On 2021-11-05 13:11 Marco Corte wrote:
Hi all.
I have a bind section that contains
... ssl crt ZZZ.pem ...
where ZZZ.pem is actually a full path.
If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP
response to ZZZ.pem.ocsp and do a
----
# systemctl reload haproxy.service
----
then the certificate and the OCSP stapling are correct.
Moreover I can update the OCSP, when needed
----
# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
socat /run/haproxy/admin.sock stdio
OCSP Response updated!
----
If, after updating the files, I use the following procedure, I am not
able to update the OCSP response
----
# printf "set ssl cert ZZZ.pem <<\n$(cat ZZZ.pem)\n\ncommit ssl cert ZZZ.pem\n" | socat /run/haproxy/admin.sock stdio
Transaction created for certificate ZZZ.pem!
Committing ZZZ.pem..
Success!
# printf "set ssl ocsp-response <<\n$(base64 ZZZ.pem.ocsp)\n\n" |
socat /run/haproxy/admin.sock stdio
OCSP single response: Certificate ID does not match any certificate or issuer.
----
Since the two files ZZZ.pem and ZZZ.pem.ocsp are always the same, I
suspect that I am doing something wrong.
Am I skipping any step?
Thank you
Ciao!
.marcoc
Please note that I may have messed up with some commands while
anonymizing them in this email.
I forgot to mention the version: haproxy v2.4.8 on Ubuntu 18.04
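The same update sequence driven from Python instead of printf/socat, as an added example that is not part of the post: it frames the multi-line `<<` payloads (the empty line that ends a payload is easy to lose when hand-typing), sends one command per admin-socket connection, and stops at the first reply that lacks the success text quoted in the post, so a mismatch like the one reported is caught rather than skipped over. The socket path and file names are the ones from the post; adjust them for your deployment.

```python
import base64
import socket
from typing import Callable

# Socket path from the post; adjust for your own layout.
ADMIN_SOCK = "/run/haproxy/admin.sock"

def framed(command: str, payload: bytes) -> str:
    """Frame a multi-line runtime API command: the command followed by
    ' <<', the payload lines, and an empty line that ends the payload."""
    return f"{command} <<\n{payload.decode()}\n\n"

def update_plan(cert_path: str, pem: bytes, ocsp_der: bytes) -> list[tuple[str, str]]:
    """The sequence from the post, paired with the reply text each step
    must contain for the step to count as successful."""
    return [
        (framed(f"set ssl cert {cert_path}", pem), "Transaction created"),
        (f"commit ssl cert {cert_path}\n", "Success!"),
        (framed("set ssl ocsp-response", base64.b64encode(ocsp_der)),
         "OCSP Response updated!"),
    ]

def send_command(command: str, sock_path: str = ADMIN_SOCK) -> str:
    """Send one command over the admin socket and read the reply until
    HAProxy closes the connection (one command per connection)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode())
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

def run_update(cert_path: str, pem: bytes, ocsp_der: bytes,
               send: Callable[[str], str] = send_command) -> tuple[bool, str]:
    """Run the steps in order and stop at the first reply that lacks its
    success marker, returning (ok, last_reply) so the failure is visible."""
    reply = ""
    for command, marker in update_plan(cert_path, pem, ocsp_der):
        reply = send(command)
        if marker not in reply:
            return False, reply
    return True, reply

if __name__ == "__main__":
    with open("ZZZ.pem", "rb") as f, open("ZZZ.pem.ocsp", "rb") as g:
        print(run_update("ZZZ.pem", f.read(), g.read()))
```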