Hi Shawn,

See the note at the end of http://docs.haproxy.org/2.8/configuration.html#5.1-ocsp-update

Specifically:

> A common error that can happen with let's encrypt certificates is if the DNS resolution provides an IPv6 address and your system does not have a valid outgoing IPv6 route. In such a case, you can either create the appropriate route or set the "httpclient.resolvers.prefer ipv4" option in the global section.

Hopefully that fixes your issue, as it did when I had the same issue.

Tristan

ps: I hope this message doesn't get sent as html, since I'm writing from my phone... apologies if it ends up doing so

> On 16 Aug 2023, at 01:37, Shawn Heisey <[email protected]> wrote:
>
> I've got another haproxy install on which I am trying to enable automatic
> OCSP updating. The ones I asked about before are personal, this one is for
> work.
>
> When haproxy looks up the host where it can get OCSP responses, it is getting
> an ipv6 address.
>
> Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.103] <OCSP-UPDATE> /etc/ssl/certs/local/imat_us.wildcards.combined.pem 2 "HTTP error" 1 0
> Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.104] <OCSP-UPDATE> -/- 48/0/-1/-1/46 503 217 - - SC-- 0/0/0/0/3 0/0 {2600:1405:7400:13::17de:1b94} "GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRA%2BzJf7gt%2BI21Isq6Sy8pDxg%3D%3D HTTP/1.1"
>
> If I try the URL in the second log line with curl, I get the proper response.
> The curl program is getting an ipv4 address.
>
> I thought it might be doing this because the machine did have an ipv6 local
> link address, so I completely disabled ipv6 with the grub commandline and
> rebooted. Now there is no ipv6 address, but haproxy is still getting an ipv6
> address for r3.o.lencr.org.
>
> I couldn't locate any config for haproxy that would disable ipv6. Is there a
> way to fix this problem?
>
> HAProxy version 2.8.2 2023/08/09 - https://haproxy.org/
> Status: long-term supported branch - will stop receiving fixes around Q2 2028.
> Known bugs: http://www.haproxy.org/bugs/bugs-2.8.2.html
> Running on: Linux 4.18.0-477.21.1.el8_8.x86_64 #1 SMP Thu Aug 10 13:51:50 EDT 2023 x86_64
> Build options :
>   TARGET  = linux-glibc
>   CPU     = native
>   CC      = cc
>   CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
>   OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
>   DEBUG   =
>
> Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB
>
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=4).
> Built with OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
> Running on OpenSSL version : OpenSSL 3.1.2+quic 1 Aug 2023
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
> OpenSSL providers loaded : default
> Built with network namespace support.
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> Built with PCRE2 version : 10.32 2018-09-10
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-18)
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>        quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
>          h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
>        fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
>   <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
>          h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
>   <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
>        none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
>
> Available services : none
>
> Available filters :
>         [BWLIM] bwlim-in
>         [BWLIM] bwlim-out
>         [CACHE] cache
>         [COMP] compression
>         [FCGI] fcgi-app
>         [SPOE] spoe
>         [TRACE] trace
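The remedy from the quoted documentation, written out as an added configuration example (not from the thread or from the HAProxy project). File paths, the bind line and the backend address are assumptions; the certificate path is the one in Shawn's log lines, and per-certificate ocsp-update is enabled through a crt-list entry as HAProxy 2.8 expects.

```haproxy
# /etc/haproxy/haproxy.cfg (assumed path)
global
    log stdout format raw local0
    # OCSP responses are fetched by HAProxy's internal httpclient, not by
    # the system's curl. Without the line below, DNS may hand it an IPv6
    # address for r3.o.lencr.org; with no usable outgoing IPv6 route the
    # fetch fails and the log shows the 503 / "HTTP error" OCSP-UPDATE pair.
    # The alternative remedy is a working outgoing IPv6 route on the host.
    httpclient.resolvers.prefer ipv4

frontend fe_https
    mode http
    bind :443 ssl crt-list /etc/haproxy/certs.list   # assumed crt-list path
    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080   # assumed backend address

# /etc/haproxy/certs.list (assumed path): one entry per certificate, with
# ocsp-update switched on for the certificate from the thread's log lines.
#
#   /etc/ssl/certs/local/imat_us.wildcards.combined.pem [ocsp-update on]
```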
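A defender-side check for the pattern in Shawn's log, added here as an example (not code from the thread or from HAProxy): it parses the httpclient half of the `<OCSP-UPDATE>` log pairs and reports when every failed fetch targeted an IPv6 literal while IPv4 fetches succeeded. The first two sample lines are copied from the thread; the 200 line is constructed.

```python
"""Flag HAProxy <OCSP-UPDATE> fetches that failed against an IPv6 literal.

Added example, not code from the thread or from HAProxy. The first two log
lines copy the thread; the 200 line is constructed (RFC 5737 address)."""
import ipaddress
import re

# httpclient half of an OCSP-UPDATE log pair: timers, HTTP status, bytes,
# then the address HAProxy connected to in braces, then the request line.
HTTPCLIENT_RE = re.compile(
    r'<OCSP-UPDATE> -/- \S+ (?P<status>\d{3}) \d+ .*?'
    r'\{(?P<addr>[^}]+)\} "(?P<method>\S+) (?P<url>\S+) HTTP/'
)

SAMPLE_LOG = """\
Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.103] <OCSP-UPDATE> /etc/ssl/certs/local/imat_us.wildcards.combined.pem 2 "HTTP error" 1 0
Aug 15 18:27:30 - haproxy[11234] -:- [15/Aug/2023:18:27:30.104] <OCSP-UPDATE> -/- 48/0/-1/-1/46 503 217 - - SC-- 0/0/0/0/3 0/0 {2600:1405:7400:13::17de:1b94} "GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRA%2BzJf7gt%2BI21Isq6Sy8pDxg%3D%3D HTTP/1.1"
Aug 15 18:30:00 - haproxy[11234] -:- [15/Aug/2023:18:30:00.001] <OCSP-UPDATE> -/- 12/0/1/1/14 200 1240 - - ---- 0/0/0/0/0 0/0 {192.0.2.10} "GET http://r3.o.lencr.org/constructed-example HTTP/1.1"
"""

def parse_ocsp_fetches(log_text: str) -> list[dict]:
    """One record per httpclient OCSP fetch; the summary lines carry no address."""
    fetches = []
    for line in log_text.splitlines():
        m = HTTPCLIENT_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"))
        try:
            version = ipaddress.ip_address(m.group("addr")).version
        except ValueError:  # not a bare IP literal; leave the family unknown
            version = None
        fetches.append({
            "status": status,
            "addr": m.group("addr"),
            "ipv6": version == 6,
            "url": m.group("url"),
            "ok": 200 <= status < 300,
        })
    return fetches

def ipv6_only_failures(fetches: list[dict]) -> bool:
    """True when every failed fetch went to IPv6 and some fetch succeeded over
    IPv4: the thread's pattern, for which the documented remedies are a working
    outgoing IPv6 route or 'httpclient.resolvers.prefer ipv4' in global."""
    failed = [f for f in fetches if not f["ok"]]
    return (bool(failed)
            and all(f["ipv6"] for f in failed)
            and any(f["ok"] and not f["ipv6"] for f in fetches))
```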