Hello William,

    Thank you for your quick reply. You're right, it works flawlessly
after adding it to a crt-list, as Bjoern also mentioned.
    After reading the documentation, I was under the impression the
crt-list didn't support folders (although folder support is mentioned
there), mainly because I was trying to add "/etc/haproxy/ssl/" <- with
the trailing slash and always ended up in an error:

------------------------------------------------------[Start]------------------------------------------------------
]# echo "add ssl crt-list /etc/haproxy/ssl/ /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
Can't edit the crt-list: crt-list '/etc/haproxy/ssl/' does not exist!
------------------------------------------------------[End]------------------------------------------------------

    After reading your reply, I tried removing the trailing slash,
just like it was specified in the config file, and it worked. In my
mind the logic was "the trailing slash is what makes it consider the
path as a folder instead of a file" and stuck to that.

Thank you for your help and replies, this is a very interesting
approach to loading/unloading certificates without the need to restart
the instance.

Regards,
-tbn


On Wed, Jun 17, 2020 at 4:34 PM bjun...@gmail.com <bjun...@gmail.com> wrote:
>
> Am Mittwoch, 17. Juni 2020 schrieb William Lallemand <wlallem...@haproxy.com>:
>>
>> Hello,
>>
>> On Wed, Jun 17, 2020 at 03:28:19PM +0300, tbn wrote:
>> > Hello list,
>> >
>> >    I saw William Lallemand's announcement regarding the possibility of
>> > loading dynamic ssl certificates right here
>> > https://www.mail-archive.com/haproxy@formilux.org/msg36927.html and
>> > the idea of having so much control over the haproxy instance was
>> > intriguing.
>> >
>> >    I've set up a test instance of the latest 2.2-dev9 to test out this
>> > feature and I seem to have hit a bump in the road. I am unsure if I
>> > misunderstood what was supposed to happen, or if I've stumbled across
>> > a bug. In my configuration file, I'm instructing haproxy to load all
>> > existing certificates from a folder and I'm trying to load a new
>> > certificate using the new "new ssl cert/add ssl cert/commit ssl cert"
>> > commands through the haproxy socket. The domain with the certificate
>> > loaded manually seems to have SNI problems until haproxy is restarted
>> > and the certificate is read from the crt folder.
>> >
>> >    I'm using foo.com and bar.com as example domains. The one that
>> > haproxy loads from the folder is generated and self-signed (foo.com),
>> > while the one I'm trying to load is valid and issued by let's encrypt
>> > (bar.com).
>> >
>> >    I've used a slight variation of the config file found in
>> > reg-tests/ssl/set_ssl_cert.vtc as follows:
>> > ------------------------------------------------------[Start]------------------------------------------------------
>> > global
>> >         maxconn 4096
>> >         user root
>> >         group root
>> >         daemon
>> >         log 127.0.0.1 local0 debug
>> >         stats socket "/tmp/stats" level admin
>> >
>> >         # Default SSL material locations
>> >         ca-base /etc/ssl/certs
>> >         crt-base /etc/ssl/private
>> >
>> >         tune.ssl.default-dh-param 2048
>> >
>> > defaults
>> >         log     global
>> >         mode    http
>> >         option  httplog
>> >         option  dontlognull
>> >         retries 3
>> >         option  redispatch
>> >         option  http-server-close
>> >         option  forwardfor
>> >         timeout connect 5000
>> >         timeout client  50000
>> >         timeout server  50000
>> >
>> >
>> > listen https-in
>> >         bind :443 transparent ssl strict-sni crt /etc/haproxy/ssl alpn h2,http/1.1
>> >         default_backend something
>> >
>> > backend something
>> >         mode http
>> >         server web 192.168.1.144:80 check
>> > ------------------------------------------------------[End]------------------------------------------------------
>> >
>> > Haproxy starts successfully and the pre-existing certificate in the
>> > /etc/haproxy/ssl is present and loaded:
>> >
>> > ------------------------------------------------------[Start]------------------------------------------------------
>> > ]# haproxy -d -f /etc/haproxy/haproxy.cfg
>> > Available polling systems :
>> >       epoll : pref=300,  test result OK
>> >        poll : pref=200,  test result OK
>> >      select : pref=150,  test result FAILED
>> > Total: 3 (2 usable), will use epoll.
>> >
>> > Available filters :
>> >         [SPOE] spoe
>> >         [COMP] compression
>> >         [TRACE] trace
>> >         [CACHE] cache
>> >         [FCGI] fcgi-app
>> > Using epoll() as the polling mechanism.
>> > ------------------------------------------------------[Middle]------------------------------------------------------
>> > ]# echo -e "show ssl cert" | socat /tmp/stats stdio
>> > # filename
>> > /etc/haproxy/ssl/foo.com.pem
>> >
>> > ]# echo -e "show ssl cert /etc/haproxy/ssl/foo.com.pem" | socat /tmp/stats stdio
>> > Filename: /etc/haproxy/ssl/foo.com.pem
>> > *Status: Used*
>> > Serial: DA0AD0EC8F6C0C30
>> > notBefore: Nov  8 15:31:08 2019 GMT
>> > notAfter: Dec  8 15:31:08 2019 GMT
>> > Subject Alternative Name:
>> > Algorithm: RSA2048
>> > SHA1 FingerPrint: 81D4AF40722F5F7C704E3327C5695F78DA6DC1E0
>> > Subject: /C=RO/ST=SomeState/L=Locality/O=OrganizationalOrg/OU=OrzanizatoricUnit/CN=foo.pem
>> > Issuer: /C=RO/ST=SomeState/L=Locality/O=OrganizationalOrg/OU=OrzanizatoricUnit/CN=foo.pem
>> > ------------------------------------------------------[End]------------------------------------------------------
>> > Certificate status is "Used", browser loads "foo.com" with the proper
>> > certificate.
>> >
>> > Next I've tried inserting "bar.com" into a running haproxy:
>> > ------------------------------------------------------[Start]------------------------------------------------------
>> > ]# cat /root/certificates/bar.com/fullchain.pem /root/certificates/bar.com/privkey.pem | sed '/^$/d' > /etc/haproxy/ssl/bar.com.pem
>> > ]# echo -e "new ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
>> > New empty certificate store '/etc/haproxy/ssl/bar.com.pem'!
>> >
>> > # echo -e "set ssl cert /etc/haproxy/ssl/bar.com.pem <<\n$(cat /etc/haproxy/ssl/bar.com.pem)\n" | socat /tmp/stats stdio
>> > Transaction created for certificate /etc/haproxy/ssl/bar.com.pem!
>> >
>> > ]# echo -e "commit ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
>> > Committing /etc/haproxy/ssl/bar.com.pem
>> > Success!
>> > ------------------------------------------------------[End]------------------------------------------------------
>> >
>> > Everything seems to have worked successfully, although the certificate
>> > shows up as "Unused":
>> > ------------------------------------------------------[Start]------------------------------------------------------
>> > ]# echo -e "show ssl cert /etc/haproxy/ssl/bar.com.pem" | socat /tmp/stats stdio
>> > Filename: /etc/haproxy/ssl/bar.com.pem
>> > *Status: Unused*
>> > Serial: 0315D3DD8EAB437293870474AB2B7055699B
>> > notBefore: Jun 16 20:30:03 2020 GMT
>> > notAfter: Sep 14 20:30:03 2020 GMT
>> > Subject Alternative Name: DNS:*.bar.com, DNS:bar.com
>> > Algorithm: RSA2048
>> > SHA1 FingerPrint: 5AEECEA0218C07B8D9E4D1B248FB1614C32B79DE
>> > Subject: /CN=bar.com
>> > Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> > Chain Subject: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> > Chain Issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
>> > ------------------------------------------------------[End]------------------------------------------------------
>> >
>>
>> With these commands you created a certificate storage, but the
>> certificate is unused because it is not associated with any bind
>> line. To do so, you should add your certificate to a crt-list or a
>> directory.
>>
>> In your configuration file, "/etc/haproxy/ssl/" is the directory
>> associated to your bind line. To associate this file to your directory
>> you must do:
>> "add ssl crt-list /etc/haproxy/ssl/ /etc/haproxy/ssl/bar.com.pem"
>>
>> as documented here:
>>
>> https://cbonte.github.io/haproxy-dconv/2.2/management.html#add%20ssl%20crt-list
>>
>> Regards,
>>
>> --
>> William Lallemand
>>
>
> Hi,
>
> I'm also testing this feature at the moment and can confirm it works
> flawlessly.
>
> This feature greatly simplifies my setup, thanks William!
>
> Best regards,
> Bjoern
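The runtime workflow the thread walks through (new ssl cert, set ssl cert, commit ssl cert, add ssl crt-list, then show ssl cert to confirm the store is "Used") wrapped into POSIX shell functions, as an added example that is not part of the thread or of HAProxy itself. The stats socket path, certificate store name and PEM file are placeholders; the trailing-slash normalisation encodes tbn's observation that the crt-list name must match the `crt` argument of the bind line exactly.

```shell
#!/bin/sh
# Added example: drive HAProxy 2.2's runtime certificate CLI over the stats
# socket with socat, exactly as the commands in the thread do.
# STATS_SOCK is an assumed placeholder (the thread uses /tmp/stats).
STATS_SOCK="${STATS_SOCK:-/tmp/stats}"

# Send one CLI command to the stats socket and print the reply.
hap_cli() {
    printf '%s\n' "$1" | socat "$STATS_SOCK" stdio
}

# Build the "set ssl cert <store> <<" payload: the PEM (fullchain + key,
# as in the thread) follows the "<<" line and is terminated by an empty line.
build_set_cert_payload() {
    # $1 = certificate store name, $2 = path of the PEM file to upload
    printf 'set ssl cert %s <<\n' "$1"
    cat "$2"
    printf '\n'
}

# The crt-list/directory name must be spelled exactly as on the bind line:
# tbn's session shows "/etc/haproxy/ssl/" rejected and "/etc/haproxy/ssl"
# accepted, so strip a single trailing slash.
crt_dir_name() {
    printf '%s' "${1%/}"
}

# Extract the Status value ("Used" or "Unused") from "show ssl cert <store>"
# output read on stdin. Tolerates the "*Status: Used*" bolding seen in the mail.
cert_status() {
    sed -n 's/^\*\{0,1\}Status: \([A-Za-z]*\)\*\{0,1\}$/\1/p' | head -n 1
}

# Full sequence: create the store, upload the PEM, commit, attach it to the
# crt directory, and succeed only if HAProxy now reports the cert as Used.
load_cert() {
    store="$1"; pem="$2"; dir="$(crt_dir_name "$3")"
    hap_cli "new ssl cert $store" >/dev/null || return 1
    build_set_cert_payload "$store" "$pem" | socat "$STATS_SOCK" stdio >/dev/null || return 1
    hap_cli "commit ssl cert $store" >/dev/null || return 1
    hap_cli "add ssl crt-list $dir $store" >/dev/null || return 1
    [ "$(hap_cli "show ssl cert $store" | cert_status)" = "Used" ]
}
```

Usage on a live instance would be `load_cert /etc/haproxy/ssl/bar.com.pem /etc/haproxy/ssl/bar.com.pem /etc/haproxy/ssl/`; the final check is what distinguishes a committed-but-unused store from one actually served for SNI.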
