Hi all,

First, thanks for haproxy which is really valuable to us.

I'm trying to set up HAproxy so it does OCSP stapling. This works when I
create the $certname.ocsp file and reload haproxy, but I'm trying to get
it to work by using the socket.

The following works for me:
1. Create .ocsp file
2. Reload haproxy (requests are served with OCSP stapled)
3. Issue "set ssl ocsp-response <base64 encoded response>" to socket.
4. HAproxy responds with "OCSP Response updated!"

However, the following does not work:
1. Start HAproxy without the .ocsp file present.
2. Issue "set ssl ocsp-response <same base64 encoded response>" to socket.
3. HAproxy responds with "OCSP single response: Certificate ID does not
match any certificate or issuer.", requests lack OCSP stapled.

So am I right to conclude that you can only use the socket based
approach to update OCSP responses if one was already present on-disk
previously? The source code seems to confirm this reading.

If so, I'd like it to become possible, because I'd prefer to be able to
set this entirely via the socket approach, and not have to special-case
the initial condition where the response was not present. If not, am I
doing something wrong?


Cheers,
Thijs
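As an added example (not from Thijs' post or from the HAProxy project), a POSIX shell script that pushes an OCSP response over the stats socket and, when HAProxy reports that the certificate ID matches nothing it has loaded, falls back to writing the `$certname.ocsp` file and reloading, which is the initial-state special case described above. The socket path, certificate path, response file and the `socat`/`systemctl` tooling are assumptions.

```shell
#!/bin/sh
# Constructed example: update HAProxy's stapled OCSP response via the stats
# socket, handling the case where no response is loaded yet for the cert.
# Assumed: socat is installed and HAProxy is managed by systemd.

SOCKET="${HAPROXY_SOCKET:-/var/run/haproxy.sock}"   # assumed socket path

# Build the stats-socket command from a DER-encoded OCSP response file.
# HAProxy expects the response base64-encoded on a single line.
build_ocsp_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Classify HAProxy's reply (the two strings quoted in the post):
# 0 = response accepted, 1 = no matching certificate/issuer loaded, 2 = other.
classify_reply() {
    case "$1" in
        *"OCSP Response updated!"*)                      return 0 ;;
        *"does not match any certificate or issuer"*)    return 1 ;;
        *)                                               return 2 ;;
    esac
}

# Send the command to the stats socket and print HAProxy's reply.
send_ocsp() {
    build_ocsp_cmd "$1" | socat stdio "UNIX-CONNECT:$SOCKET"
}

# update_ocsp <certificate.pem> <response.der>
# Try the socket first; if HAProxy has no response loaded for this
# certificate yet, place <certificate.pem>.ocsp next to it and reload.
update_ocsp() {
    cert="$1"; der="$2"
    reply="$(send_ocsp "$der")"
    rc=0; classify_reply "$reply" || rc=$?
    case "$rc" in
        0) echo "OCSP response updated via socket" ;;
        1) echo "no response loaded yet; writing $cert.ocsp and reloading" >&2
           cp "$der" "$cert.ocsp" && systemctl reload haproxy ;;
        *) echo "unexpected reply from haproxy: $reply" >&2; return 1 ;;
    esac
}
```

Once a response has been loaded by either path, later refreshes can go through `update_ocsp` again and will take the socket branch.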
