Hi William,

> On 27 Jan 2020 at 16:55, Emmanuel Hocdet <m...@gandi.net> wrote:
>>
>> With ‘ssl crt foo.pem chain bar.pem’, or crt-list with ‘foo.pem [chain bar.pem]’,
>> deduplicating the chain looks like deduplicating ca-file.
>> Finding ocsp_issuer with this chain doesn't work directly, but it seems doable.
>> For the CLI, reloading a cert when its chain is updated also seems complicated,
>> though perhaps less problematic than other solutions.
>>
>
> Proposal for the ‘chain’ parameter:
> https://github.com/ehocdet/haproxy/commits/chain
>
This approach is really too complicated to use and a source of errors. The first patch alone, « issuer-path » (moved to « issuers-chain-path »), really does a better job.

For the possible reload of chain certificates (as you suggested), both are equivalent in complexity. ‘set ssl issuers-chain <path> <payload>’ with « issuers-chain-path » should accept <payload> only if it is compatible with the stored issuers-chain (<path>) (via SKID).

I will send a new patch for « issuers-chain-path » with corrections.

++
Manu
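For readers following the thread, here is the « issuers-chain-path » approach Emmanuel prefers, written out as a minimal HAProxy configuration. This is an added illustration, not a patch or configuration from the thread or from the HAProxy project; the directory layout and file names are assumptions, and the behaviour described in the comments is that of the `issuers-chain-path` global keyword as it later shipped in HAProxy, not of the proposed `set ssl issuers-chain` CLI command, which is only discussed above.

```haproxy
# Added example (not from the thread): deduplicating intermediate chains with
# issuers-chain-path. Paths and file names are assumptions for illustration.
#
# Assumed layout:
#   /etc/haproxy/issuers/intermediate-ca.pem  -> IntermediateCA2 + IntermediateCA1,
#                                                stored once for all server certs
#   /etc/haproxy/certs/*.pem                  -> PrivateKey + Certificate only,
#                                                no intermediates embedded

global
    # A certificate loaded by "crt" or "crt-list" that carries no chain of its
    # own is completed with the file in this directory whose first certificate
    # is its issuer, so the intermediates live in one place instead of being
    # copied into every server certificate file.
    issuers-chain-path /etc/haproxy/issuers

    # Runtime API socket; "show ssl cert <file>" reports the chain that was
    # actually attached to each loaded certificate.
    stats socket /run/haproxy/admin.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # These files contain no chain; it is resolved from issuers-chain-path.
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

The compatibility check Emmanuel wants for a runtime update ("accept <payload> only if it is compatible via SKID") is the same relationship the loader relies on: the Authority Key Identifier of the server certificate must equal the Subject Key Identifier of the first certificate in the chain file. A chain file whose SKID matches nothing in the certificate set is never attached, which is the failure mode to look for when a server unexpectedly presents a leaf certificate with no intermediates.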