On Sat, Dec 05, 2020 at 02:57:03AM +0100, Björn Jacke wrote:
> Hi,
>
> I ran into an issue with haproxy 2.2.6, where I'm not sure if this is
> working as intended or not. I have a frontend, which has an ssl cert
> configured in a combined pem file, containing the private, public and
> intermediate certificate. The bind line looks like this:
>
> bind 203.0.113.1 ssl crt /certs/host.example.org/combined.pem.rsa ...
>
> If I renew the certificate, it works as also shown in
>
> https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/
>
> via
>
> echo "set ssl cert ${DIRNAME}/combined.pem.rsa" | socat ...
>
> Everything worked fine since quite a while ...
>
> until now the issuing intermediate certificate changed. I would expect
> that above mentioned "set ssl cert combined.pem.rsa" would also update
> the intermediate certificate - but the *previous* intermediate is still
> being used by haproxy. I noticed this actually only because the "set ssl
> ocsp-response" returned "Certificate ID does not match any certificate
> or issuer". It took me quite a while to spot that the intermediate was
> not updated.
>
> So the final question is, is this a bug or is the intermediate not
> supposed to be updated along with the combined.pem but differently? A
> reload or restart of haproxy will activate the new intermediate
> certificate of course.
>
Looks like a bug to me, the intermediate certificate is indeed supposed to
be updated, I'll look into this.

-- 
William Lallemand
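The symptom above was only noticed through the OCSP error, so here is a small check script (an added example, not code from the thread or from the HAProxy project) that compares the intermediate HAProxy actually serves with the second certificate in the combined PEM on disk. The awk-based PEM splitting runs offline on constructed sample files; the live fetch with `openssl s_client -showcerts` only runs when a `host:port` and a bundle path are passed as arguments (assumed invocation, not a project tool).

```shell
#!/bin/sh
# Added check (not from the thread): after a runtime certificate update,
# compare the intermediate HAProxy serves with the intermediate in the
# combined PEM on disk, so a stale chain is caught without waiting for
# "set ssl ocsp-response" to complain. PEM parsing is plain awk, so the
# demo below runs offline; the live fetch needs openssl and network.

# Print the base64 body of the Nth CERTIFICATE block of a PEM file (or of
# "openssl s_client -showcerts" output, whose non-PEM text is skipped).
pem_cert_body() {  # pem_cert_body N FILE
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblk = (n == want); next }
        /^-----END CERTIFICATE-----/   { inblk = 0; next }
        inblk { print }' "$2"
}

# 0 = intermediates identical, 1 = differ, 2 = one side has no 2nd block.
intermediate_matches() {  # intermediate_matches SERVED.pem ONDISK.pem
    served=$(pem_cert_body 2 "$1"); ondisk=$(pem_cert_body 2 "$2")
    [ -n "$served" ] && [ -n "$ondisk" ] || return 2
    [ "$served" = "$ondisk" ]
}

# Constructed stand-ins (not real certificates): the renewed bundle on
# disk carries INTERMEDIATE-v2, while the running process still serves v1.
make_demo_files() {  # make_demo_files DIR
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-v2' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-v2' '-----END CERTIFICATE-----' \
        > "$1/combined.pem"
    printf '%s\n' 'CONNECTED(00000003)' '-----BEGIN CERTIFICATE-----' 'LEAF-v2' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-v1' \
        '-----END CERTIFICATE-----' > "$1/served.pem"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
if intermediate_matches "$demo_dir/served.pem" "$demo_dir/combined.pem"; then
    echo "demo: intermediate up to date"
else
    echo "demo: served intermediate differs from combined.pem"
fi

# Live use (assumed invocation): ./check.sh host.example.org:443 /certs/host.example.org/combined.pem.rsa
if [ $# -eq 2 ]; then
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
        </dev/null 2>/dev/null > "$demo_dir/live.pem"
    intermediate_matches "$demo_dir/live.pem" "$2" && echo "OK: intermediate matches" \
        || echo "WARNING: served intermediate differs; reload or redo set/commit ssl cert"
fi
```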