Hello,
On 07/06/2021 01:23, Shawn Heisey wrote:
> On 6/5/2021 10:47 PM, Shawn Heisey wrote:
> On 6/5/2021 9:30 PM, Shawn Heisey wrote:
> [WARNING] (81457) : Loading: OCSP response status not successful.
> Content will be ignored.
This error message happens when a call to OpenSSL's OCSP_response_status
function on your response returns anything other than
OCSP_RESPONSE_STATUS_SUCCESSFUL which means that we won't be able to
process your response.
> Another self-followup: Apparently that warning also happens with
> 1.8.22 ... I was unaware of this, as I haven't checked the config file
> manually for a very long time.
> root@smeagol:/etc/haproxy# haproxy -c -f /etc/haproxy/haproxy.cfg
> [WARNING] 156/172157 (328956) : Loading
> '/etc/ssl/certs/local/mainwildcards.pem.ocsp': OCSP response status
> not successful. Content will be ignored.
> Configuration file is valid
> The .ocsp file DOES contain a valid OCSP response. So ... I think I'm
> probably good to proceed with the upgrade. I know that on an older
> version of 1.8, no idea which one, this warning did not happen. Can
> this thread serve as a possible bug report?
OCSP stapling won't work on any version that shows this warning (for
this specific response). But apart from that, everything else should
work fine, that's why you only get a warning when parsing the
configuration file. If you are positive that your OCSP response is valid
we may indeed have a bug on our side so you could open an issue on
GitHub (https://github.com/haproxy/haproxy/issues). If we were to track
a bug through the ML there is a high chance of it being lost pretty quickly.
> Thanks,
> Shawn
Rémi