Re: OCSP renewal with 2.8

2023-06-05 Thread Matthias Fechner
On 05.06.2023 at 10:08, William Lallemand wrote: As I explained in my previous mail, the option was not set on the bind lines because of architectural problems, but you could expect to have a way to do it globally in future versions. thanks a lot for this information. I will wait then to have

Re: OCSP renewal with 2.8

2023-06-05 Thread Lukas Tribus
On Sat, 3 Jun 2023 at 14:30, William Lallemand wrote: > That's what we've done in the first place, but I decided to remove it > because I was not happy with the architecture. And once you have > something like this, you have to keep the configuration compatibility > for the next versions and then

Re: OCSP renewal with 2.8

2023-06-05 Thread William Lallemand
Hello, On Sat, Jun 03, 2023 at 04:28:30PM -0600, Shawn Heisey wrote: > On 6/3/23 15:37, Shawn Heisey wrote: > > On 6/3/23 15:28, Shawn Heisey wrote: > >> So maybe a completely separate global option makes sense.  The > >> crt-list requirement is not really a burden for me, but for someone > >>

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/3/23 15:37, Shawn Heisey wrote: On 6/3/23 15:28, Shawn Heisey wrote: So maybe a completely separate global option makes sense.  The crt-list requirement is not really a burden for me, but for someone who uses a LOT of certificates that change frequently, it probably would become a

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/3/23 15:28, Shawn Heisey wrote: So maybe a completely separate global option makes sense.  The crt-list requirement is not really a burden for me, but for someone who uses a LOT of certificates that change frequently, it probably would become a burden. Unless it is possible to have a

Re: OCSP renewal with 2.8

2023-06-03 Thread Shawn Heisey
On 6/2/23 14:42, Lukas Tribus wrote: I suggest we make it configurable on the bind line like other ssl options, so it will work for the common use cases that don't involve crt-lists, like a simple crt statement pointing to a certificate or a directory. It could also be a global option *as

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
> On 2023-06-02 (Fri.) 22:42, Lukas Tribus wrote: > > I suggest we make it configurable on the bind line like other ssl > > options, so it will work for the common use cases that don't involve > > crt-lists, like a simple crt statement pointing to a certificate or a > > directory. > > That's what

Re: OCSP renewal with 2.8

2023-06-03 Thread Willy Tarreau
On Sat, Jun 03, 2023 at 01:50:48PM +0200, William Lallemand wrote: > On Thu, Jun 01, 2023 at 11:42:34PM +0200, Willy Tarreau wrote: > > So this means that the doc is still not clear enough and we need to > > improve this. And indeed, I'm myself confused because William told me > > a few days ago

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
On Fri, Jun 02, 2023 at 09:55:25PM +0200, Willy Tarreau wrote: > On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote: > > On 02.06.2023 at 04:13, Shawn Heisey wrote: > > > @Matthias I have no idea whether crt-list can load all certs in a > > > directory like crt can.  If it can't,

Re: OCSP renewal with 2.8

2023-06-03 Thread William Lallemand
On Thu, Jun 01, 2023 at 11:42:34PM +0200, Willy Tarreau wrote: > So this means that the doc is still not clear enough and we need to > improve this. And indeed, I'm myself confused because William told me > a few days ago that "ocsp-update" was for crt-list lines only and it's > found in the "bind

Re: OCSP renewal with 2.8

2023-06-03 Thread Aleksandar Lazic
Hi. On 2023-06-02 (Fri.) 22:42, Lukas Tribus wrote: On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote: Initially during the design phase we thought about having 3 states: "off", "on", "auto", with the last one only enabling updates for certs that already had a .ocsp file. But along discussions

Re: OCSP renewal with 2.8

2023-06-02 Thread Lukas Tribus
On Fri, 2 Jun 2023 at 21:55, Willy Tarreau wrote: > Initially during the design phase we thought about having 3 states: > "off", "on", "auto", with the last one only enabling updates for certs > that already had a .ocsp file. But along discussions with some users > we were told that it was not

Re: OCSP renewal with 2.8

2023-06-02 Thread Willy Tarreau
On Fri, Jun 02, 2023 at 01:29:31PM +0300, Matthias Fechner wrote: > On 02.06.2023 at 04:13, Shawn Heisey wrote: > > @Matthias I have no idea whether crt-list can load all certs in a > > directory like crt can.  If it can't, then you will probably need a > > script for starting/restarting haproxy

Re: OCSP renewal with 2.8

2023-06-02 Thread Matthias Fechner
On 02.06.2023 at 04:13, Shawn Heisey wrote: @Matthias I have no idea whether crt-list can load all certs in a directory like crt can.  If it can't, then you will probably need a script for starting/restarting haproxy that generates the cert list file.  If you want that script to be

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 16:19, Shawn Heisey wrote: I asked ChatGPT for help, and with that info, I was able to work out what to do. - elyograg@smeagol:/etc/haproxy$ cat crt-list.txt /etc/ssl/certs/local/REDACTED1.combined.pem [ocsp-update on] /etc/ssl/certs/local/REDACTED2.combined.pem [ocsp-update on] -

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 6/1/23 15:42, Willy Tarreau wrote: So this means that the doc is still not clear enough and we need to improve this. And indeed, I'm myself confused because William told me a few days ago that "ocsp-update" was for crt-list lines only and it's found in the "bind line options" section. And of

Re: OCSP renewal with 2.8

2023-06-01 Thread Willy Tarreau
On Thu, Jun 01, 2023 at 03:30:36PM -0600, Shawn Heisey wrote: > On 5/31/23 23:25, Matthias Fechner wrote: > > I just saw in the release notes for 2.8 that an automatic OCSP renewal > > is now included and I would like to get rid of my manual scripts that > > are currently injecting the OCSP

Re: OCSP renewal with 2.8

2023-06-01 Thread Shawn Heisey
On 5/31/23 23:25, Matthias Fechner wrote: I just saw in the release notes for 2.8 that an automatic OCSP renewal is now included and I would like to get rid of my manual scripts that are currently injecting the OCSP information. I checked a little bit the documentation here: