Hi Tim,

> On 23 Jan 2020, at 17:21, Tim Düsterhus <t...@bastelstu.be> wrote:
>
> Manu,
>
> On 21.01.20 at 12:42, Emmanuel Hocdet wrote:
>> Patches updated, depend on "[PATCH] BUG/MINOR: ssl:
>> ssl_sock_load_pem_into_ckch is not consistent"
>
> Out of curiosity:
>
>> +issuer-path <dir>
>> + Assigns a directory to load certificate chain for issuer completion. All
>> + files must be in PEM format. For certificates loaded with "crt" or
>> "crt-list",
>> + if certificate chain is not included in PEM (also commonly known as
>> intermediate
>> + certificate), haproxy will complete chain if issuer match the first
>> certificate
>> + of the chain loaded with "issuer-path". "issuer-path" directive can be set
>> + several times.
>
> Will HAProxy complete the chain if multiple intermediate certificates
> are required?
>
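Review bot: the "issuer-path" text does not say that completion is a single step, and that is exactly what the question above is about: only one file from the directory is appended, the one whose first certificate matches the issuer of the leaf, so a chain that needs several intermediates must have them bundled, in order, in that one file (the reply below confirms this). Suggest stating it explicitly, e.g. "haproxy will append the whole file whose first certificate matches the issuer of the loaded certificate; completion is not repeated, so a file must contain the full remaining chain." While at it, fix the grammar: "if issuer match the first certificate" should read "if the issuer matches the first certificate", and "will complete chain" should read "will complete the chain".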
Patch doesn't do that.

> Consider this:
>
> Root CA -> Intermediate CA -> Intermediate CB -> End Certificate

Usually, Root CA should not be included in the chain.

> I configure `issuer-path` to a directory that contains the following
> certificates:
>
> - Root CA
> - Intermediate CA
> - Intermediate CB

You should have a file with:
- intermediate CB + intermediate CA

> Then I configure a `crt` pointing to a file containing only the End
> Certificate.
>
> What will HAProxy send to the client?

End Certificate + intermediate CB + intermediate CA
The same as if you have a crt with End Certificate + intermediate CB + intermediate CA

++
Manu
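The behaviour Manu describes, as an added example that is not part of the patch or of HAProxy: the script below models the one-step issuer completion with openssl (assumed to be installed), generating a throwaway Root CA -> Intermediate CA -> Intermediate CB -> End Certificate hierarchy, then running the completion once against a directory with one certificate per file and once against a directory holding a "CB + CA" bundle. All names, file paths and the `complete_chain` helper are constructed for this illustration; the point it shows is that the split layout yields a chain that does not verify, while the bundled file does.

```shell
#!/bin/sh
# Added example: model the single-step issuer-path completion discussed in
# the thread. Assumes openssl is on PATH. Every certificate is generated
# here and is throwaway.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF

# newkey NAME: create an EC private key NAME.key
newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1.key" 2>/dev/null; }

# sign NAME SUBJECT ISSUER EXT: issue NAME.pem for SUBJECT, signed by ISSUER.{pem,key}
sign() {
  openssl req -new -key "$1.key" -subj "$2" -config req.cnf -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile req.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}

# Root CA -> Intermediate CA -> Intermediate CB -> End Certificate
newkey root; newkey ca; newkey cb; newkey leaf
openssl req -x509 -new -key root.key -subj "/CN=Root CA" -days 1 \
  -config req.cnf -extensions v3_ca -out root.pem 2>/dev/null
sign ca   "/CN=Intermediate CA" root v3_ca
sign cb   "/CN=Intermediate CB" ca   v3_ca
sign leaf "/CN=www.example.com" cb   v3_leaf

# dn FIELD FILE: subject or issuer of the *first* certificate in FILE, prefix stripped
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# complete_chain LEAF DIR OUT: hypothetical model of the directive's one-step
# completion. Append the first file in DIR whose first certificate's subject
# equals the leaf's issuer. Nothing is done recursively: if that file holds a
# single intermediate, the served chain stops there.
complete_chain() {
  cp "$1" "$3"
  want=$(dn issuer "$1")
  for f in "$2"/*.pem; do
    if [ "$(dn subject "$f")" = "$want" ]; then
      cat "$f" >> "$3"
      return 0
    fi
  done
  return 1
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verifies FILE: succeed if the chain in FILE validates leaf.pem up to root.pem
verifies() { openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1; }

# Layout 1: one certificate per file, as in the question.
mkdir split; cp ca.pem cb.pem split/
complete_chain leaf.pem split served_split.pem

# Layout 2: one file holding "intermediate CB + intermediate CA", as recommended.
mkdir bundle; cat cb.pem ca.pem > bundle/cb-chain.pem
complete_chain leaf.pem bundle served_bundle.pem

echo "split:  $(count_certs served_split.pem) certs, verify: $(verifies served_split.pem && echo ok || echo FAIL)"
echo "bundle: $(count_certs served_bundle.pem) certs, verify: $(verifies served_bundle.pem && echo ok || echo FAIL)"
```

The split layout serves End Certificate + Intermediate CB only, and `openssl verify` cannot reach the root because Intermediate CA was never appended; the bundled file serves End Certificate + CB + CA, which is the same chain a `crt` file carrying all three would produce. The Root CA is deliberately left out of both directories, matching the advice in the reply.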