On 04/10/2023 03:05, Shawn Heisey wrote:
On 10/3/23 01:33, Remi Tricot-Le Breton wrote:
This command relies on the same task that performs the automatic
update. What it does is basically add the certificate at the top of
the task's update list and wakes it up. The update is asynchronous so
we can't return a status to the CLI command.
In order to check if the update was successful you can display the
contents of the updated OCSP response via the "show ssl
ocsp-response" command. If the response you updated is also set to be
updated automatically, you can also use the "show ssl ocsp-updates"
command that gives the update success and failure numbers as well as
the last update status for all the responses registered in the auto
update list.
I have no idea how to get an interactive session going on the stats
socket so that I can see whatever response a command generates. The
only command I know for the socket is for the old-style OCSP update
where the OCSP response is obtained with openssl, converted to base64,
and sent to the socket. No response comes back when using socat in
this way.
You just have to run the following command:
$ echo "update ssl ocsp-response <path_to_cert>" | socat /path_to_socket/haproxy.sock -
This command does not return anything (which is normal because the
update will be performed asynchronously). You could see some log lines
being emitted by your haproxy (depending on your log configuration) such
as the following:
<134>Oct 4 13:28:49 haproxy[14955]: -:- [04/Oct/2023:13:28:49.910] <OCSP-UPDATE> /path_to_cert/server_ocsp.pem.rsa 1 "Update successful" 0 1
You can then either check the contents of your OCSP response:
$ echo "show ssl ocsp-response <path_to_cert>" | socat /path_to_socket/haproxy.sock -
or, if your tested OCSP response had the 'ocsp-update' option set to
'on', you could dump the contents of the update tree thanks to the "show
ssl ocsp-updates" command:
$ echo "show ssl ocsp-updates" | socat /tmp/haproxy.sock -
OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 | /path_to_cert/server_ocsp.pem.rsa | 04/Oct/2023:14:28:49 +0200 | 04/Oct/2023:13:28:49 +0200 | 1 | 0 | 1 | Update successful
The "Successes" and "Failures" counters should change when you call the
"update ssl ocsp-response" CLI command.
Here is my old script for OCSP updates, which I stopped using once I
learned how to set up haproxy to do it automatically:
https://paste.elyograg.org/view/5e88c914
Rémi LB
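The check Rémi describes above (fire "update ssl ocsp-response", then read the Successes/Failures counters from "show ssl ocsp-updates" because the update command itself replies nothing), as an added script that is not part of the thread or of HAProxy. The socket path, the certificate path and the sample table below are placeholders/constructed values, and socat is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: trigger a manual OCSP update over the
# HAProxy stats socket and confirm it through the "show ssl ocsp-updates"
# table. Socket path is a placeholder (override with HAPROXY_SOCK).
SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

hap_cli() {
    # Send one CLI command to the stats socket and print its reply.
    printf '%s\n' "$1" | socat "$SOCK" -
}

# Read the ocsp-updates table on stdin, pick the row for certificate path $1
# and print "<successes> <failures> <last update status string>".
# Columns: Certid | Path | Next | Last | Successes | Failures | Status | Status (str)
parse_ocsp_updates() {
    awk -F'|' -v path="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NR > 1 && trim($2) == path { print trim($5), trim($6), trim($8) }'
}

# Trigger the update for $1 and poll until a counter moves. Returns 0 on
# success, 1 when Failures grew, 2 if the cert is not in the auto-update
# tree (ocsp-update off, so the table cannot be used), 3 on timeout.
ocsp_update_check() {
    cert="$1"
    before=$(hap_cli "show ssl ocsp-updates" | parse_ocsp_updates "$cert")
    [ -n "$before" ] || { echo "$cert not in ocsp-updates table" >&2; return 2; }
    ok0=${before%% *}; rest=${before#* }; fail0=${rest%% *}
    hap_cli "update ssl ocsp-response $cert" >/dev/null   # reply is empty by design
    i=0
    while [ "$i" -lt 15 ]; do
        sleep 1
        now=$(hap_cli "show ssl ocsp-updates" | parse_ocsp_updates "$cert")
        ok=${now%% *}; rest=${now#* }; fail=${rest%% *}; status=${rest#* }
        [ "$ok" -gt "$ok0" ] && { echo "OK: $status"; return 0; }
        [ "$fail" -gt "$fail0" ] && { echo "FAILED: $status" >&2; return 1; }
        i=$((i + 1))
    done
    echo "timeout waiting for OCSP update of $cert" >&2
    return 3
}

# Constructed sample of "show ssl ocsp-updates" output, used for offline checks.
SAMPLE_TABLE='OCSP Certid | Path | Next Update | Last Update | Successes | Failures | Last Update Status | Last Update Status (str)
<certid> | /path_to_cert/server_ocsp.pem.rsa | 04/Oct/2023:14:28:49 +0200 | 04/Oct/2023:13:28:49 +0200 | 1 | 0 | 1 | Update successful'

# Live run only when a certificate path is supplied, e.g.
#   HAPROXY_OCSP_CERT=/path_to_cert/server_ocsp.pem.rsa sh ocsp_check.sh
if [ -n "${HAPROXY_OCSP_CERT:-}" ]; then ocsp_update_check "$HAPROXY_OCSP_CERT"; fi
```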