Hi,
I think we will probably need more information in the "show ssl cert" output in the future so the users can debug this kind of feature easily.
Yes. Showing the chain filename would be very helpful. For that I think a good way would be to keep ckch->chain and ckch->issuer with the value (or NULL) from PEM/<payload>, and resolve chain and ocsp_issuer when needed. « show ssl cert » will be able to find the origin of chain (and ocsp_issuer) without storing a new state. The drawback(?) is that the .issuer file will be loaded, in every case, if present.
Patch series to do that:
example:
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Chain filename: /etc/haproxy/issuers/letsencryptEC.pem
++ Manu
0001-MINOR-ssl-move-find-certificate-chain-code-to-its-ow.patch
0002-MINOR-ssl-resolve-issuers-chain-later.patch
0003-MINOR-ssl-resolve-ocsp_issuer-later.patch
0004-MINOR-ssl-show-ssl-cert-command-should-print-the-Cha.patch
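The resolution scheme Manu describes above, as an added illustration that is not HAProxy code and not part of the patch series: the ckch keeps only what came out of the PEM (chain or NULL), the chain is resolved on demand, and "show ssl cert" derives the origin of the chain from which field is set instead of storing a separate state. The struct names, the issuers store, the resolve_chain/show_ssl_cert functions and all sample paths and DNs are constructed for this example; real HAProxy holds X509 objects, while this stand-in holds filenames so it runs without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the fields of HAProxy's ckch store that matter here
 * (assumption: real HAProxy holds X509/STACK_OF(X509) objects; this keeps
 * filenames so it runs without OpenSSL). */
struct ckch {
    const char *path;       /* PEM file the certificate was loaded from */
    const char *issuer_dn;  /* issuer DN of the leaf certificate */
    const char *chain;      /* chain found in the PEM payload, or NULL */
};

/* Hypothetical issuers store, keyed by issuer DN (what an issuers directory
 * would populate). Entries are constructed sample data. */
struct issuer_entry {
    const char *issuer_dn;
    const char *filename;
};

static const struct issuer_entry issuers_store[] = {
    { "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3",
      "/etc/haproxy/issuers/letsencryptEC.pem" },
    { "/C=XX/O=Example CA/CN=Example Intermediate",
      "/etc/haproxy/issuers/example-intermediate.pem" },
};

enum chain_origin { CHAIN_NONE = 0, CHAIN_PEM, CHAIN_STORE };

/* Resolve the chain on demand. The origin is derived from which field is
 * set, so nothing extra has to be stored on the ckch. */
static enum chain_origin resolve_chain(const struct ckch *c, const char **filename)
{
    size_t i;

    if (c->chain) {                 /* chain shipped inside the PEM itself */
        *filename = c->path;
        return CHAIN_PEM;
    }
    for (i = 0; i < sizeof(issuers_store) / sizeof(issuers_store[0]); i++) {
        if (strcmp(issuers_store[i].issuer_dn, c->issuer_dn) == 0) {
            *filename = issuers_store[i].filename;
            return CHAIN_STORE;
        }
    }
    *filename = NULL;               /* nothing found: the listener will have no chain */
    return CHAIN_NONE;
}

/* Render the two lines the proposed "show ssl cert" output would add. */
static int show_ssl_cert(const struct ckch *c, char *buf, size_t len)
{
    const char *filename;

    resolve_chain(c, &filename);
    return snprintf(buf, len, "Issuer: %s\nChain filename: %s\n",
                    c->issuer_dn, filename ? filename : "(none)");
}

/* Constructed sample: PEM without a chain, issuer known to the store. */
static const struct ckch sample_from_store = {
    "/etc/haproxy/certs/www.example.pem",
    "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3",
    NULL,
};

/* Constructed sample: PEM that carries its own chain. */
static const struct ckch sample_from_pem = {
    "/etc/haproxy/certs/bundle.pem",
    "/C=XX/O=Example CA/CN=Example Intermediate",
    "<chain embedded in bundle.pem>",
};

/* Constructed sample: neither an embedded chain nor a matching issuer. */
static const struct ckch sample_unresolved = {
    "/etc/haproxy/certs/orphan.pem",
    "/C=XX/O=Unknown CA/CN=Nobody",
    NULL,
};

static enum chain_origin origin_of(const struct ckch *c)
{
    const char *unused;
    return resolve_chain(c, &unused);
}

static const char *render(const struct ckch *c)
{
    static char buf[256];
    show_ssl_cert(c, buf, sizeof(buf));
    return buf;
}

int main(void)
{
    printf("%s", render(&sample_from_store));
    printf("%s", render(&sample_from_pem));
    printf("%s", render(&sample_unresolved));
    return 0;
}
```

The "(none)" case is the one worth surfacing to operators: a certificate whose issuer is not in the store is served without a chain, and a show command that prints the resolved filename makes that visible without reading the configuration back.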