> The ocsp-update option should be between brackets
> /etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev *.mangadex.dev
Oh that makes more sense indeed; should have guessed so since other
crt-list bind params used those indeed...
>> - does the OCSP update mechanism update the files on-disk?
> No we never write anything on disk.
> [...]
>> - if not, what happens if upon restart/reload of HAProxy the .ocsp
>> file is outdated? will HAProxy aggressively try to get an up-to-date
>> response before starting its listeners or will I be risking ssl issues
>> by enabling OCSP must-staple with it?
> The OCSP update mechanism will not block anything, it runs alongside all
> the "regular" HAProxy tasks.
> If I remember correctly, you cannot load outdated OCSP responses so you
> should not face this particular problem. But if you have many
> certificates for which OCSP update was activated and no OCSP response
> was provided, fetching all the missing responses will indeed take some
> time and OCSP stapling will temporarily fail for the given server
> certificates.
Hmm, I understand why it was decided to go that route, and indeed that
is probably not too too hard to do... Though I can't help wondering if an
opt-in mechanism similar to the server state file would make sense for it?
Either way, it all worked flawlessly within these constraints after
putting the brackets, so that's great. Thanks.
Tristan
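As an added check (not from the thread and not HAProxy's own code), the script below parses a crt-list written in the bracketed syntax discussed above and reports which entries have ocsp-update on but no `<crtfile>.ocsp` sidecar next to the certificate, i.e. the ones that will start unstapled until the background fetch completes. The sample crt-list text and file paths are assumed; response freshness is not checked, since that needs the DER response decoded.

```python
import os
import re
from typing import Dict, List, NamedTuple


class CrtListEntry(NamedTuple):
    cert: str             # PEM path, first column of the crt-list line
    options: List[str]    # tokens found between the square brackets, if any
    filters: List[str]    # SNI filters following the options (may be empty)


# crt-list line: <crtfile> [optional bracketed options] <optional SNI filters...>
_LINE = re.compile(r"^(\S+)(?:\s+\[([^\]]*)\])?\s*(.*)$")


def parse_crt_list(text: str) -> List[CrtListEntry]:
    """Parse crt-list lines; '#' starts a comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        cert, opts, rest = m.group(1), m.group(2) or "", m.group(3)
        entries.append(CrtListEntry(cert, opts.split(), rest.split()))
    return entries


def ocsp_update_enabled(entry: CrtListEntry) -> bool:
    """True only when the bracketed options contain the pair 'ocsp-update on'."""
    toks = entry.options
    return any(toks[i] == "ocsp-update" and toks[i + 1] == "on"
               for i in range(len(toks) - 1))


def staple_readiness(entries: List[CrtListEntry], crt_base: str = "") -> Dict[str, str]:
    """Classify each entry by whether a staple is available at startup.

    HAProxy reads the initial staple from '<crtfile>.ocsp' beside the
    certificate; crt_base is an assumed prefix for relative cert paths.
    An entry with ocsp-update on but no sidecar starts without a staple and
    only gets one after the first background fetch, which is the window the
    must-staple question above is about.
    """
    result = {}
    for e in entries:
        if not ocsp_update_enabled(e):
            result[e.cert] = "ocsp-update off"
        elif os.path.isfile(os.path.join(crt_base, e.cert) + ".ocsp"):
            result[e.cert] = "staple file present"
        else:
            result[e.cert] = "no staple file: unstapled until first fetch"
    return result
```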