On 6/14/2016 10:31 AM, Thijs Kinkhorst wrote:
> However, the following does not work:
> 1. Start HAproxy without the .ocsp file present.
> 2. Issue "set ssl ocsp-response <same base64 encoded response>" to socket.
> 3. HAproxy responds with "OCSP single response: Certificate ID does not
> match any certificate or issuer.", requests lack OCSP stapled.
Possible workaround: I have a script that I built that runs once an hour via cron. It handles both scenarios. The script updates the .ocsp files for all certs in its config file. If the ocsp update succeeds, a "set" command is also sent to haproxy via the socket. This means that I have up-to-date .ocsp files at all times. Haproxy will work properly on restart, and the socket commands keep the running process current.

I *do* think that it should be possible to handle the scenario you outlined above. I'm not sure whether the current behavior is a limitation in openssl or haproxy, but I think it should be fixed.

Thanks,
Shawn
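The hourly cron workaround Shawn describes, written out as an added shell example (this is not his script): it refreshes one certificate's .ocsp file with `openssl ocsp` and, only when that fetch verifies and reports "good", pushes the same response to the running HAProxy through the stats socket, so the file covers restarts and the socket command covers the live process. It assumes openssl and socat are installed; the socket path and the certificate and issuer paths are placeholders.

```shell
#!/bin/sh
# Added example of the hourly .ocsp refresh workaround; not Shawn's script.
# Assumes openssl and socat; HAPROXY_SOCK and the cert paths are placeholders.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Build the runtime-API command from a DER response: base64 on a single line,
# which is what "set ssl ocsp-response" expects on the socket.
set_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Fetch a fresh DER OCSP response for cert $1 (signed by issuer $2) into $3.
# $3 is replaced only when the responder signature verifies against the
# issuer and the status is "good"; otherwise the previous .ocsp stays in place.
fetch_ocsp() {
    cert="$1"; issuer="$2"; out="$3"
    tmp="$(mktemp)"
    uri="$(openssl x509 -in "$cert" -noout -ocsp_uri)"
    result="$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
                -CAfile "$issuer" -respout "$tmp" 2>&1 || true)"
    if printf '%s\n' "$result" | grep -q 'Response verify OK' &&
       printf '%s\n' "$result" | grep -q "^$cert: good"; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Refresh one certificate: HAProxy loads <crt>.ocsp next to the cert on
# (re)start, and the socket command updates the already-running process.
refresh() {
    cert="$1"; issuer="$2"; ocsp="$cert.ocsp"
    if fetch_ocsp "$cert" "$issuer" "$ocsp"; then
        set_cmd "$ocsp" | socat stdio "unix-connect:$HAPROXY_SOCK"
    fi
}

# Invoked from cron, e.g. hourly:
#   ocsp-refresh.sh /etc/haproxy/certs/site.pem /etc/haproxy/certs/issuer.pem
if [ $# -eq 2 ]; then
    refresh "$1" "$2"
fi
```

Run it once per certificate listed in your config; a failed fetch leaves the old .ocsp untouched and sends nothing to the socket, so HAProxy keeps stapling the last good response.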

