On 6/1/23 15:42, Willy Tarreau wrote:
> So this means that the doc is still not clear enough and we need to
> improve this. And indeed, I'm myself confused because William told me
> a few days ago that "ocsp-update" was for crt-list lines only and it's
> found in the "bind line options" section. And of course, when there are
> examples, they're not the ones you're looking for, that's classical!
I looked at the 2.8.0 documentation for crt-list and it was not very
clear what to actually put in the config to use it.
I asked ChatGPT for help, and with that info, I was able to work out
what to do.
-
elyograg@smeagol:/etc/haproxy$ cat crt-list.txt
/etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on]
/etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on]
-
I commented the crontab entry that was handling ocsp renewal, deleted
the *.ocsp files from the certificate location, restarted haproxy, and
did a fresh Qualys SSL test. That test indicated that it is still
stapling OCSP.
Awesome new feature!
Thanks,
Shawn
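The crt-list above switches HAProxy 2.8's built-in OCSP updater on for each certificate; the only missing piece in the post is how that file is wired into haproxy.cfg and how to confirm stapling locally rather than through an external Qualys scan. The script below is an added example, not code from the thread or from the HAProxy project. It assumes a frontend bound with `crt-list /etc/haproxy/crt-list.txt` and an `example.test` hostname (both assumptions), and it uses `openssl s_client -status` to request a stapled response and classify what the server sent back. The sample handshake outputs embedded in it are constructed for the self-test.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): check OCSP stapling from the
# client side with openssl instead of waiting for a Qualys scan.
#
# Matching haproxy.cfg fragment (assumed paths; crt-list syntax as in the post):
#   frontend fe_https
#       bind :443 ssl crt-list /etc/haproxy/crt-list.txt
#
# /etc/haproxy/crt-list.txt:
#   /etc/ssl/certs/local/example.combined.pem [ocsp-update on]
#
# For the updater to have anything to fetch, the combined PEM must carry the
# issuer chain as well as the leaf, and the leaf's AIA extension must contain
# an OCSP URI. Right after a restart the first fetch may still be in flight,
# so a "not-stapled" result seconds after reload is not yet a failure.

# Open a TLS session that asks for a stapled OCSP response (status_request)
# and return openssl's transcript on stdout. Host and port are parameters.
fetch_stapled_status() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null
}

# Read an openssl s_client -status transcript from stdin and print one of:
#   stapled-good    server stapled a successful response, cert status good
#   stapled-revoked server stapled a successful response, cert status revoked
#   stapled-unknown successful response but no good/revoked line
#   stapled-error   a response was stapled but its status is not "successful"
#   not-stapled     handshake completed, no OCSP response sent
#   no-handshake    nothing resembling an OCSP block (connection failed etc.)
classify_ocsp() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo stapled-good
        elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo stapled-revoked
        else
            echo stapled-unknown
        fi
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo stapled-error
    else
        echo no-handshake
    fi
}

# Exit status helper for cron or a monitoring probe: 0 only for stapled-good.
ocsp_is_good() {
    [ "$(classify_ocsp)" = stapled-good ]
}

# Constructed transcripts (trimmed to the lines that matter) for the self-test.
SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jun  1 12:00:00 2023 GMT
    Next Update: Jun  8 12:00:00 2023 GMT
======================================
depth=0 CN = example.test'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

# Usage: ./check_ocsp.sh example.test [443]
if [ -n "${1:-}" ]; then
    fetch_stapled_status "$1" "${2:-443}" | classify_ocsp
fi
```

Run it against the listener a few times after deleting the old `.ocsp` files and restarting, as in the post: the result should move from `not-stapled` (nothing cached yet) to `stapled-good` once the updater's first fetch completes, which is the same thing the Qualys report was showing. Wiring `ocsp_is_good` into the crontab slot the old renewal job used turns it into an alert if stapling ever silently stops.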