Hi Igor,

On 11/27/18 12:48 AM, Igor Cicimov wrote:
> Hi Moemen,
>
> On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI <mmhed...@haproxy.com> wrote:
>> On 11/14/18 1:34 AM, Igor Cicimov wrote:
>>
>> On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov 
>> <ig...@encompasscorporation.com> wrote:
>>> Hi,
>>>
>>> # haproxy -v
>>> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23
>>> Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>
>>>
>>> I noticed that in case of multiple domains and OCSP setup:
>>>
>>> # ls -1 /etc/haproxy/ssl.d/*.ocsp
>>> /etc/haproxy/ssl.d/star_domain2_com.crt.ocsp
>>> /etc/haproxy/ssl.d/star_domain_com.crt.ocsp
>>> /etc/haproxy/ssl.d/star_domain3_com.crt.ocsp
>>> /etc/haproxy/ssl.d/star_domain4_com.crt.ocsp
>>>
>>> I get OCSP response from haproxy only for one of the domains
>>> domain.com. Tested via:
>>>
>>> $ echo | openssl s_client -connect domain[234].com:443 -tlsextdebug
>>> -status -servername domain[234].com
>>>
>>> Is this expected?
>> Any comments/ideas regarding this? Further noticed that OCSP code probably 
>> does not check the certificates' SANs and matches only based on the CN in the 
>> subject since the calls to whatever.domain.tld get stapled but to domain.tld 
>> do not.
>>
>> Hi Igor,
>>
>> Testing OCSP on multiple certificates with different domains (based on the 
>> CN) works correctly for me. (a.domain.com, b.domain.com, c.domain.com)
>>
>> Are you using multiple certs with same CN but different SANs ?
> The certificates belong to completely separate domains, so not
> subdomains of the same domain like in your case. They are also
> wildcard certs so here is the layout:
>
> # ls -1 /etc/haproxy/ssl.d/
> star_domain1_com.crt
> star_domain1_com.crt.ocsp
> star_domain2_com.crt
> star_domain2_com.crt.ocsp
> star_domain3_com.crt
> star_domain3_com.crt.ocsp
>
> # for i in `ls -1 /etc/haproxy/ssl.d/*.crt`; do openssl x509 -noout
> -subject -in $i; done
> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain2.com
> subject= /C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain3.com
>
> The SAN only contains the certificate's domain and nothing else, for
> example for domain3.com:
>
>             X509v3 Subject Alternative Name:
>                 DNS:*.domain3.com, DNS:domain3.com
>
> The haproxy bind line in the frontend looks like:
>
>      bind *:443 ssl crt /etc/haproxy/ssl.d/ ...
>
> And here is the output of the daily cronjob that updates the OCSP for haproxy:
>
> Date: Mon, 26 Nov 2018 05:00:01 +0000 (GMT)
>
> /etc/haproxy/ssl.d/star_domain1_com.crt: good
>         This Update: Nov 25 17:39:11 2018 GMT
>         Next Update: Dec  2 16:54:11 2018 GMT
> OCSP Response updated!
> /etc/haproxy/ssl.d/star_domain2_com.crt: good
>         This Update: Nov 24 20:49:57 2018 GMT
>         Next Update: Dec  1 20:04:57 2018 GMT
> OCSP Response updated!
> /etc/haproxy/ssl.d/star_domain3_com.crt: good
>         This Update: Nov 25 14:09:00 2018 GMT
>         Next Update: Dec  2 13:24:00 2018 GMT
> OCSP Response updated!
>
> I can confirm this is working as intended on other servers I have with
> 1.7.11 and 1.8.14, so it must be something specific to this one that I
> struggle to understand (to be even more confusing it is all being
> setup by Ansible in same way as everywhere else).
>
> Under what circumstances would a setup like this not work in terms of
> OCSP? Example:
>
> $ echo | openssl s_client -connect server:443 -tlsextdebug -status
> -servername domain1.com | grep -E 'OCSP|domain1'
> depth=0 C = AU, ST = New South Wales, L = Sydney, O = My Company, CN =
> *.domain1.com
> verify return:1
> DONE
> OCSP response: no response sent
>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
> subject=/C=AU/ST=New South Wales/L=Sydney/O=My Company/CN=*.domain1.com
>
> Thanks for your input by the way, very much appreciated.


If I am understanding this correctly when you use the naked domain
'domain1.com', you don't get an OCSP response (despite mentioning the
domain in the SAN extension).

Is this the case for all the domains or only one of them ? I am asking
this since you're mentioning multiple domains.

I was testing the same config with HA-Proxy version 1.8.14 2018/09/20
without being able to reproduce this.

$ echo quit | openssl s_client -connect localhost:443 -servername
'example.org' -status | egrep 'OCSP|example'
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
        OCSP Nonce:
subject=/C=FR/ST=PARIS/O=MMH/OU=server/CN=*.example.org

I only get "no response sent" when the "naked" domain is not mentioned
in the SAN which is expected.


> I can confirm this is working as intended on other servers I have with
> 1.7.11 and 1.8.14, so it must be something specific to this one that I
> struggle to understand (to be even more confusing it is all being
> setup by Ansible in same way as everywhere else).

Ok so no surprise that I cannot reproduce this since I am using 1.8.14
(latest release of the 1.8 branch) and you confirm that you don't have
issues with this version, but rather with the 1.8.14-1ppa1~xenial
version (from Vincent Bernat PPA I suppose). What is strange is that I
am expecting 1.8.14-1ppa1~xenial to be the same as HA-Proxy version
1.8.14 2018/09/20. I will double check though and get back to you.

Regards,

-- 
Moemen MHEDHBI
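The per-name stapling test the thread runs by hand, scripted so that every DNS entry in every certificate's SAN extension (wildcard and naked domain alike) is probed against the same HAProxy instance. This is an added example, not code from the thread or from HAProxy; HAPROXY_HOST/HAPROXY_PORT and the "test." probe prefix used for wildcard names are assumptions.

```shell
# Added example: probe OCSP stapling for each SAN name of each cert in the
# directory the 'bind ... crt /etc/haproxy/ssl.d/' line points at.
# Assumes openssl in PATH; HAPROXY_HOST/HAPROXY_PORT are placeholders.

# Parse DNS SAN entries out of 'openssl x509 -noout -text' output on stdin.
# Prints one name per line. A wildcard '*.domain' cannot be sent as SNI, so
# it is mapped to the assumed probe host 'test.domain'.
san_probe_names() {
  awk '/X509v3 Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | sed 's/^\*\./test./'
}

# Classify 'openssl s_client -status' output on stdin as
# "stapled", "missing" or "unknown" (the two strings seen in the thread).
staple_status() {
  awk '
    /OCSP Response Status: successful/ { s = "stapled" }
    /OCSP response: no response sent/  { s = "missing" }
    END { print (s == "" ? "unknown" : s) }'
}

# Probe one hostname via SNI and report the stapling status.
probe_name() {
  echo quit | openssl s_client \
      -connect "${HAPROXY_HOST:-localhost}:${HAPROXY_PORT:-443}" \
      -servername "$1" -status 2>/dev/null | staple_status
}

# Walk every cert in the directory and print: cert, probed name, status.
# A "missing" line for a naked domain is the symptom discussed in the thread.
check_cert_dir() {
  for crt in "$1"/*.crt; do
    openssl x509 -noout -text -in "$crt" | san_probe_names | while read -r name; do
      printf '%s %s %s\n' "$crt" "$name" "$(probe_name "$name")"
    done
  done
}

# Usage: check_cert_dir /etc/haproxy/ssl.d
```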

