On Mon, Apr 28, 2025 at 11:58:53AM +0200, Willy Tarreau wrote:
> Subject: Re: [ANNOUNCE] haproxy-3.2-dev12
> On Mon, Apr 28, 2025 at 11:44:16AM +0200, William Lallemand wrote:
> > On Mon, Apr 28, 2025 at 08:16:22AM +0200, William Lallemand wrote:
> > > Subject: Re: [ANNOUNCE] haproxy-3.2-dev12
> > > On Sat, Apr 26, 2025 at 07:50:03AM +0200, Willy Tarreau wrote:
> > > >
> > > > Also I think such a feature independent from acme is still useful. I've
> > > > long wanted to have a "show ssl cert" sorted by expiration dates, with
> > > > an optional filter to list only those expiring in less than XXX seconds
> > > > or hours. This allows to perform basic monitoring that sends you a
> > > > message when it's time to renew them (or just to change the symlink on
> > > > the FS so that haproxy.org doesn't emit an error on the renewal day
> > > > ;-)).
> > >
> > > There's already the "show ssl sni" command
> > > (https://docs.haproxy.org/dev/management.html#show%20ssl%20sni) which is
> > > able to filter by expiration date. We could improve the command to add an
> > > offset though.
> > >
> > > --
> > > William Lallemand
> > >
> >
> > I just pushed this patch which allows a new offset option to 'show ssl sni':
> > https://github.com/haproxy/haproxy/commit/83975f34e40492aef6d62b6804da202a939e329a
>
> Awesome, thanks! It's just not intuitive to me (as a user) why I should
> consult them by SNI and not just by cert, but I guess this is related to
> the way they are internally indexed.

That's because this is a 'debugging' command which shows which SNIs are
applied on a bind line with their expiration dates. It is useful to verify
if there are multiple certificates with the same SNI on a bind line, for
example.

We could have new options on the 'show ssl cert' command later.

--
William Lallemand