Hi,
On Mon, Apr 06, Vasileios Tzimourtos wrote:
> /usr/bin/openssl ocsp -noverify -issuer $ROOT_CERT_FILE -cert
> $SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce -header Host `echo
> "$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE
> echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000
> $OCSP_FILE)" | socat $HAPROXY_SOCKET stdio
Can you run openssl ocsp w/out -noverify (and maybe -VAfile) ?
So something like:
/usr/bin/openssl ocsp -issuer $ROOT_CERT_FILE \
-cert $SERVER_CERT_FILE -url "$OCSP_URL" -no_nonce \
-header Host `echo "$OCSP_URL" | cut -d"/" -f3` -respout $OCSP_FILE \
[ -VAfile $ROOT_CERT_FILE [-validity_period 300] ]
> Running the above script returns that all is OK and that ocsp
> response was updated
Do you get any messages about ocsp response if you reload haproxy/check
configuration sometime after creating the ocsp response ?
> /etc/haproxy/certs/mycertificate.crt.pem: good
>     This Update: Apr 6 08:28:46 2015 GMT
>     Next Update: Apr 6 08:33:46 2015 GMT
> OCSP Response updated!
Out of curiosity which CA issues responses for only 5min ?
Haproxy defaults.h has:
#define OCSP_MAX_RESPONSE_TIME_SKEW 300
In commit 4f3c87a5d942d4d0649c35805ff4e335970b87d4 there's:
" Haproxy stops serving OCSP response if nextupdate date minus
the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is
in the past.
"
Your problem may be that the ocsp response is valid for 5min(300s)
Quick check to test this could be to compile haproxy with
different OCSP_MAX_RESPONSE_TIME_SKEW (< 300) ?
-Jarno
--
Jarno Huuskonen
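As an added example that is not part of this thread (neither HAProxy's nor the posters' code), the skew rule discussed above applied to the quoted openssl output: it parses the This Update / Next Update lines and decides whether HAProxy would still serve the staple. The sample output is constructed from the timestamps in the thread, and treating the exact boundary (nextUpdate minus skew equal to now) as already expired is my assumption about HAProxy's comparison.

```python
"""Check an OCSP response against HAProxy's OCSP_MAX_RESPONSE_TIME_SKEW rule.

HAProxy stops serving a staple once (nextUpdate - skew) is in the past, so a
response valid for only 300 s is unusable with the default skew of 300 s.
"""
from datetime import datetime, timedelta, timezone

OCSP_MAX_RESPONSE_TIME_SKEW = 300  # seconds; HAProxy's default from defaults.h

# Constructed sample of what `openssl ocsp ... -respout` prints; the two
# timestamps mirror the ones quoted in the thread (five-minute window).
SAMPLE_OCSP_OUTPUT = """\
/etc/haproxy/certs/mycertificate.crt.pem: good
\tThis Update: Apr  6 08:28:46 2015 GMT
\tNext Update: Apr  6 08:33:46 2015 GMT
"""


def parse_ocsp_times(text):
    """Return (this_update, next_update) as timezone-aware UTC datetimes."""
    times = {}
    for line in text.splitlines():
        line = " ".join(line.split())  # collapse openssl's space-padded day field
        for key in ("This Update", "Next Update"):
            if line.startswith(key + ":"):
                stamp = line.split(":", 1)[1].strip()
                parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
                times[key] = parsed.replace(tzinfo=timezone.utc)
    return times["This Update"], times["Next Update"]


def seconds_until_rejected(next_update, now, skew=OCSP_MAX_RESPONSE_TIME_SKEW):
    """Seconds left before HAProxy would drop the staple (negative = already dropped)."""
    deadline = next_update - timedelta(seconds=skew)
    return int((deadline - now).total_seconds())


def haproxy_accepts(next_update, now, skew=OCSP_MAX_RESPONSE_TIME_SKEW):
    """True only while nextUpdate minus the skew is still strictly ahead of 'now'."""
    return seconds_until_rejected(next_update, now, skew) > 0


if __name__ == "__main__":
    this_update, next_update = parse_ocsp_times(SAMPLE_OCSP_OUTPUT)
    # Evaluate at the instant the response was produced: the best case.
    for skew in (OCSP_MAX_RESPONSE_TIME_SKEW, 60):
        ok = haproxy_accepts(next_update, this_update, skew)
        left = seconds_until_rejected(next_update, this_update, skew)
        print(f"skew={skew:3d}s  accepted={ok!s:5}  seconds_left={left}")
```

With the default skew the staple is rejected at the moment it is issued; rebuilding with a smaller skew (or getting a CA response with a longer window) is what makes it servable.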