@list: sorry for the incorrect subject in my previous answer. At some point the subject changed when email was saved and encrypted in Drafts.
On 28/11/2018 18:59, Moemen MHEDHBI wrote:
> Hi Igor,
>
> On 11/27/18 12:48 AM, Igor Cicimov wrote:
>> Hi Moemen,
>>
>> On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI <[email protected]> wrote:
>>> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>>>
>>> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> # haproxy -v
>>>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>>>> Copyright 2000-2018 Willy Tarreau <[email protected]>
>>>>
>>>> I noticed that in case of multiple domains and OCSP setup:
>>>>
>>>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>>>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>>>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>>>
>>>> I get an OCSP response from haproxy only for one of the domains,
>>>> domain.com. Tested via:
>>>>
>>>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>>>> -status -servername domain[234].com
>>>>
>>>> Is this expected?
>>> Any comments/ideas regarding this? Further noticed that OCSP code probably
>>> does not check the certificates' SANs and matches only based on the CN in
>>> the subject, since the calls to whatever.domain.tld get stapled but to
>>> domain.tld do not.
>>>
>>> Hi Igor,
>>>
>>> Testing OCSP on multiple certificates with different domains (based on the
>>> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>>>
>>> Are you using multiple certs with the same CN but different SANs?
>> The certificates belong to completely separate domains, so not
>> subdomains of the same domain like in your case. They are also
>> wildcard certs, so here is the layout:
>>
>> # ls -1 /etc/haproxy/ssl.d/
>> star_domain1_com.crt
>> star_domain1_com.crt.ocsp
>> star_domain2_com.crt
>> star_domain2_com.crt.ocsp
>> star_domain3_com.crt
>> star_domain3_com.crt.ocsp
>>
>> # for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout -subject -in $i; done
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
>> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com
>>
>> The SAN only contains the certificate's domain and nothing else, for
>> example for domain3.com:
>>
>> X509v3 Subject Alternative Name:
>> DNS:*.domain3.com, DNS:domain3.com
>>
>> The haproxy bind line in the frontend looks like:
>>
>> bind *:443 ssl crt /etc/haproxy/ssl.d/ ...
>>
>> And here is the output of the daily cronjob that updates the OCSP for
>> haproxy:
>>
>> Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)
>>
>> /etc/haproxy/ssl.d/star_domain1_com.crt: good
>> This Update: Nov 25 17:39:11 2018 GMT
>> Next Update: Dec 2 16:54:11 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain2_com.crt: good
>> This Update: Nov 24 20:49:57 2018 GMT
>> Next Update: Dec 1 20:04:57 2018 GMT
>> OCSP Response updated!
>> /etc/haproxy/ssl.d/star_domain3_com.crt: good
>> This Update: Nov 25 14:09:00 2018 GMT
>> Next Update: Dec 2 13:24:00 2018 GMT
>> OCSP Response updated!
>>
>> I can confirm this is working as intended on other servers I have with
>> 1.7.11 and 1.8.14, so it must be something specific to this one that I
>> struggle to understand (to be even more confusing, it is all being
>> set up by Ansible in the same way as everywhere else).
>>
>> Under what circumstances would a setup like this not work in terms of
>> OCSP? Example:
>>
>> $ echo | openssl s_client -connect server:443 -tlsextdebug -status -servername domain1.com | grep -E 'OCSP|domain1'
>> depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN = *.domain1.com
>> verify return:1
>> DONE
>> OCSP response: no response sent
>> 0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>> subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>>
>> Thanks for your input by the way, very much appreciated.
>
> If I am understanding this correctly, when you use the naked domain
> 'domain1.com' you don't get an OCSP response (despite the domain being
> mentioned in the SAN extension).
>
> Is this the case for all the domains or only one of them? I am asking
> this since you're mentioning multiple domains.
>
> I was testing the same config with HA-Proxy version 1.8.14 2018/09/20
> without being able to reproduce this.
>
> $ echo quit | openssl s_client -connect localhost:443 -servername 'example.org' -status | egrep 'OCSP|example'
> OCSP response:
> OCSP Response Data:
> OCSP Response Status: successful (0x0)
> Response Type: Basic OCSP Response
> OCSP Nonce:
> subject=/C=FR/ST=PARIS/O=MMH/OU=server/CN=*.example.org
>
> I only get "no response sent" when the "naked" domain is not mentioned
> in the SAN, which is expected.
>
>
>> I can confirm this is working as intended on other servers I have with
>> 1.7.11 and 1.8.14, so it must be something specific to this one that I
>> struggle to understand (to be even more confusing, it is all being
>> set up by Ansible in the same way as everywhere else).
> Ok, so no surprise that I cannot reproduce this since I am using 1.8.14
> (latest release of the 1.8 branch) and you confirm that you don't have
> issues with this version, but rather with the 1.8.14-1ppa1~xenial
> version (from Vincent Bernat's PPA I suppose). What is strange is that I
> am expecting 1.8.14-1ppa1~xenial to be the same as HA-Proxy version
> 1.8.14 2018/09/20. I will double check though and get back to you.
>
> Regards,
> --
> Moemen MHEDHBI
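As an added example (not part of the thread, and not HAProxy's own tooling), the POSIX shell script below automates the two checks the thread turns on: it runs the same `openssl s_client -status` probe with SNI for a list of server names and classifies the answer, and it tests whether a name is actually covered by a certificate's SAN entries with correct single-label wildcard semantics, which is what the CN-versus-SAN hypothesis above needs to rule in or out. Server and domain names are placeholders; `openssl x509 -ext` assumes OpenSSL 1.1.1 or later.

```shell
# Added example, not from the thread or HAProxy: reproduce the s_client
# stapling test for several server names and check SAN coverage.
# Classify `openssl s_client -status` output read on stdin:
# prints "stapled", "none" (no response sent) or "unknown".
ocsp_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Does NAME match one SAN dNSName PATTERN? A leading "*." covers exactly one
# extra leftmost label (RFC 6125): *.domain1.com covers a.domain1.com but
# neither domain1.com nor a.b.domain1.com. Comparison is case-insensitive.
san_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*) suffix=${pattern#\*.}
              [ "${name#*.}" = "$suffix" ] && [ "$name" != "$suffix" ] ;;
        *)    [ "$name" = "$pattern" ] ;;
    esac
}

# Is NAME covered by a SAN extension as printed by openssl x509,
# e.g. "DNS:*.domain3.com, DNS:domain3.com"? Non-DNS entries are ignored.
name_in_san() {
    for san in $(printf '%s' "$2" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'); do
        san_matches "$1" "$san" && return 0
    done
    return 1
}

# Does the PEM file CERT cover NAME? (-ext needs OpenSSL 1.1.1 or later)
cert_covers() {
    name_in_san "$2" "$(openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null)"
}

# Same probe as in the thread: connect to SERVER:443 with SNI NAME and
# ask for a stapled OCSP response; prints "NAME: stapled|none|unknown".
check_stapling() {
    st=$(echo | openssl s_client -connect "$1:443" -servername "$2" -status 2>/dev/null | ocsp_status)
    echo "$2: $st"
}

# Usage: sh ocsp_check.sh SERVER NAME [NAME ...]   (placeholders, constructed)
[ $# -ge 2 ] && { srv=$1; shift; for n in "$@"; do check_stapling "$srv" "$n"; done; }
```

Running it against both the naked and a wildcard-covered name of each certificate (for example `sh ocsp_check.sh server domain1.com www.domain1.com`) shows in one pass whether only some SNI values get a stapled response, and `cert_covers` confirms the same names are present in the certificate's SAN.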

