On 30/09/2023 09:20, Shawn Heisey wrote:
> On 9/28/23 02:29, Remi Tricot-Le Breton wrote:
>> That's really strange, the OCSP update mechanism does not have
>> anything to do with proxies. Are you sure you did not have a crash
>> and autorestart of your haproxy ?
>
> I did not think that I had autorestart for haproxy, but it turns out
> that the service file created by the systemd stuff in the source repo
> DOES have "Restart=always".
>
> After I changed that to never and did systemctl daemon-reload, I
> discovered that at the top of the hour, something caused systemd to
> reload the service. From systemctl status haproxy:
>
> Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_gitlab_8881 stopped (cumulated conns: FE: 0, BE: 0).
> Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_gitlab2_8881 stopped (cumulated conns: FE: 0, BE: 0).
> Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_artifactory_8082 stopped (cumulated conns: FE: 0, BE: 0).
> Sep 30 01:00:02 smeagol haproxy[234282]: [WARNING] (234282) : Proxy be_zabbix_81 stopped (cumulated conns: FE: 0, BE: 0).
> Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : New worker (236124) forked
> Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : Loading success.
> Sep 30 01:00:02 smeagol systemd[1]: Reloaded HAProxy Load Balancer.
> Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : haproxy version is 2.8.3-0499db-3
> Sep 30 01:00:02 smeagol haproxy[234279]: [NOTICE] (234279) : path to executable is /usr/local/sbin/haproxy
> Sep 30 01:00:02 smeagol haproxy[234279]: [WARNING] (234279) : Former worker (234282) exited with code 0 (Exit)
>
> There are no relevant systemd timers, nothing in user crontabs,
> nothing in the various cron.* directories that could cause this. I did
> compile haproxy with systemd support ... can haproxy itself ask
> systemd for a reload?
>
>> A way to check for a possible crash in the OCSP update code would be
>> to use the "update ssl ocsp-response <certfile>" from the CLI as
>> well. It would use most of the OCSP update code so if a crash were to
>> happen you might see it this way.
>
> Can you explain to me how to do this and see any output? I tried
> piping the command to socat talking to the stats proxy socket, and got
> no response. I think I do not know how to use socat correctly for this.

This command relies on the same task that performs the automatic update.
What it does is basically add the certificate at the top of the task's
update list and wake it up. The update is asynchronous, so we can't
return a status to the CLI command.
In order to check if the update was successful you can display the
contents of the updated OCSP response via the "show ssl ocsp-response"
command. If the response you updated is also set to be updated
automatically, you can also use the "show ssl ocsp-updates" command that
gives the update success and failure numbers as well as the last update
status for all the responses registered in the auto update list.
Rémi LB
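The CLI interaction Rémi describes (kick the update task with "update ssl ocsp-response", then read the counters with "show ssl ocsp-updates"), as an added example that is not part of this thread or of HAProxy's own code. It assumes the stats socket is a UNIX socket (path given by the caller; on a real host this would be something like the `stats socket` path in haproxy.cfg, with a level that permits the update command), that HAProxy answers one newline-terminated command per connection and then closes, and that "show ssl ocsp-updates" prints a header line followed by one " | "-separated row per registered response; the column names and the sample rows below are constructed, and the parser keys on whatever header it finds. A small mock socket server is included so the example runs offline; against a real instance, drop the mock and point `trigger_and_check` at the real socket (the equivalent one-liner is `echo "show ssl ocsp-updates" | socat stdio /path/to/haproxy.sock`).

```python
import os
import socket
import tempfile
import threading

# Constructed sample output for "show ssl ocsp-updates" (not captured from a
# real instance): a header line, then one " | "-separated row per response in
# the auto-update list.  The exact column names are an assumption.
SAMPLE_OCSP_UPDATES = (
    "OCSP Certid | Path | Next Update | Last Update | Successes | Failures"
    " | Last Update Status | Last Update Status (str)\n"
    "303b300906052b0e03021a0500 | /etc/haproxy/certs/example.pem"
    " | 30/Sep/2023:02:00:00 +0000 | 30/Sep/2023:01:00:02 +0000 | 3 | 0"
    " | 0 | Update successful\n"
    "303b300906052b0e03021a0501 | /etc/haproxy/certs/other.pem"
    " | 30/Sep/2023:02:00:00 +0000 | - | 0 | 1 | 2 | Unknown error\n"
)


def haproxy_cli(socket_path, command, timeout=5.0):
    """Send one command to the stats socket and return the whole reply.

    HAProxy reads a newline-terminated command, writes its answer and then
    closes the connection, so the command must end with "\\n" and the reply
    is read until EOF rather than until some prompt appears.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(command.rstrip("\n").encode() + b"\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_ocsp_updates(text):
    """Turn the "show ssl ocsp-updates" table into one dict per row, keyed by
    the header names, with the success/failure counters converted to int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip() for h in lines[0].split(" | ")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split(" | ")]
        if len(cells) != len(header):
            continue  # ignore lines that do not follow the header layout
        row = dict(zip(header, cells))
        for key in ("Successes", "Failures"):
            if key in row and row[key].isdigit():
                row[key] = int(row[key])
        rows.append(row)
    return rows


def responses_with_failures(rows):
    """Certificate paths whose automatic OCSP update has failed at least once."""
    return [r["Path"] for r in rows
            if isinstance(r.get("Failures"), int) and r["Failures"] > 0]


def trigger_and_check(socket_path, cert_path):
    """Kick the update task for one certificate, then read the counters.

    The update runs asynchronously inside HAProxy, so the first command
    returns no status of its own; on a real instance, wait (or poll until the
    "Last Update" column changes) before trusting the second command.  Only
    responses registered for automatic update appear in the table.
    """
    haproxy_cli(socket_path, "update ssl ocsp-response " + cert_path)
    rows = parse_ocsp_updates(haproxy_cli(socket_path, "show ssl ocsp-updates"))
    return responses_with_failures(rows)


def serve_mock_stats_socket(socket_path, replies, connections):
    """Constructed stand-in for the stats socket so the example runs offline:
    answers one newline-terminated command per connection, then closes."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    srv.listen(connections)

    def handler():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while b"\n" not in buf:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                cmd = buf.split(b"\n", 1)[0].decode()
                conn.sendall(replies.get(cmd, "Unknown command.\n").encode())
        srv.close()

    threading.Thread(target=handler, daemon=True).start()


def demo():
    """Run trigger_and_check against the mock; returns the paths with failures."""
    sock = os.path.join(tempfile.mkdtemp(), "haproxy.sock")
    serve_mock_stats_socket(sock, {
        "update ssl ocsp-response /etc/haproxy/certs/example.pem": "",
        "show ssl ocsp-updates": SAMPLE_OCSP_UPDATES,
    }, connections=2)
    return trigger_and_check(sock, "/etc/haproxy/certs/example.pem")


if __name__ == "__main__":
    print(demo())
```

The mock replies with an empty body to the update command, which matches the point made above that the update cannot return a status; the only way to see whether the task did its job is the counters and the "Last Update Status" column afterwards, which is what `responses_with_failures` reads.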