On Fri, Apr 25, 2025 at 12:24:35PM +0200, William Lallemand wrote:
> On Fri, Apr 25, 2025 at 12:15:23PM +0200, Alex wrote:
> > Subject: Re: [ANNOUNCE] haproxy-3.2-dev12
> > Hi.
> > 
> > On Fri, 25 Apr 2025 11:08:22 +0200 Willy Tarreau <w...@1wt.eu> wrote:
> > 
> > > On Fri, Apr 25, 2025 at 11:06:10AM +0200, William Lallemand wrote:
> > > > On Fri, Apr 25, 2025 at 10:56:45AM +0200, Willy Tarreau wrote:
> > > > > - on the ACME front, the few previously envisioned syntax changes
> > > > > were merged ("account" -> "account-key", "uri" -> "directory").
> > > > > The automated renewal scheduler now considers the advertised
> > > > > "Retry-After" in responses to avoid needlessly flooding the
> > > > > servers with requests.
> > > > 
> > > > Just to be more precise, there is no "automated renewal
> > > > scheduler", renewal of certificates is started with the "acme
> > > > renew" command. There will be a scheduler at some point though.
> > > 
> > > Sorry for the poor wording, I meant to say that it goes through the
> > > different steps by itself, but indeed, you have to start it!
> > > Thanks for clarifying that one.
> > 
> > Does this mean that there will be an overview in HAP which ACME
> > Certificate is in what state and when it will be renewed?
> > 
> > Something like this
> > 
> > ```
> > acme status
> > 
> > cert        state   expire  update-in
> > www.exampel.com     active  2025-05-01      2d
> > www.exampel.com     pending 2025-05-03      -
> > ```
> 
> This probably won't be in 3.2, there's too little time for this, that's why
> everything is marked as experimental for now. But we will probably have
> something like this yes.

Also I think such a feature independent from acme is still useful. I've
long wanted to have a "show ssl cert" sorted by expiration dates, with
an optional filter to list only those expiring in less than XXX seconds
or hours. This allows performing basic monitoring that sends you a
message when it's time to renew them (or just to change the symlink on
the FS so that haproxy.org doesn't emit an error on the renewal day ;-)).

Willy

