Hi,
On Wed, Sep 20, Igor Cicimov wrote:
> I've been running haproxy with OCSP stapling for some time with a single
> ssl certificate. Now I'm trying to enable the same for multiple
> certificates but am getting an error:
>
> OCSP single response: Certificate ID does not match any certificate or
> issuer.
>
> The OCSP response itself from the provider is good:
>
> /etc/haproxy/ssl.d/${CERT}: good
> This Update: Sep 19 23:48:22 2017 GMT
> Next Update: Sep 26 23:03:22 2017 GMT
>
> for all certificates but when I try feeding the OCSP response file to the
> haproxy socket:
>
> # echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 ${CERT}.ocsp)" |
> socat stdio unix-connect:/run/haproxy/admin.sock
>
> I get the above error.
>
> As mentioned at the beginning, this is working fine with a single cert. Am I
> missing something or is this simply not possible?

I've multiple certs w/ocsp stapling so it should work.
Did you start haproxy with .ocsp files for all certs?
I think I might have seen the same error if I started haproxy w/out
cert1.ocsp and then tried to update ocsp for cert1.
-Jarno
--
Jarno Huuskonen
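
Added example, not part of the original thread: a pre-start check for the condition raised in the reply above, listing every certificate in a directory that has no companion `.ocsp` file before haproxy is started. The function name `missing_ocsp`, the `.pem` extension and the `<cert>.pem.ocsp` naming are assumptions; adjust them to match how `${CERT}` is named in your setup.

```shell
#!/bin/sh
# Pre-start check: list certificates that have no companion .ocsp file.
# Assumptions (not from the thread): certificates end in .pem and the
# OCSP response sits beside each one as <cert>.pem.ocsp.

# missing_ocsp DIR [EXT]
# Prints one path per certificate that lacks a .ocsp file.
# Returns 0 if every certificate is covered, 1 if any is missing,
# 2 if DIR is not a directory.
missing_ocsp() {
    dir=$1
    ext=${2:-pem}
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for cert in "$dir"/*."$ext"; do
        # An unmatched glob stays literal; skip it.
        [ -f "$cert" ] || continue
        if [ ! -f "$cert.ocsp" ]; then
            echo "$cert"
            rc=1
        fi
    done
    return $rc
}

# When run as a script with a directory argument, perform the check.
if [ $# -gt 0 ]; then
    missing_ocsp "$@"
fi
```

Run it against the certificate directory (for example `/etc/haproxy/ssl.d`) before starting or reloading haproxy; a non-zero exit status means at least one certificate would start without a stapled response.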