On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote:
> Am 02.06.2023 um 04:13 schrieb Shawn Heisey:
> > @Matthias I have no idea whether crt-list can load all certs in a
> > directory like crt can.  If it can't, then you will probably need a
> > script for starting/restarting haproxy that generates the cert list
> > file.  If you want that script to be automatically run whenever someone
> > does `systemctl restart haproxy`, you could use the ExecStartPre and
> > ExecReloadPre options in a systemd service file to run your script.
> > 
> > My certificate files contain the server cert, the issuer cert, the
> > private key, and DH PARAMETERS that are unique to that cert.
> 
> maybe adding a global configuration parameter to enable ocsp retrieval for
> all certificates?

Initially during the design phase we thought about having 3 states:
"off", "on", "auto", with the last one only enabling updates for certs
that already had a .ocsp file. But along discussions with some users
we were told that it was not going to be that convenient (I don't
remember why, but I think that Rémi and/or William probably remember
the reason), and it ended up dropping "auto".

Alternatively, maybe instead of enabling for all certs, what would be
useful would be to just change the default, because if you have 100k
certs, it's likely that 99.9k work one way and the other ones the other
way, and what you want is to indicate the default and only mention the
exception for those concerned.

Willy
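As an added example (not code from this thread or from the HAProxy project), a small POSIX shell script that generates the crt-list file Shawn describes, run from `ExecStartPre`/`ExecReloadPre`. It marks a certificate with `ocsp-update on` only when a sibling `.ocsp` file already exists, i.e. the "auto" behaviour the thread says was dropped; it assumes `*.pem` bundles in one directory and HAProxy's `<cert>.ocsp` file naming.

```bash
#!/bin/sh
# Generate an HAProxy crt-list from a directory of certificate bundles.
# Assumptions (not from the thread): every bundle is a *.pem file holding
# server cert, issuer cert, private key (and DH params, as Shawn uses);
# a preloaded OCSP response, if any, lives at <bundle>.ocsp.
# Bundles with an .ocsp file get "ocsp-update on", the others get an
# explicit "ocsp-update off", so the per-cert choice is visible in the list.

gen_crt_list() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ -f "$pem.ocsp" ]; then
            printf '%s [ocsp-update on]\n' "$pem"
        else
            printf '%s [ocsp-update off]\n' "$pem"
        fi
    done
}

# Write the list atomically so a concurrent haproxy start/reload never
# sees a half-written file; returns the number of entries written.
write_crt_list() {
    dir="$1"; out="$2"
    tmp="$out.tmp.$$"
    gen_crt_list "$dir" > "$tmp"
    n=$(wc -l < "$tmp")
    mv "$tmp" "$out"
    echo "$n"
}

# Demo on a constructed directory (sample data, not real certificates).
demo_dir=$(mktemp -d)
touch "$demo_dir/site-a.pem" "$demo_dir/site-b.pem" "$demo_dir/site-b.pem.ocsp"
write_crt_list "$demo_dir" "$demo_dir/crt-list.txt" > /dev/null
cat "$demo_dir/crt-list.txt"
rm -rf "$demo_dir"
```

In the unit file this would be `ExecStartPre=/usr/local/sbin/gen-crt-list.sh` (hypothetical path) writing the file named by `crt-list` on the `bind` line.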
