On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote:
> On 5/31/23 23:25, Matthias Fechner wrote:
> > I just saw in the release notes for 2.8 that an automatic OCSP renewal
> > is now included and I would like to get rid of my manual scripts that
> > are currently injecting the OCSP information.
> > 
> > I checked a little bit the documentation here:
> > https://docs.haproxy.org/2.8/configuration.html#ocsp-update
> > https://docs.haproxy.org/2.8/configuration.html#5.1-crt-list
> 
> I can't figure out where to put the option.  I've tried several different
> places and the config check fails every time.

So this means that the doc is still not clear enough and we need to
improve this. And indeed, I'm myself confused because William told me
a few days ago that "ocsp-update" was for crt-list lines only and it's
found in the "bind line options" section. And of course, when there are
examples, they're not the ones you're looking for, that's classical!

So normally in order to enable ocsp updates you have to use "crt-list"
instead of "crt", and reference your certificate(s) there, and in
front of each of them you can place some options. One of them is
"ocsp-update on", which will enable automatic renewal.

> Upgraded from dev13 to 2.8.0 and that didn't help.
> 
> It will be very cool for haproxy to handle ocsp renewal itself so I can
> retire my script.

That's exactly the goal, that for those whose load balancer has direct
access to the internet (i.e. not on an internal network nor in an inbound
DMZ), the renewal can be done automatically.

> The doc said that it would need the issuer cert, which is included in the
> file referenced by the crt option.  Is that enough?

At this point I don't know :-/  William and/or Rémi will know better,
let's wait for their complementary info if you can't sort it out with
the info above. I intend to enable them soon on haproxy.org so I'm
interested in configuring it as well :-)

Regards,
Willy

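For readers who want to see the shape of the configuration Willy describes (switching from "crt" to "crt-list" and attaching the "ocsp-update on" option to each certificate), here is an added example. It is not from the original thread nor from the HAProxy project; the file paths, hostnames and certificate names are assumed placeholders.

```haproxy
# /etc/haproxy/haproxy.cfg (added example, paths and names are assumptions)
frontend https-in
    # Before: a plain "crt" directive, which has no place for per-certificate
    # options such as ocsp-update.
    #   bind :443 ssl crt /etc/haproxy/certs/example.com.pem
    #
    # After: reference the certificates through a crt-list file instead, so
    # that each line can carry its own options.
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend app

backend app
    server app1 127.0.0.1:8080

# /etc/haproxy/crt-list.txt (added example)
# One certificate per line; options go in square brackets after the file name,
# followed by optional SNI filters. The PEM file is assumed to contain the
# private key, the leaf certificate and the issuer (intermediate) certificate,
# which HAProxy needs in order to query the OCSP responder.
# /etc/haproxy/certs/example.com.pem [ocsp-update on] example.com www.example.com
# /etc/haproxy/certs/other.example.net.pem [ocsp-update on] other.example.net
```

Validate the result before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`, which is the configuration check the thread refers to. If the issuer certificate is not bundled into the PEM, HAProxy also accepts it from a sibling file named after the certificate with an `.issuer` suffix (for the example above, `example.com.pem.issuer`); the renewal only works when the host running HAProxy can reach the issuer's OCSP responder over the internet, as Willy notes.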