On Wed, Sep 20, 2017 at 4:00 PM, Jarno Huuskonen <[email protected]>
wrote:

> Hi,
>
> On Wed, Sep 20, Igor Cicimov wrote:
> > I've been running haproxy with OCSP stapling for some time with a single
> > ssl certificate. Now I'm trying to enable the same for multiple
> > certificates but am getting an error:
> >
> > OCSP single response: Certificate ID does not match any certificate or
> > issuer.
> >
> > The OCSP response itself from the provider is good:
> >
> > /etc/haproxy/ssl.d/${CERT}: good
> >     This Update: Sep 19 23:48:22 2017 GMT
> >     Next Update: Sep 26 23:03:22 2017 GMT
> >
> > for all certificates but when I try feeding the OCSP response file to the
> > haproxy socket:
> >
> > # echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 ${CERT}.ocsp)" |
> > socat stdio unix-connect:/run/haproxy/admin.sock
> >
> > I get the above error.
> >
> > As mentioned at the beginning, this is working fine with a single cert. Am I
> > missing something or is this simply not possible?
>
> I've multiple certs w/ocsp stapling so it should work.
>
> Did you start haproxy with .ocsp files for all certs?
>
> I think I might have seen the same error if I started haproxy w/out
> cert1.ocsp and then tried to update ocsp for cert1.
>
> -Jarno
>
> --
> Jarno Huuskonen
>

Yep, thanks Jarno, I went and found my notes on ocsp and realised that's
what I was missing.
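
A pre-start check for the situation in this thread, as an added example that is not part of the original messages: it lists certificates that have no `.ocsp` file beside them, and only sends `set ssl ocsp-response` updates once every certificate has one. The function names and the `<name>.pem` / `<name>.pem.ocsp` directory layout are assumptions; the `socat` call is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: certificates are
# <name>.pem in one directory, each response is stored as <name>.pem.ocsp.

# List certificates with no .ocsp file beside them. Per the thread, haproxy
# has to be started with these files in place before a runtime update works.
# Returns 0 when every certificate is covered, 1 otherwise.
missing_ocsp() {
    mo_rc=0
    for mo_cert in "$1"/*.pem; do
        [ -e "$mo_cert" ] || continue        # glob matched nothing
        if [ ! -e "$mo_cert.ocsp" ]; then
            printf '%s\n' "$mo_cert"
            mo_rc=1
        fi
    done
    return "$mo_rc"
}

# Build the runtime command for one response file (single-line base64).
ocsp_update_cmd() {
    printf 'set ssl ocsp-response %s\n' "$(base64 < "$1" | tr -d '\n')"
}

# Send an update for every response file. Stops early if any certificate
# has no response file, because that file must exist when haproxy starts.
push_ocsp_updates() {   # usage: push_ocsp_updates DIR SOCKET
    if ! pu_missing=$(missing_ocsp "$1"); then
        printf 'start haproxy with a .ocsp file for:\n%s\n' "$pu_missing" >&2
        return 1
    fi
    for pu_resp in "$1"/*.pem.ocsp; do
        [ -e "$pu_resp" ] || continue
        ocsp_update_cmd "$pu_resp" | socat stdio "unix-connect:$2" || return 1
    done
}
```

Running `missing_ocsp` before haproxy starts (for example from the service's pre-start hook) catches the missing file before a later socket update fails with the "Certificate ID does not match" error.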
