Hi Lukas, frontend cluster:443 bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d default_backend cluster capture request header Host len 255
--- HA-Proxy version 1.5.8 2014/10/31 Copyright 2000-2014 Willy Tarreau <w...@1wt.eu> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.7 Compression algorithms supported : identity, deflate, gzip Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.30 2012-02-04 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. --- If ocsp file is too old or empty for example, i got warning. Regards, On Fri, 17 Jul 2015 21:50:34 +0200, Lukas Tribus <luky...@hotmail.com> wrote : > Hi Marc, > > > > > Hi all, > > > > I have some problem making ocsp stapling working. here is what i did : > > > > I have 8150.pem with chain, cert and key in it. > > > > I have 8150.pem.ocsp that seems ok : > > > > # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain > > OCSP Response Data: > > OCSP Response Status: successful (0x0) > > Response Type: Basic OCSP Response > > Version: 1 (0x0) > > Responder Id: 9F10D9EDA5260B71A677124526751E17DC85A62F > > Produced At: Jul 9 09:47:04 2015 GMT > > Responses: > > Certificate ID: > > Hash Algorithm: sha1 > > Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761 > > Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7 > > Serial Number: 11216784E7CA1813F3AD922B60EAF6428EE0 > > Cert Status: good > > This Update: Jul 9 09:47:04 2015 GMT > > Next Update: Jul 9 21:47:04 2015 GMT > > > > No error/warn at haproxy launching but not sure haproxy is loading .ocsp > > file because no notice in log. > > > > But nothing in tlsextdebug : > > > > echo Q | openssl s_client -connect www.beluc.fr:443 -servername > > www.beluc.fr -tlsextdebug -status -CApath /etc/ssl/certs > > [...] > > OCSP response: no response sent > > [...] > > > > Do you see smth wrong ? What can i do in order to debug? > > Can you provide the output of "haproxy -vv" please and a > config snippet (the frontend ssl configuration)? > > Do you see a warning if 8150.pem.ocsp contains garbage when you restart > haproxy? > > > > Regards, > > Lukas > > > -- Marc-Antoine