi
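Added example (not part of the thread and not HAProxy project code): the crt-list entry written the way Rémi describes it, with the per-certificate option inside square brackets, next to the bracket-less form from Tristan's output, plus the bind line that loads the list. Certificate and crt-list paths are reused from the thread; the frontend name and bind address are made up for illustration.

```haproxy
# /etc/haproxy/ssl/crtlist-mdex-public-direct.conf
# (added example, not the thread's own file)
#
# Wrong: without brackets, everything after the certificate path is read as
# SNI filters, so "ocsp-update" and "on" become two bogus filter names, no
# update is scheduled, and "show ssl ocsp-updates" stays empty.
#/etc/haproxy/ssl/mangadex.dev.pem ocsp-update on mangadex.dev *.mangadex.dev
#
# Correct: per-certificate options go in square brackets, before the
# SNI filters. The CLI echoes the line back with the brackets intact.
/etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev *.mangadex.dev

# /etc/haproxy/haproxy.cfg, frontend excerpt (name and address are
# hypothetical); the crt-list replaces the former "crt" bind argument.
frontend fe_public
    bind :443 ssl crt-list /etc/haproxy/ssl/crtlist-mdex-public-direct.conf
```

After a reload, "show ssl crt-list /etc/haproxy/ssl/crtlist-mdex-public-direct.conf" should print the bracketed line, and "show ssl ocsp-updates" should list the certificate once the updater has picked it up; as Rémi notes, the first fetch happens after init and does not block the listeners, so stapling for that certificate is absent until it completes. If you want a stored response available at the next restart, dump it with "show ssl ocsp-response" in base64 as the thread mentions (the exact argument form is assumed here from that remark and the 2.8 documentation) and save the decoded DER next to the certificate as /etc/haproxy/ssl/mangadex.dev.pem.ocsp; HAProxy never writes that file itself, and an expired response in it will not load.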