Re: OCSP update restarts all proxies

2023-10-11 Thread Shawn Heisey
On 10/4/23 09:18, William Lallemand wrote: Nothing in haproxy initiates a service reload; are you sure you don't have an external process which is doing it? The systemd support within HAProxy is only meant to provide a status to systemd, it does not send it actions. I found the issue. I am not

Re: OCSP update restarts all proxies

2023-10-04 Thread William Lallemand
On Wed, Oct 04, 2023 at 08:52:39AM -0600, Shawn Heisey wrote: > On 10/4/23 05:34, Remi Tricot-Le Breton wrote: > > You just have to run the following commands : > > > > $ echo "update ssl ocsp-response " | socat > > /path_to_socket/haproxy.sock - > > When I do this, the update is successful and

Re: OCSP update restarts all proxies

2023-10-04 Thread Shawn Heisey
On 10/4/23 05:34, Remi Tricot-Le Breton wrote: You just have to run the following commands : $ echo "update ssl ocsp-response " | socat /path_to_socket/haproxy.sock - When I do this, the update is successful and shows in the logfile created by rsyslogd ... but unlike when haproxy does the

Re: OCSP update restarts all proxies

2023-10-04 Thread Remi Tricot-Le Breton
On 04/10/2023 03:05, Shawn Heisey wrote: On 10/3/23 01:33, Remi Tricot-Le Breton wrote: This command relies on the same task that performs the automatic update. What it does is basically add the certificate at the top of the task's update list and wakes it up. The update is asynchronous so we

Re: OCSP update restarts all proxies

2023-10-03 Thread Shawn Heisey
On 10/3/23 01:33, Remi Tricot-Le Breton wrote: This command relies on the same task that performs the automatic update. What it does is basically add the certificate at the top of the task's update list and wakes it up. The update is asynchronous so we can't return a status to the CLI command.

Re: OCSP update restarts all proxies

2023-10-03 Thread Remi Tricot-Le Breton
On 30/09/2023 09:20, Shawn Heisey wrote: On 9/28/23 02:29, Remi Tricot-Le Breton wrote: That's really strange, the OCSP update mechanism does not have anything to do with proxies. Are you sure you did not have a crash and autorestart of your haproxy ? I did not think that I had autorestart

Re: OCSP update restarts all proxies

2023-09-30 Thread Shawn Heisey
On 9/28/23 02:29, Remi Tricot-Le Breton wrote: That's really strange, the OCSP update mechanism does not have anything to do with proxies. Are you sure you did not have a crash and autorestart of your haproxy ? I did not think that I had autorestart for haproxy, but it turns out that the

Re: OCSP update restarts all proxies

2023-09-28 Thread Remi Tricot-Le Breton
Hello, On 28/09/2023 00:30, Shawn Heisey wrote: The haproxy -vv output is at the end of this message. I got the built-in OCSP updating mechanism working.  Works beautifully. Today I discovered that once an hour when the OCSP gets updated, haproxy stops all its proxies and starts them back

Re: OCSP update mechanism startup

2023-07-10 Thread Remi Tricot-Le Breton
On 07/07/2023 18:24, Willy Tarreau wrote: On Fri, Jul 07, 2023 at 03:42:58PM +, Tristan wrote: Also personally I have never understood the point of default server certs... besides getting unwanted attention from censys/shodan/etc... I remember some users who were hosting many

Re: OCSP update mechanism startup

2023-07-07 Thread Willy Tarreau
On Fri, Jul 07, 2023 at 03:42:58PM +, Tristan wrote: > Also personally I have never understood the point of default server certs... > besides getting unwanted attention from censys/shodan/etc... I remember some users who were hosting many applications from internal subsidiaries wanted to make

Re: OCSP update mechanism startup

2023-07-07 Thread Tristan
On 07/07/2023 16:34, Willy Tarreau wrote: On Fri, Jul 07, 2023 at 03:06:52PM +, Tristan wrote: The ocsp-update option should be between brackets /etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev *.mangadex.dev Oh that makes more sense indeed; should have guessed so since

Re: OCSP update mechanism startup

2023-07-07 Thread Willy Tarreau
On Fri, Jul 07, 2023 at 03:06:52PM +, Tristan wrote: > > The ocsp-update option should be between brackets > > /etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev > > *.mangadex.dev > > Oh that makes more sense indeed; should have guessed so since other crt-list > bind params used

Re: OCSP update mechanism startup

2023-07-07 Thread Tristan
The ocsp-update option should be between brackets /etc/haproxy/ssl/mangadex.dev.pem [ocsp-update on] mangadex.dev *.mangadex.dev Oh that makes more sense indeed; should have guessed so since other crt-list bind params used those indeed... - does the OCSP update mechanism update the files

Re: OCSP update mechanism startup

2023-07-06 Thread Remi Tricot-Le Breton
Hello Tristan, On 06/07/2023 13:24, Tristan wrote: Hello, I'm trying to make use of the new ocsp-update mechanism, and finding no success (yet). I've migrated my crt bind arguments to a crt-list argument (+ relevant file) and that loads in and gets used fine, but despite having

Re: OCSP renewal with 2.8

2023-06-05 Thread Matthias Fechner
Am 05.06.2023 um 10:08 schrieb William Lallemand: As I explained in my previous mail, the option was not set on the bind lines because of architectural problems, but you could expect to have a way to do it globally in future versions. thanks a lot for this information. I will wait then to have

Re: OCSP renewal with 2.8

2023-06-05 Thread Lukas Tribus
On Sat, 3 Jun 2023 at 14:30, William Lallemand wrote: > That's what we've done in the first place, but I decided to remove it > because I was not happy with the architecture. And once you have > something like this, you have to keep the configuration compatibility > for the next versions and then

Re: OCSP renewal with 2.8

2023-06-05 Thread William Lallemand
Hello, On Sat, Jun 03, 2023 at 04:28:30PM -0600, Shawn Heisey wrote: > On 6/3/23 15:37, Shawn Heisey wrote: > > On 6/3/23 15:28, Shawn Heisey wrote: > >> So maybe a completely separate global option makes sense.  The > >> crt-list requirement is not really a burden for me, but for someone > >>

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/3/23 15:37, Shawn Heisey wrote: On 6/3/23 15:28, Shawn Heisey wrote: So maybe a completely separate global option makes sense.  The crt-list requirement is not really a burden for me, but for someone who uses a LOT of certificates that change frequently, it probably would become a

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/3/23 15:28, Shawn Heisey wrote: So maybe a completely separate global option makes sense.  The crt-list requirement is not really a burden for me, but for someone who uses a LOT of certificates that change frequently, it probably would become a burden. Unless it is possible to have a

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/2/23 14:42, Lukas Tribus wrote: I suggest we make it configurable on the bind line like other ssl options, so it will work for the common use cases that don't involve crt-lists, like a simple crt statement pointing to a certificate or a directory. It could also be a global option *as

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
> On 2023-06-02 (Fr.) 22:42, Lukas Tribus wrote: > > I suggest we make it configurable on the bind line like other ssl > > options, so it will work for the common use cases that don't involve > > crt-lists, like a simple crt statement pointing to a certificate or a > > directory. > > That's what

Re: OCSP renewal with 2.8

2023-06-03 Thread Willy Tarreau
On Sat, Jun 03, 2023 at 01:50:48PM +0200, William Lallemand wrote: > On Thu, Jun 01, 2023 at 11:42:34PM +0200, Willy Tarreau wrote: > > So this means that the doc is still not clear enough and we need to > > improve this. And indeed, I'm myself confused because William told me > > a few days ago

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
On Fri, Jun 02, 2023 at 09:55:25PM +0200, Willy Tarreau wrote: > On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote: > > Am 02.06.2023 um 04:13 schrieb Shawn Heisey: > > > @Matthias I have no idea whether crt-list can load all certs in a > > > directory like crt can.  If it can't,

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
On Thu, Jun 01, 2023 at 11:42:34PM +0200, Willy Tarreau wrote: > So this means that the doc is still not clear enough and we need to > improve this. And indeed, I'm myself confused because William told me > a few days ago that "ocsp-update" was for crt-list lines only and it's > found in the "bind

Re: OCSP renewal with 2.8

2023-06-03 Thread Aleksandar Lazic
Hi. On 2023-06-02 (Fr.) 22:42, Lukas Tribus wrote: On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote: Initially during the design phase we thought about having 3 states: "off", "on", "auto", with the last one only enabling updates for certs that already had a .ocsp file. But along discussions

Re: OCSP renewal with 2.8

2023-06-02 Thread Lukas Tribus
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote: > Initially during the design phase we thought about having 3 states: > "off", "on", "auto", with the last one only enabling updates for certs > that already had a .ocsp file. But along discussions with some users > we were told that it was not

Re: OCSP renewal with 2.8

2023-06-02 Thread Willy Tarreau
On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote: > Am 02.06.2023 um 04:13 schrieb Shawn Heisey: > > @Matthias I have no idea whether crt-list can load all certs in a > > directory like crt can.  If it can't, then you will probably need a > > script for starting/restarting haproxy

Re: OCSP renewal with 2.8

2023-06-02 Thread Matthias Fechner
Am 02.06.2023 um 04:13 schrieb Shawn Heisey: @Matthias I have no idea whether crt-list can load all certs in a directory like crt can.  If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file.  If you want that script to be

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 16:19, Shawn Heisey wrote: I asked ChatGPT for help, and with that info, I was able to work out what to do. - elyograg@smeagol:/etc/haproxy$ cat crt-list.txt /etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on] /etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on] -
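The crt-list file Shawn shows above (one certificate path per line, followed by `[ocsp-update on]` in brackets) is the same format Tristan's thread later stumbles over, and Shawn's earlier message points out that anyone loading a whole directory of certificates will need a script to generate it. The following is an added example, not code posted by any of the thread's participants or shipped by HAProxy: a small generator for such a crt-list plus a parser that checks what a given line actually enables. It assumes the crt-list line syntax documented for HAProxy 2.8 (`<certfile> [<bind options>] [[!]<sni filter> ...]`, `#` starting a comment); every path, hostname and sample line in it is constructed.

```python
"""Build and parse HAProxy crt-list files that switch on ocsp-update.

Added example, not code from the thread. Assumes the crt-list line syntax
documented for HAProxy 2.8:

    <certfile> [<bind-options...>] [[!]<sni-filter> ...]

Paths, names and the sample text below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path

# path, an optional "[...]" option group, then zero or more SNI filters;
# '[' and ']' are not allowed inside a path or filter token, so an
# unterminated bracket group is a parse error instead of a bogus SNI filter
_LINE_RE = re.compile(
    r"^(?P<path>[^\s\[\]]+)(?:\s+\[(?P<opts>[^\]]*)\])?(?P<snis>(?:\s+[^\s\[\]]+)*)\s*$"
)


@dataclass
class CrtListEntry:
    path: str
    options: str = ""                                     # text between the brackets
    sni_filters: list[str] = field(default_factory=list)  # "!name" excludes a name

    @property
    def ocsp_update(self) -> bool:
        """True only for an explicit 'ocsp-update on'; the keyword may sit
        next to other bind options (alpn, ciphers, ...) in the same brackets."""
        toks = self.options.split()
        for i, tok in enumerate(toks):
            if tok == "ocsp-update":
                return i + 1 < len(toks) and toks[i + 1] == "on"
        return False

    def render(self) -> str:
        parts = [self.path]
        if self.options:
            parts.append(f"[{self.options}]")  # the brackets are mandatory
        parts.extend(self.sni_filters)
        return " ".join(parts)


def parse_crt_list(text: str) -> list[CrtListEntry]:
    """Parse crt-list text; '#' starts a comment, blank lines are skipped."""
    entries: list[CrtListEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"crt-list line {lineno}: cannot parse {raw!r}")
        opts = (m.group("opts") or "").strip()
        entries.append(CrtListEntry(m.group("path"), opts, m.group("snis").split()))
    return entries


def generate_crt_list(cert_dir: Path, extra_options: str = "") -> str:
    """Emit one 'ocsp-update on' line per *.pem in cert_dir, sorted so the
    output is stable and diffs cleanly. Only names ending in exactly .pem are
    taken, so companion .pem.ocsp / .pem.issuer files are not listed. No SNI
    filters are written: HAProxy then matches SNI against the names inside
    each certificate, as it does for a plain 'crt' directory."""
    opts = " ".join(t for t in (extra_options.strip(), "ocsp-update on") if t)
    lines = [CrtListEntry(str(p), opts).render() for p in sorted(cert_dir.glob("*.pem"))]
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Constructed sample mirroring the layout discussed in the thread.
    SAMPLE = """\
# generated crt-list
/etc/haproxy/ssl/example.pem [ocsp-update on] example.test *.example.test
/etc/haproxy/ssl/legacy.pem [alpn h2,http/1.1] !old.example.test
"""
    for e in parse_crt_list(SAMPLE):
        print(f"{e.path}: ocsp-update={e.ocsp_update} sni={e.sni_filters}")
```

Run `generate_crt_list(Path("/etc/ssl/certs/local"))` from whatever script (re)starts haproxy and write the result to the file named by `crt-list` on the bind line; running `parse_crt_list` over an existing file is a quick way to see which certificates will actually be refreshed before reloading.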

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 15:42, Willy Tarreau wrote: So this means that the doc is still not clear enough and we need to improve this. And indeed, I'm myself confused because William told me a few days ago that "ocsp-update" was for crt-list lines only and it's found in the "bind line options" section. And of

Re: OCSP renewal with 2.8

2023-06-01 Thread Willy Tarreau
On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote: > On 5/31/23 23:25, Matthias Fechner wrote: > > I just saw in the release notes for 2.8 that an automatic OCSP renewal > > is now included and I would like to get rid of my manual scripts that > > are currently injecting the OCSP

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 5/31/23 23:25, Matthias Fechner wrote: I just saw in the release notes for 2.8 that an automatic OCSP renewal is now included and I would like to get rid of my manual scripts that are currently injecting the OCSP information. I checked a little bit the documentation here:

Re: OCSP with dynamic SSL storage

2021-11-22 Thread William Lallemand
On Fri, Nov 05, 2021 at 01:30:53PM +0100, Marco Corte wrote: > Subject: Re: OCSP with dynamic SSL storage > > Il 2021-11-05 13:11 Marco Corte ha scritto: > > Hi all. > > > > I have a bind section that contains > > ... ssl crt ZZZ.pem ... > >

Re: OCSP with dynamic SSL storage

2021-11-05 Thread Marco Corte
Il 2021-11-05 13:11 Marco Corte ha scritto: Hi all. I have a bind section that contains ... ssl crt ZZZ.pem ... where ZZZ.pem is actually a full path. If I upload a new certificate/key to ZZZ.pem and a corresponding OCSP response to ZZZ.pem.ocsp and do a # systemctl reload

Re: OCSP stapling for intermediate certificate? (solved)

2021-08-13 Thread Thomas Bätzler
Hi, I just wanted to let y’all know that I figured out that it’s not a problem of me doing something wrong or haproxy doing something wrong – it’s the browsers. I found the answer on this page https://www.aaronpeters.nl/blog/ev-certificates-make-the-web-slow-and-unreliable/ : “Chrome always

Re: OCSP stapling with multiple domains

2018-11-28 Thread Moemen MHEDHBI
@list: sorry for the incorrect subject in my previous answer. At some point the subject changed when email was saved and encrypted in Drafts. On 28/11/2018 18:59, Moemen MHEDHBI wrote: > Hi Igor, > > On 11/27/18 12:48 AM, Igor Cicimov wrote: >> Hi Moemen, >> >> On Tue, Nov 27, 2018 at 1:24 AM

Re: OCSP stapling with multiple domains

2018-11-26 Thread Igor Cicimov
Hi Moemen, On Tue, Nov 27, 2018 at 1:24 AM Moemen MHEDHBI wrote: > > > On 11/14/18 1:34 AM, Igor Cicimov wrote: > > On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov > wrote: >> >> Hi, >> >> # haproxy -v >> HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 >> Copyright 2000-2018 Willy Tarreau >> >>

Re: OCSP stapling with multiple domains

2018-11-26 Thread Moemen MHEDHBI
On 11/14/18 1:34 AM, Igor Cicimov wrote: > On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov > > wrote: > > Hi, > > # haproxy -v > HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 > Copyright 2000-2018 Willy Tarreau

Re: OCSP stapling with multiple domains

2018-11-13 Thread Igor Cicimov
On Sun, Nov 11, 2018 at 2:48 PM Igor Cicimov wrote: > Hi, > > # haproxy -v > HA-Proxy version 1.8.14-1ppa1~xenial 2018/09/23 > Copyright 2000-2018 Willy Tarreau > > I noticed that in case of multiple domains and OCSP setup: > > # ls -1 /etc/haproxy/ssl.d/*.ocsp >

Re: OCSP response missing in v1.8

2018-03-30 Thread Willy Tarreau
Hello Valter, On Fri, Mar 30, 2018 at 09:43:03PM +0300, Valter Jansons wrote: > Hello, > > > I seem to have also narrowed this down to being some compatibility > > issue when using the OpenSSL package distributed for Ubuntu 14.04 > > Trusty (officially set to EOL in April 2019). That thing is

Re: OCSP response missing in v1.8

2018-03-30 Thread Valter Jansons
Hello, > I seem to have also narrowed this down to being some compatibility > issue when using the OpenSSL package distributed for Ubuntu 14.04 > Trusty (officially set to EOL in April 2019). That thing is left > behind on 1.0.1f with security updates being ported from upstream, > but seemingly

Re: OCSP response missing in v1.8

2018-03-30 Thread Valter Jansons
Hello, > Running a quick Git Bisect reveals > f6b37c67be277b5f0ae60438d796ff29ef19be40 introduced this regression > in the haproxy-1.8 tree. I seem to have also narrowed this down to being some compatibility issue when using the OpenSSL package distributed for Ubuntu 14.04 Trusty (officially set

Re: OCSP stapling with multiple certificates

2017-09-20 Thread Igor Cicimov
On Wed, Sep 20, 2017 at 4:00 PM, Jarno Huuskonen wrote: > Hi, > > On Wed, Sep 20, Igor Cicimov wrote: > > I've been running haproxy with OCSP stapling for some time with a single > > ssl certificate. Now I'm trying to enable the same for multiple > > certificates but am

Re: OCSP stapling with multiple certificates

2017-09-20 Thread Jarno Huuskonen
Hi, On Wed, Sep 20, Igor Cicimov wrote: > I've been running haproxy with OCSP stapling for some time with a single > ssl certificate. Now I'm trying to enable the same for multiple > certificates but am getting an error: > > OCSP single response: Certificate ID does not match any certificate or

Re: ocsp

2015-08-18 Thread Marc-Antoine
Hi, I did the tests you wanted. See below for answers. On Mon, 20 Jul 2015 17:42:03 +0200, Lukas Tribus luky...@hotmail.com wrote : Hi Lukas, frontend cluster:443 bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d default_backend cluster

Re: ocsp

2015-07-22 Thread Marc-Antoine
Hi, On Mon, 20 Jul 2015 11:50:50 +0200, Marc-Antoine marc-antoine.b...@ovh.net wrote : Hi Lukas, frontend cluster:443 bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d default_backend cluster capture request header Host len 255

Re: ocsp

2015-07-21 Thread Marc-Antoine
Hi Lukas, I used only one pem file per frontend instead of pem directory : frontend cluster1:443 bind 1.2.3.4:443 ssl crt /home/provisionning/cluster1.d/8640.pem default_backend cluster1 Regards, On Mon, 20 Jul 2015 20:18:10 +0200, Lukas Tribus luky...@hotmail.com wrote : Hi Lukas,

RE: ocsp

2015-07-20 Thread Lukas Tribus
Hi Lukas, I made a mistake in my previous email : it works locally AND remotely ! What fixed the problem? This may be useful for others as well. Lukas

Re: ocsp

2015-07-20 Thread Marc-Antoine
Hi Lukas, I made a mistake in my previous email : it works locally AND remotely ! Regards, On Mon, 20 Jul 2015 19:04:24 +0200, Lukas Tribus luky...@hotmail.com wrote : Hi Marc, Hi Lukas, great intuition :) --- CONNECTED(0003) TLS server extension server name (id=0),

RE: ocsp

2015-07-20 Thread Lukas Tribus
Hi Lukas, frontend cluster:443 bind 1.2.3.4:443 ssl strict-sni crt /home/provisionning/0.pem crt /home/provisionning/cluster.d default_backend cluster capture request header Host len 255 Can you confirm there is no SSL intercepting device in front of the webserver, like hardware

RE: ocsp

2015-07-20 Thread Lukas Tribus
Hi Marc, Hi Lukas, great intuition :) --- CONNECTED(0003) TLS server extension server name (id=0), len=0 TLS server extension renegotiation info (id=65281), len=1 0001 - SPACES/NULS TLS server extension EC point formats (id=11), len=4 - 03 00 01 02 TLS server extension

Re: ocsp

2015-07-17 Thread Baptiste
Hi Marc-Antoine, no idea, sorry. Maybe some of our SSL experts may help :) Baptiste On Wed, Jul 15, 2015 at 11:06 AM, Marc-Antoine marc-antoine.b...@ovh.net wrote: Hi, nobody knows plz ? On Thu, 9 Jul 2015 13:06:59 +0200, Marc-Antoine marc-antoine.b...@ovh.net wrote : Hi all, I have

RE: ocsp

2015-07-17 Thread Lukas Tribus
Hi Marc, Hi all, I have some problems making OCSP stapling work. Here is what I did: I have 8150.pem with chain, cert and key in it. I have 8150.pem.ocsp that seems ok : # openssl ocsp -respin 8150.pem.ocsp -text -CAfile alphassl256.chain OCSP Response Data: OCSP Response Status:

Re: ocsp

2015-07-15 Thread Marc-Antoine
Hi, nobody knows plz ? On Thu, 9 Jul 2015 13:06:59 +0200, Marc-Antoine marc-antoine.b...@ovh.net wrote : Hi all, I have some problems making OCSP stapling work. Here is what I did: I have 8150.pem with chain, cert and key in it. I have 8150.pem.ocsp that seems ok : # openssl

Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 12:38 PM, Andrew Hayworth wrote: Are you reloading HAProxy or issuing a 'set ssl ocsp-response' command via the stats socket after you retrieve the response? That's necessary after you pull down an updated OCSP response. For example, here's our script that pulls down the OCSP

Re: OCSP stapling troubleshooting

2015-06-02 Thread Andrew Hayworth
Are you reloading HAProxy or issuing a 'set ssl ocsp-response' command via the stats socket after you retrieve the response? That's necessary after you pull down an updated OCSP response. For example, here's our script that pulls down the OCSP response then loads it in via the stats socket:

Re: OCSP stapling troubleshooting

2015-06-02 Thread Andrew Hayworth
On Tue, Jun 2, 2015 at 2:16 PM, Shawn Heisey hapr...@elyograg.org wrote: My script may update a dozen ocsp responses all used by a single haproxy process ... so when I am using the stats socket to set the ocsp response, how do I tell haproxy which of the certificates it is using needs that

Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 11:42 AM, Lukas Tribus wrote: Share your cronjob script, your configuration, and SSLtest output at least (you basically didn't share any OCSP related informations). Here's the script that retrieves the OCSP responses, with its redacted config file:

[SOLVED] Re: OCSP stapling troubleshooting

2015-06-02 Thread Shawn Heisey
On 6/2/2015 1:29 PM, Andrew Hayworth wrote: On Tue, Jun 2, 2015 at 2:16 PM, Shawn Heisey hapr...@elyograg.org wrote: My script may update a dozen ocsp responses all used by a single haproxy process ... so when I am using the stats socket to set the ocsp response, how do I tell haproxy which of
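Andrew's message above describes a script that fetches the OCSP response and loads it through the stats socket, and Shawn asks how to tell haproxy which of a dozen certificates a response belongs to. The block below is an added example written for this page, not Andrew's script (the archive does not show it) and not HAProxy's own code. It assumes the stats-socket command documented in the HAProxy management guide, `set ssl ocsp-response <response>` with the DER response base64-encoded on one line, and a `stats socket ... level admin` in haproxy.cfg; the success string `OCSP Response updated!` is what HAProxy replies as far as I know but is treated here as an assumption, and the socket path, the `.pem.ocsp` bytes and the fake CLI server are constructed so the example runs offline. The command takes no certificate argument: the response carries the CertID of the certificate it covers, HAProxy matches it against the loaded certificates, and a response for an unknown certificate is rejected with the "Certificate ID does not match any certificate or issuer" error that appears later in this list.

```python
"""Load a freshly fetched OCSP response into a running HAProxy.

Added example; not the script from the thread and not HAProxy code. It
assumes the management-socket command

    set ssl ocsp-response <base64 of the DER-encoded OCSP response>

and a 'stats socket /path level admin' line in haproxy.cfg. The socket
path and the fake CLI server below are constructed so it runs offline.
"""
import base64
import os
import socket
import threading

SUCCESS_REPLY = "OCSP Response updated!"  # HAProxy's reply on success (assumed wording)


def build_set_ocsp_command(der_response: bytes) -> bytes:
    """Frame the command HAProxy expects: one line, response base64-encoded.

    No certificate is named: the OCSP response carries the CertID of the
    certificate it covers and HAProxy matches it against the certificates
    it has loaded, refusing a response that matches none of them."""
    # A DER OCSPResponse is a SEQUENCE (tag 0x30). This catches the common
    # mistake of saving the human-readable '-text' output instead of '-respout'.
    # It does not check the response status; HAProxy rejects non-successful ones.
    if not der_response.startswith(b"\x30"):
        raise ValueError("expected a DER-encoded OCSP response (openssl ocsp ... -respout)")
    return b"set ssl ocsp-response " + base64.b64encode(der_response) + b"\n"


def haproxy_cli(sock_path: str, command: bytes, timeout: float = 5.0) -> str:
    """Send one command to the stats socket and return the reply. In
    non-interactive mode HAProxy answers and closes, so read to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace").strip()


def push_ocsp_response(sock_path: str, ocsp_file: str) -> bool:
    """Read <cert>.pem.ocsp (DER, as written by 'openssl ocsp -respout') and push it."""
    with open(ocsp_file, "rb") as f:
        der = f.read()
    return haproxy_cli(sock_path, build_set_ocsp_command(der)) == SUCCESS_REPLY


def start_fake_haproxy_cli(sock_path: str) -> threading.Thread:
    """Constructed stand-in for the HAProxy CLI: accepts one connection,
    checks the framing of 'set ssl ocsp-response', replies like HAProxy and
    closes. It does not validate the response against any certificate."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            buf = b""
            while not buf.endswith(b"\n"):
                data = conn.recv(65536)
                if not data:
                    break
                buf += data
            prefix = b"set ssl ocsp-response "
            try:
                if not buf.startswith(prefix):
                    raise ValueError("unsupported command")
                base64.b64decode(buf[len(prefix):].strip(), validate=True)
                conn.sendall(SUCCESS_REPLY.encode() + b"\n")
            except ValueError:
                conn.sendall(b"Error: invalid OCSP response\n")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    sock = os.path.join(workdir, "haproxy.sock")
    ocsp_path = os.path.join(workdir, "example.pem.ocsp")
    # Constructed minimal DER OCSPResponse: SEQUENCE { ENUMERATED successful(0) }
    # with no responseBytes; enough to exercise the framing, not a real staple.
    with open(ocsp_path, "wb") as f:
        f.write(b"\x30\x03\x0a\x01\x00")
    t = start_fake_haproxy_cli(sock)
    print("updated:", push_ocsp_response(sock, ocsp_path))
    t.join()
```

Against a real instance, drop the fake server and point `push_ocsp_response` at the configured stats socket after each `openssl ocsp ... -respout <cert>.pem.ocsp` run; one call per `.ocsp` file is enough, since HAProxy works out the certificate from the response itself.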

Re: [SOLVED] Re: OCSP stapling troubleshooting

2015-06-02 Thread Andrew Hayworth
Awesome, glad it's all settled! On Tue, Jun 2, 2015 at 3:31 PM, Shawn Heisey hapr...@elyograg.org wrote: On 6/2/2015 1:29 PM, Andrew Hayworth wrote: On Tue, Jun 2, 2015 at 2:16 PM, Shawn Heisey hapr...@elyograg.org wrote: My script may update a dozen ocsp responses all used by a single haproxy

RE: OCSP stapling troubleshooting

2015-06-02 Thread Lukas Tribus
Hi Shawn, I've done a Qualys Labs SSL test against my setup fronted with haproxy, using this URL: https://www.ssllabs.com/ssltest/index.html I thought I had OCSP stapling correctly configured, but Qualys says it's not there. I have a cronjob that uses openssl to retrieve the .ocsp file

Re: OCSP stappling full support

2015-03-24 Thread Jeff Mitchell
No, Ha just replied with that same message to a ton of different threads on the mailing list. On Tue, Mar 24, 2015 at 6:10 AM, Pierre Ozoux pie...@ozoux.net wrote: Hi! I don't understand, do you mean that HAProxy OCSPStappling is easier now? Can you point to the documentation? Thanks,

Re: OCSP stappling full support

2015-03-24 Thread Pierre Ozoux
Hi! I don't understand, do you mean that HAProxy OCSP stapling is easier now? Can you point to the documentation? Thanks, Pierre Written with a mobile device, sorry for typos.. On 23 mars 2015, at 22:36, Ha Quan Le nlp...@shaw.ca wrote: Thank you for support, we have fixed our issues.

Re: OCSP stappling full support

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. Ha. - Original Message - From: Pierre Ozoux pie...@ozoux.net To: haproxy@formilux.org Sent: Friday, March 20, 2015 11:59:16 AM Subject: OCSP stappling full support Hi, HAProxy provides OCSP stapling since v1.5 and this is nice!

Re: OCSP Stapling update issue

2014-07-26 Thread William Lewis
Problem solved: nc wasn’t working correctly on my linux distro; switched to netcat and it started working properly. On 26 Jul 2014, at 09:18, William Lewis m...@wlewis.co.uk wrote: Hi all, I’m trying to setup OCSP stapling for my setup, I’ve got it working on reload but am trying to use the

Re: OCSP and Startssl

2014-06-29 Thread Lukas Tribus
Hi Igor, Hi, list I enable OCSP with an empty .ocsp file, but it seems not to work, https://www.ssllabs.com/ssltest/ reports OCSP No. If I do openssl ocsp -issuer s.pem.issuer -cert s.pem -url http://ocsp.startssl.com/sub/class2/server/ca -header HOST ocsp.startssl.com -respout s.pem.ocsp, so